Mcafee Product Guide

Product Guide
Revision 1.0
VirusScan Enterprise
®
version 7.1.0
COPYRIGHT
© 2003 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,
transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission
of Networks Associates Technology, Inc., or its suppliers or affiliate companies. To obtain this permission, write to the attention of the
Network Associates legal department at: 5000 Headquarters Drive, Plano, Texas 75024, or call +1-972-963-8000.
TRADEMARK ATTRIBUTIONS
Active Firewall, Active Security, Active Security (in Katakana), ActiveHelp, ActiveShield, AntiVirus Anyware and design, Appera, AVERT, Bomb
Shelter, Certified Network Expert, Clean-Up, CleanUp Wizard, ClickNet, CNX, CNX Certification Certified Network Expert and design, Covert,
Design (stylized N), Disk Minder, Distributed Sniffer System, Distributed Sniffer System (in Katakana), Dr Solomon’s, Dr Solomon’s label, E and
Design, Entercept, Enterprise SecureCast, Enterprise SecureCast (in Katakana), ePolicy Orchestrator, Event Orchestrator (in Katakana), EZ SetUp,
First Aid, ForceField, GMT, GroupShield, GroupShield (in Katakana), Guard Dog, HelpDesk, HelpDesk IQ, HomeGuard, Hunter, Impermia,
InfiniStream, Intrusion Prevention Through Innovation, IntruShield, IntruVert Networks, LANGuru, LANGuru (in Katakana), M and design,
Magic Solutions, Magic Solutions (in Katakana), Magic University, MagicSpy, MagicTree, McAfee, McAfee (in Katakana), McAfee and design,
McAfee.com, MultiMedia Cloaking, NA Network Associates, Net Tools, Net Tools (in Katakana), NetAsyst, NetCrypto, NetOctopus, NetScan,
NetShield, NetStalker, Network Associates, Network Performance Orchestrator, Network Policy Orchestrator, NetXray, NotesGuard, nPO, Nuts
& Bolts, Oil Change, PC Medic, PCNotary, PortalShield, Powered by SpamAssassin, PrimeSupport, Recoverkey, Recoverkey – International,
Registry Wizard, Remote Desktop, ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, SecureCast, SecureSelect, Service Level
Manager, ServiceMagic, SmartDesk, Sniffer, Sniffer (in Hangul), SpamKiller, SpamAssassin, Stalker, SupportMagic, ThreatScan, TIS, TMEG,
Total Network Security, Total Network Visibility, Total Network Visibility (in Katakana), Total Service Desk, Total Virus Defense, Trusted Mail,
UnInstaller, VIDS, Virex, Virus Forum, ViruScan, VirusScan, WebScan, WebShield, WebShield (in Katakana), WebSniffer, WebStalker, WebWall,
What's The State Of Your IDS?, Who’s Watching Your Network, WinGauge, Your E-Business Defender, ZAC 2000, Zip Manager are registered
trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. Sniffer® brand products
are made only by Network Associates, Inc. All other registered and unregistered trademarks in this document are the sole property of
their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED,
WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER
DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE
(AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE
PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE,
YOU MAY RETURN THE PRODUCT TO NETWORK ASSOCIATES OR THE PLACE OF PURCHASE FOR A FULL REFUND.
Attributions
This product includes or may include:
Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
Cryptographic software written by Eric A. Young (eay@cryptsoft.com) and software written by Tim J. Hudson (tjh@cryptsoft.com).
Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software
licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source
code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source
code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free
Software licenses require that Network Associates provide rights to use, copy or modify a software program that are broader than the rights granted in
this agreement, then such rights shall take precedence over the rights and restrictions herein.
Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer.
Software originally written by Robert Nordier, Copyright © 1996-7 Robert Nordier. All rights reserved.
Software written by Douglas W. Sauder.
Software developed by the Apache Software Foundation (http://www.apache.org/).
International Components for Unicode (“ICU”) Copyright © 1995-2002 International Business Machines Corporation and others. All rights reserved.
Software developed by CrystalClear Software, Inc., Copyright © 2000 CrystalClear Software, Inc.
FEAD® Optimizer® technology, Copyright Netopsystems AG, Berlin, Germany.
Issued SEPTEMBER 2003 / VirusScan® Enterprise software version 7.1.0

DOCUMENT BUILD 011-EN
Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Getting information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Contacting McAfee Security & Network Associates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1 Introducing VirusScan Enterprise . . . . . . . . . . . . . . . . . . . . . . . . 13

What’s new in this release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Product components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Orientation to the user interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Start menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
VirusScan Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Menu bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Task menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Edit menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
View menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Tools menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Help menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Task list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Status bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Right-click menus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Right-click menus from the console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Right-click scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
System tray . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Right-click scan or update from the system tray . . . . . . . . . . . . . . . . . . . . . . . . 26
Command line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Setting user interface options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Display options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Password options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Product Guide iii

Contents
Unlocking and locking the user interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Setting up scanning operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
On-access scanning vs. on-demand scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Scanning automatically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Scanning periodically, selectively, or on schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Virus Information Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Submitting a virus sample . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Setting up remote administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
3 On-Access Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Configuring the on-access scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
On-access scan properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
General settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
General properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Message properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Report properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Process settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Default processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Process properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Detection properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Advanced properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Action properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Low-risk and high-risk processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Assigning risk to a process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Process properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Detection properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Adding file type extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Adding user-specified file type extensions . . . . . . . . . . . . . . . . . . . . . . . . 69
Excluding files, folders, and drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Advanced properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Action properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Viewing scan results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Viewing scan statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Viewing the activity log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Responding to virus detections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Receiving notification of virus detections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Viewing on-access scan messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Taking action on virus detections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
iv VirusScan® Enterprise software version 7.1.0

Contents
4 On-Demand Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Creating on-demand tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Creating tasks from the start menu or system tray . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Creating tasks from the console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Configuring on-demand tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Where properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Adding, removing, and editing items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Adding items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Removing items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Editing items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Detection properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Advanced properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Action properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Report properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Resetting or saving default settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Scheduling on-demand tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Scanning operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Running on-demand tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Pausing and restarting on-demand tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Stopping on-demand tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Resumable scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Viewing scan results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Viewing scan statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Viewing the activity log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Responding to virus detections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Receiving notification of virus detections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Taking action on virus detections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
VirusScan Alert dialog box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
On-Demand Scan Progress dialog box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
5 E-mail Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

On-delivery e-mail scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Configuring the on-delivery e-mail scan for a local or remote host . . . . . . . . . . . . . 116
Configuring the on-delivery e-mail scan properties . . . . . . . . . . . . . . . . . . . . . . . . . 117
Detection properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Advanced properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Action properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Alert properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Product Guide v
Contents
Report properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Viewing on-delivery e-mail scan results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Viewing on-delivery e-mail scan statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Viewing the on-delivery e-mail activity log . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
On-demand e-mail scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Configuring the on-demand e-mail task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Detection properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Advanced properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Action properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Alert properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Report properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Running the on-demand e-mail task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Viewing on-demand e-mail scan results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Viewing the on-demand e-mail activity log . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
6 Virus Alerting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Configuring Alert Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Configuring recipients and methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Overview of adding alert methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Sending a test message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Setting the alert priority level for recipients . . . . . . . . . . . . . . . . . . . . . . . 157
Viewing the Summary page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Forwarding alert messages to another computer . . . . . . . . . . . . . . . . . . . . . . 160
Sending an alert as a network message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Sending alert messages to e-mail addresses . . . . . . . . . . . . . . . . . . . . . . . . . 166
Sending alert messages to a printer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Sending alert messages via SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Launching a program as an alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Logging alert notifications in a computer’s event log . . . . . . . . . . . . . . . . . . . . 175
Sending a network message to a terminal server . . . . . . . . . . . . . . . . . . . . . . 177
Using Centralized Alerting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Customizing alert messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Enabling and disabling alert messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Editing alert messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Changing alert priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Editing alert message text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Using Alert Manager system variables . . . . . . . . . . . . . . . . . . . . . . . . . . 185
vi VirusScan® Enterprise software version 7.1.0

Contents
7 Updating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Update strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
System variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
AutoUpdate tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
AutoUpdate task overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Creating an AutoUpdate task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Configuring an AutoUpdate task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Running AutoUpdate tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Running the update task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Activities that occur during an update task . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Viewing the activity log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
AutoUpdate repository list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
AutoUpdate repositories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Configuring the AutoUpdate repository list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Importing the AutoUpdate repository list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Editing the AutoUpdate repository list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Adding and editing repositories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Removing and reorganizing repositories . . . . . . . . . . . . . . . . . . . . . . . . 208
Specifying proxy settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Mirror tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Creating a mirror task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Configuring a mirror task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Running mirror tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Viewing the mirror task activity log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Rollback DAT files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Manual updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Updating from DAT file archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
8 Scheduling Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

Configuring task schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Task properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Schedule properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Schedule task frequencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Advanced schedule options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Scheduling tasks by frequency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Daily . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Weekly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Monthly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Product Guide vii

Contents
Once . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
At System Startup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
At Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
When Idle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Run Immediately . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Run On Dialup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
A Command-Line Scanner Program . . . . . . . . . . . . . . . . . . . . . . . 239

VirusScan Enterprise command-line options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
On-demand scanning command-line options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Customized installation properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
B Secure Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253

Registry keys requiring write access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
C Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Minimum Escalation Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Frequently asked questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Installation questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Scanning questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Virus questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
General questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Updating error codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
viii VirusScan® Enterprise software version 7.1.0

Preface
This guide introduces McAfee® VirusScan® Enterprise software version 7.1.0, and
provides the following information:
Overview of the product.
Descriptions of product features.
Descriptions of all new features in this release of the software.
Detailed instructions for configuring and deploying the software.
Procedures for performing tasks.
Troubleshooting information.
Glossary of terms.
Audience
This information is intended primarily for two audiences:
Network administrators who are responsible for their company’s anti-virus

and security program.
Users who are responsible for updating virus definition (DAT) files on their
computer, or configuring the software’s detection options.
Product Guide 9
Preface
Conventions
This guide uses the following conventions:
Bold All words from the user interface, including options, menus,
buttons, and dialog box names.
Example
Type the User name and Password of the desired account.
Courier Text that represents something the user types exactly; for example,
a command at the system prompt.
Example
To enable the agent, run this command line on the client
computer:
FRMINST.EXE /INSTALL=AGENT /SITEINFO=C:\TEMP\SITELIST.XML
Italic Names of product manuals and topics (headings) within the

manuals; emphasis; introducing a new term.
Example
Refer to the VirusScan Enterprise Product Guide for more
information.
<TERM> Angle brackets enclose a generic term.
Example
In the console tree under ePolicy Orchestrator, right-click
<SERVER>.
NOTE Supplemental information; for example, an alternate method of

executing the same command.
WARNING Important advice to protect a user, computer system, enterprise,

software installation, or data.
10 VirusScan® Enterprise software version 7.1.0

Getting information
Getting information
Installation Guide *† System requirements and instructions for installing and starting the software.
VirusScan Enterprise 7.1.0 Installation Guide
Product Guide * Product introduction and features, detailed instructions for configuring the
software, information on deployment, recurring tasks, and operating procedures.
VirusScan Enterprise 7.1.0 Product Guide
Help § High-level and detailed information on configuring and using the software.
What’s This? field-level help.
Configuration Guide * For use with ePolicy Orchestrator™. Procedures for configuring, deploying, and
managing your McAfee Security product through ePolicy Orchestrator
management software.
Implementation Guide * Supplemental information for product features, tools, and components.
Release Notes ‡ ReadMe. Product information, resolved issues, any known issues, and
last-minute additions or changes to the product or its documentation.
Contacts ‡ Contact information for McAfee Security and Network Associates services and
resources: technical support, customer service, AVERT (Anti-Virus Emergency
Response Team), beta program, and training. This file also includes phone
numbers, street addresses, web addresses, and fax numbers for Network
Associates offices in the United States and around the world.
* An Adobe Acrobat .PDF file on the product CD or the McAfee Security download site.
† A printed manual that accompanies the product CD. Note: Some language manuals may be available only as a .PDF file.
‡ Text files included with the software application and on the product CD.
§ Help accessed from the software application: Help menu and/or Help button for page-level help; right-click option for What’s
This? help.
Product Guide 11
Preface
Contacting McAfee Security & Network Associates

Technical Support
Home Page http://www.networkassociates.com/us/support/
KnowledgeBase Search https://knowledgemap.nai.com/phpclient/homepage.aspx
PrimeSupport Service Portal * http://mysupport.nai.com
McAfee Security Beta Program http://www.networkassociates.com/us/downloads/beta/
Security Headquarters — AVERT (Anti-Virus Emergency Response Team)
Home Page http://www.networkassociates.com/us/security/home.asp
Virus Information Library http://vil.nai.com
Submit a Sample — https://www.webimmune.net/default.asp
AVERT WebImmune
AVERT DAT Notification http://www.networkassociates.com/us/downloads/updates/
Service
Download Site
Home Page http://www.networkassociates.com/us/downloads/
DAT File and Engine Updates http://www.networkassociates.com/us/downloads/updates/
ftp://ftp.nai.com/pub/antivirus/datfiles/4.x
Product Upgrades * https://secure.nai.com/us/forms/downloads/upgrades/login.asp
Training
McAfee Security University http://www.networkassociates.com/us/services/education/mcafee/unive
rsity.htm
Network Associates Customer Service
E-mail services_corporate_division@nai.com
Web http://www.nai.com/us/index.asp
http://www.networkassociates.com/us/products/mcafee_security_home
.htm
US, Canada, and Latin America toll-free:
Phone +1-888-VIRUS NO or +1-888-847-8766
Monday – Friday, 8 a.m. – 8 p.m., Central Time
For additional information on contacting Network Associates and McAfee Security— including toll-free
numbers for other geographic areas — see the Contact file that accompanies this product release.
* Logon credentials required.
Technical Support

Introducing VirusScan
Enterprise 1
The VirusScan Enterprise 7.1.0 software provides protection from viruses for both
servers and workstations. The software offers easy scalable protection, fast
performance, and mobile design. You can specify scanning of local and network
drives, as well as Microsoft Outlook e-mail messages and attachments, configure
the application to respond to any infections the scanner finds, and generate reports
on its actions.
The VirusScan Enterprise software is a replacement for:
VirusScan version 4.5.1 software for workstations.
NetShield® NT version 4.5 software for servers.
NetShield for Celerra™ version 4.5 for Celerra™ filers.
VirusScan Enterprise version 7.0. for workstations and servers.
This Product Guide provides information on configuring and using the VirusScan
Enterprise software. For system requirements and installation instructions, refer to
the VirusScan Enterprise Installation Guide.
The following topics are addressed in this section:
What’s new in this release
Product components
Product Guide 13
Introducing VirusScan Enterprise
What’s new in this release

This release of VirusScan Enterprise includes the following enhancements:
Check Point™ VPN-1®/FireWall-1® SCV integration — The VirusScan

Enterprise software has been enhanced to integrate with Check Point
VPN-1/FireWall-1 SCV. When installed and enabled, the Check Point product
can be configured to prevent clients without up-to-date anti-virus protection
from accessing the corporate network through the Virtual Private Network
(VPN).
See the VirusScan Enterprise 7.1.0 Installation Guide for more information about
configuring Check Point.
McAfee Installation Designer™ and McAfee Desktop Firewall™ integration

— Use McAfee Installation Designer to configure McAfee Desktop Firewall
with VirusScan Enterprise 7.1.0. After configuration, you can deploy both
products together and reduce restarts to a maximum of one.
See the McAfee Installation Designer Product Guide for more information.
Smaller installation package — The VirusScan Enterprise installation package

has been optimized using Netopsystems’ Fast Electronic Application Distribution
(FEAD® Optimizer®) technology. This reduces network bandwidth required in
deployments. You can use McAfee Installation Designer 7.1 or later to recompose
the package, then optimize the package again after changes have been made. When
executing SETUP.EXE from the command line, you can apply special commands and
switches to recompose the installation files.
See the VirusScan Enterprise 7.1.0 Installation Guide for more information about
configuring Netopsystems’ FEAD Optimizer.
Engine and DAT files are contained in the .MSI file — The engine and DAT files
have been added to the .MSI file for VirusScan Enterprise 7.1.0. This allows
customers to deploy the product using a single .MSI file.
Visibility of ePolicy Orchestrator tasks — If you are using ePolicy

Orchestrator 3.0 or later to manage the VirusScan Enterprise software, you can
view ePolicy Orchestrator tasks for on-demand scan, update, and mirror in the
VirusScan Console. This allows users to see all tasks running on their
computers and also aids administrators and help desk operators in debugging
ePolicy Orchestrator tasks over the phone.
See the VirusScan Enterprise 7.1.0 Configuration Guide for use with ePolicy
Orchestrator 3.0 for details about enabling ePolicy Orchestrator task visibility.

Product components
Product components
The VirusScan Enterprise software consists of several components that are
installed as features. Each feature plays a part in defending your computer against
viruses and other potentially unwanted software. The features are:
VirusScan Console. The console is the control point that allows you to create,
configure, and run VirusScan Enterprise tasks. A task can include anything
from running a scan operation on a set of drives at a specific time or interval,
to running an update operation. You can also enable or disable the on-access
scanner from the console if you have administrator rights and if required, type
the password.
See VirusScan Console on page 19.
On-access scanner. The on-access scanner gives you continuous anti-virus

protection from viruses that arrive on disks, from your network, or from
various sources on the Internet. The scanner is fully configured upon
installation of the software; it starts when you start your computer, and stays
in memory until you shut down. The scanner provides process-based scanning
that allows scanning policies to be linked to applications such as Internet
Explorer. A flexible set of property pages lets you configure the scanner to
determine which parts of your system to examine, what to look for, which
parts to leave alone, and how to respond to any infected files the scanner finds.
In addition, the scanner can alert you when it finds a virus, and can generate
reports that summarize each of its actions.
See On-Access Scanning on page 39.
On-demand scanner. The on-demand scanner allows you to initiate a scan at

any time; specify scan targets and exclusions; determine how you want the
scanner to respond when it detects a virus; and see virus incident reports and
alerts. You can also create scan tasks that run at a specific time or within a
specified interval. You can define as many different on-demand scan tasks as
you require, then preserve the configured tasks for reuse.
See On-Demand Scanning on page 85.
E-mail scanner. The e-mail scanner allows you to scan your Microsoft Outlook
messages, attachments, or public folders to which you have access, directly on
the computer. If Outlook is running, e-mail is scanned on-delivery. You can
also perform an on-demand e-mail scan at any time. This allows you to find
potential infections before they make their way to your desktop.
See E-mail Scanning on page 115.
Product Guide 15
Introducing VirusScan Enterprise
AutoUpdate. The AutoUpdate feature allows you to update virus definition

(DAT) files and the scanning engine automatically, then distribute those
updates to computers on your network. You can also use this feature to
download HotFixes. Depending on the size of your network, you can
designate one or more trusted computers, including one that hosts your
internal HTTP site, to download new files automatically from the Network
Associates HTTP web site.
See Updating on page 187.

NOTE
AutoUpdate is one of the common core (common framework)
technologies used by many products.
Scheduler. This feature allows you to schedule on-demand, update, and
mirror tasks at specific times or intervals.
See Scheduling Tasks on page 221.
NOTE
The scheduler is one of the common core (common
framework) technologies used by many products.
Alert Manager. The Alert Manager™ product gives you the ability to receive
or send virus related alert messages. After it is installed, you can configure
Alert Manager to notify you as soon as the scanner detects a virus on the
computer, via e-mail, a printer, SNMP traps, or by other means. By default,
Alert Manager is not preconfigured; you must configure the software before
you can receive or send virus related alert messages.
See Virus Alerting on page 149 for specific details.
Command-line scanner. The command-line scanner can be used to initiate

targeted scan operations from the Command Prompt dialog box. SCAN.EXE, a
scanner for Windows NT environments only, is the primary command-line
interface.
Ordinarily, you can use the VirusScan Enterprise interface to perform most
scanning operations, but if you have trouble starting Windows or if the
VirusScan Enterprise features do not run in your environment, you can use the
command-line scanner as an alternative.
See Command-Line Scanner Program on page 239.

Getting Started
2
After you have installed the VirusScan Enterprise software, you can configure the
features.
Orientation to the user interface
Setting user interface options
Setting up scanning operations
Virus Information Library
Submitting a virus sample
Setting up remote administration
Product Guide 17
Getting Started

The VirusScan Enterprise software gives you the flexibility of performing an action
using several different methods. Although the specific details may vary, many of
the actions may be performed from the console, the toolbar, a menu, or the
desktop. Each of these methods is detailed in the following sections.
These interfaces are addressed in this section:
Start menu
VirusScan Console
Right-click menus
System tray
Command line
Start menu
You can use the Start menu to:
Access Alert Manager configuration, if Alert Manager is installed.
Access the VirusScan Console.
Open the on-access scan property pages.
Open the on-demand scan property pages. This is a one-time unsaved

on-demand scan.
Click Start, select Programs|Network Associates, then select a feature.
Figure 2-1. VirusScan — Start menu

VirusScan Console
The VirusScan Console is the control point for all of the program’s activities.
Use either of these methods to open the VirusScan Console:
Click Start, select Programs|Network Associates|VirusScan Console.

Right-click the VShield icon in the system tray, then select VirusScan
Console.
Menu bar
Toolbar
Task list
Status bar
Figure 2-2. The VirusScan Console
Menu bar
Toolbar
Task list
Status bar
Product Guide 19
Getting Started
Menu bar
The VirusScan Console includes menus with commands that allow you to create,
delete, configure, run, start, stop, and copy scan tasks to suit your most demanding
security needs. You can also connect and disconnect from a remote VirusScan
Enterprise computer. All of the commands are available from the menus. Some
commands are also available when you right-click a task in the VirusScan Console.
The following menus are addressed in this section:
Task menu
Edit menu
View menu
Tools menu
Help menu
Task menu
Use the Task menu to create and configure tasks, and view statistics and activity
logs.
Figure 2-3. Task menu
NOTE
The menu items Start, Stop, Disable, Delete, Rename, Statistics,
Activity Log, and Properties apply to the selected task.

Edit menu
Use the Edit menu to copy and paste selected tasks.
Figure 2-4. Edit menu
View menu
Use the View menu to specify whether to show the toolbar and status bar, or refresh
the console.
Figure 2-5. View menu
Tools menu
Use the Tools menu to configure alerts, launch the event viewer, specify user
interface options, lock or unlock user interface security, connect or disconnect a
computer when configuring a remote console, import or edit the repository list,
and roll back DAT files to a previous version.
Figure 2-6. Tools menu
Product Guide 21
Getting Started
Help menu
Use the Help menu to access online Help topics, the virus information library, or
the Technical Support web site. You can also submit a sample virus to the
Anti-Virus Emergency Response Team (AVERT). The About dialog box gives you
product, DAT file version, and scanning engine information.
Figure 2-7. Help menu
Toolbar
The toolbar gives you quick access to many commands just by clicking an icon. The
icons are:
Connect to a computer.
Disconnect from a computer.
Create a new task.
Display properties of the selected item.
Copy the selected item.
Paste the selected item.
Delete the selected item.

Start the selected item.
Stop the selected item.
Access the Virus Information Library.

Open the event viewer.
Configure alerting options.

Task list
The VirusScan Console includes a list of tasks that VirusScan Enterprise can
perform. A task is a set of instructions to run a program or scan operation, in a
specific configuration, at a certain time.
Figure 2-8. Task list
To configure a task, select the task, then click or double-click the task to open
its property pages. The following default tasks come with the VirusScan Enterprise
software:
On-Access Scan. This task allows you to perform automatic on-access

scanning. This task is unique and cannot be copied. To configure the on-access
scanner, see On-Access Scanning on page 39.
AutoUpdate. This task allows you to download the latest virus definition (DAT)
files and scanning engine. You can use this default update task and create other
update tasks to meet your requirements. To create, configure, and schedule
update tasks, see Updating on page 187.
E-mail Scan. This task allows you to perform on-delivery e-mail scanning. This
task is unique and cannot be copied. To configure an on-delivery or
on-demand e-mail task, see E-mail Scanning on page 115.
Scan All Fixed Disks. This task allows you to perform on-demand scanning.
You can use this default on-demand scan task and create others to meet your
requirements. To create, configure, and schedule on-demand tasks, see
On-Demand Scanning on page 85.
Product Guide 23
Getting Started
Other tasks that you create from the VirusScan Console are added to the task list.
For example:
New mirror task. This task allows you to create a mirror site for use in
downloading update files. You can create any number of mirror tasks. For
more information about mirror tasks see Mirror tasks on page 212.
In addition, you can view tasks created via ePolicy Orchestrator if you choose to
do so.
ePO Task - task name. If you are using ePolicy Orchestrator 3.0 or later to
manage the VirusScan Enterprise software, you can choose to view ePolicy
Orchestrator tasks in the VirusScan Console. This applies to on-demand,
update, and mirror tasks. See the VirusScan Enterprise Configuration Guide for
use with ePolicy Orchestrator 3.0 for information about enabling ePolicy
Orchestrator task visibility.
Status bar
The status bar shows the status of the current activity.
Right-click menus
Use right-click menus for quick access to commonly used actions; such as creating
new tasks, viewing task statistics and logs, opening task property pages, or
scanning a specific file or folder for viruses.
Right-click menus from the console. The right-click menus available from the
VirusScan Console vary, depending on whether you have selected a task in the
task list, and on which task you select. See Right-click menus from the console on
page 25 for details.
Right-click scan. This right-click scan feature allows you to select a specific file
or folder and immediately scan it for viruses. See Right-click scan on page 25 for
details.
Right-click scan from the system tray. This right-click scan feature allows you
to create a one-time, unsaved on-demand scan task. See Right-click scan or
update from the system tray on page 26 for details.

Right-click menus from the console

You have these options when you right-click an item in the task list:
On-access Scan. If you right-click the on-access scan task in the task list, you
can enable or disable the task, view task statistics, view the activity log, and
open the property pages.
Update. If you right-click an update task in the task list, you can start or stop
the task, delete the task, rename the task, view the activity log, and open the
property pages.
E-mail Scan. If you right-click an e-mail scan task in the task list, you can enable
or disable the task, view task statistics, view the activity log, and open the
property pages.
On-demand Scan. If you right-click an on-demand scan task in the task list, you
can start or stop the task, copy or paste the task, delete the task, rename the
task, view task statistics, view the activity log, and open the property pages.
When you right-click a blank area in the console, without selecting an item in the task
list, you can perform these actions:
New Scan task. Create a new on-demand scan task.
New Update task. Create a new update task.
New Mirror task. Create a new mirror task.
Paste. Paste a copied task into the task list.
User Interface options. Access the User Interface Options property pages. See
Setting user interface options on page 27 for information about setting these
options.
Right-click scan
You can perform an immediate on-demand scan of a selected file or folder by
right-clicking on the file or folder in Windows Explorer, then selecting Scan for
viruses. This is also known as shell extension scan. The on-demand scanner is
invoked directly with all scan settings, such as archive scanning, heuristic
scanning, and other options, enabled. This is useful if you are concerned that a
specific folder or file may be infected.
If a file or folder is found to be infected, it is displayed in a list view with the details
of the infected item at the bottom of the scanning dialog box. You can take action
on the infected item by right-clicking on it in the list view, and selecting either the
clean, delete, or move action.
You cannot customize scan options when performing a right-click scan. To

customize the scan options or create a new on-demand scan task, see Creating
on-demand tasks on page 86 for more information.
Product Guide 25
Getting Started
System tray
The on-access scanner installs and activates itself by default when you perform a
typical installation. Once active, the scanner displays the Vshield icon in the
Windows system tray.
Double-click in the system tray to view On-Access Scan Statistics.
Right-click scan or update from the system tray

Use this feature to create a one-time, unsaved on-demand scan or update task. This
is useful when you want to quickly scan a drive, folder, or file at a time other than
your regularly scheduled on-demand scan or perform an immediate update.
Right-click in the system tray to display the menu.
Figure 2-9. System tray menu
The system tray menu includes these options:
VirusScan Console. Display the VirusScan Console.
Disable On-Access Scan. Deactivate the on-access scanner. This function

toggles between Disable On-Access Scan and Enable On-Access Scan.
On-Access Scan Properties. Open the on-access scanner property pages to

configure the on-access scanner.
On-Access Scan Statistics. View on-access scanner statistics. You can enable or
disable the on-access scanner or open the on-access scanner property pages.
On-Access Scan Messages. View the on-access scanner messages. You can
remove a message, clean a file, delete a file, or move a file.
On-Demand Scan. Open the on-demand scanner property pages to configure

the on-demand scanner to perform a one-time unsaved on-demand scan.

Update Now. Perform an immediate update of the default update task.
NOTE
Update Now only works with the default update task which
was created when you installed the product. You can rename
and reconfigure the default update task, but if you delete the
default task, Update Now becomes disabled.
About VirusScan Enterprise. View specific information about the installed

software, such as virus definition (DAT) file and scanning engine version
numbers, as well as license information for the product.
Command line
Use the command line feature to perform activities from the Command Prompt.
See Command-Line Scanner Program on page 239 for more information.

Use these options to specify display and password settings when installing the
program, through McAfee Installation Designer, or from the Tools menu in the
VirusScan Console after installation.
This section describes how to set the display and password options from the
console. The following topics are addressed in this section:
Display options
Password options
Unlocking and locking the user interface
Product Guide 27
Getting Started
Display options
The Display Options dialog box allows you to determine which system tray options
users can access and set refresh time for the local console.
To set display options from the console:
1 Open the VirusScan Console. See VirusScan Console on page 19 for instructions.
2 Select Tools|User Interface Options|Display Options.
Figure 2-10. Display Options
3 Determine which system tray options you want users to see. Under System tray
icon, select an option:
Show the system tray icon with all menu options. This option is selected by
default. Allow users to see all menu options on the system tray.
Show the system tray icon with minimal menu options. Limit the right-click
menu items to only the About and On-Access Scan Statistics items. All
other menu items are hidden on the right-click menu.
Do not show the system tray icon. Do not allow users to have access to the
system tray icon.
4 Under Local console refresh time, select the frequency, in seconds, for which
you want to refresh the console.
5 Click Apply, then OK to save your changes and close the dialog box.

Password options
The Password Options dialog box allows you to set a security password for the
entire system or for only the tabs and controls you select. The same password is
used for all the selected tabs and controls.
Setting a password has the following impact for users:
Non-administrators — Users who do not have Windows NT administrator rights.

Non-administrators always run all VirusScan Enterprise applications in read-only
mode. They can view some configuration parameters, run saved scan tasks, and
run immediate scans and updates. They cannot change any configuration
parameters or create, delete, or modify saved scan and update tasks.
Administrators — Users who have Windows NT administrator rights. If a password is

not set, administrators run all VirusScan Enterprise applications in read/write
mode. They can view and change all configuration parameters, run tasks, and
create, delete, and modify saved scan and update tasks. If a password is set,
administrators see the protected tabs and controls in read-only mode if they have
not entered the security password. Administrators can lock or unlock the user
interface through the console. See Unlocking and locking the user interface on page 32
for more information.
NOTE
A locked red padlock indicates a password is required for the
item. An unlocked green padlock indicates the item is
read/write accessible.
Product Guide 29
Getting Started
To set password options from the console:
2 Select Tools|User Interface Options|Password Options.
Figure 2-11. Password Options
3 Choose one of these options:
No password. This option is selected by default.
Password protection for all items listed below. Users must type the specified
password before they can access any locked tabs or controls in the
software.
Select Password protection for all items listed below.

Type and confirm the password.
Password protection for the selected items below. Users must type the
specified password before they can access the items you lock here. Items
not locked do not require a password.
Select Password protection for the selected items below.

Type and confirm the password.
Select all the items for which this password applies.

4 Click Apply to save your changes.
5 Click OK.
WARNING
If the Console and Miscellaneous password item is locked, you
cannot perform the following:
Enable or disable on-access scanning — The menu items to enable and

disable on-access scanning, and equivalent toolbar icons, are disabled. In
addition, the Disable button on the VirusScan On-Access Scan
Statistics dialog box is disabled.
Enable or disable e-mail scanning — The menu items to enable and
disable e-mail scanning, and equivalent toolbar icons, are disabled. In
addition, the Disable button on the VirusScan On-Delivery E-mail Scan
Statistics dialog box is disabled.
Create a new on-demand scan task, update task, or mirror task — The
menu items to create new tasks, and equivalent toolbar icons are
disabled. In addition for on-demand scanning tasks, the Save As and
Save As Default buttons on the VirusScan On-Demand Scan
Properties dialog box are disabled.
Delete a task — The menu item to delete a task and equivalent toolbar
icon are disabled.
Rename a task — The menu item to rename a task and equivalent toolbar
icon are disabled.
Copy or paste a task — The menu items to copy and paste a task, and
equivalent toolbar icons are disabled.
Roll back the DAT files — The menu item to roll back the DAT files is
disabled.
Product Guide 31
Getting Started
Unlocking and locking the user interface

Administrators can unlock and lock protected tabs and controls through the
console.
NOTE
If password protection is selected for any item, the User
Interface Options dialog box is automatically protected as well.
If password protection has been set for any item and the user
logs out, the user interface is automatically locked again.
To unlock the user interface:
2 Select Tools|Unlock User Interface.
Figure 2-12. Security Password
3 Type the password.
4 Click OK.
To lock the user interface:
2 Select Tools|Lock User Interface.


The VirusScan Enterprise software provides different types of scanning for
different needs.
On-access scanning vs. on-demand scanning

Scanning automatically
Scanning periodically, selectively, or on schedule
On-access scanning vs. on-demand scanning

The VirusScan Enterprise software provides two types of scanning activities. You
can perform scanning activities:
On-access scanning. Automatic scanning for viruses is called on-access scanning.

You must have administrator rights, and the password if one is required, to
configure the on-access scan. See Scanning automatically on page 34 for more
information.
On-demand scanning. Periodic, selective, or scheduled scanning is called

on-demand scanning. You must have administrator rights, and the password if
one is required, to schedule an on-demand scan task, but any user can run an
on-demand task. See Scanning periodically, selectively, or on schedule on page 35 for
more information.
Because the on-access scanner provides your computer with ongoing, background
scanning protection, it may seem redundant to run on-demand scan tasks. But
good anti-virus security measures incorporate complete, regular system scans
because:
On-access scanning operations examine files as they are accessed or used.

The on-access scanner looks for viruses as files are used. If there is a
rarely-used but infected file on your system, the on-access scanner does not
detect the virus until the file is used. However, on-demand scan operations can
detect viruses in files stored on your hard disk, even if no one has yet used
them. An on-demand scan operation can detect a virus before the file executes.
Viruses are unexpected. Accidentally leaving a disk in your drive as you start
your computer could load a virus into memory before the on-access service
starts, particularly if you do not have the service configured to scan disks. Once
in memory, a potent virus can infect nearly any program.
Product Guide 33
Getting Started
On-access scanning takes time and resources. Scanning for viruses as you
run, copy or save files can delay software launch times and other tasks.
Depending on your situation, this could be time you might devote to
important work. Although the impact is slight, you might be tempted to
disable on-access scanning if you need every bit of available system power for
demanding tasks. In that case, performing regular scan operations during idle
periods can guard your system against infection without compromising
performance.
Good security is redundant security. In the networked, web-centric world in
which most computer users operate today, it takes only a moment to
download a virus from a source you might not even realize you visited. If a
software conflict disables background scanning for a moment, or if
background scanning is not configured to watch a vulnerable entry point, you
could end up with a virus. Regular scan operations can often catch infections
before they spread or do any harm.
On-access scanning provides continuous, real-time virus detection and response,
based on users’ activities. The VirusScan Enterprise anti-virus software program
provides a single on-access scan task, which examines for infections each time a
network user writes a file to the computer or reads a file from the computer. The
scanner attempts to clean any infection it finds, and records its activities in a log
file. You can change its settings to define:
Files and file types to be scanned.
Circumstances that precipitate a scan.
Action you want the scanner to take when it detects an infection.
Contents, if any, of the scanner’s activity report.
Files to exclude from on-access scanning.
See On-Access Scanning on page 39 for specific details about configuring on-access
scanning.


Two types of on-demand scan tasks are available:
One-time, unsaved on-demand scan tasks.
Saved on-demand scan tasks.
A one-time unsaved on-demand task can be configured and scheduled, but is not
saved for future use unless you choose to save it.
A saved on-demand scan task can be planned in advance, and run whenever you
feel it is necessary, or on a regularly scheduled basis. You can create an unlimited
number of scan tasks that target specific locations on the network. You can define
them narrowly to a specific drive, folder, or file, or broadly, to multiple drives,
folders, or files. Once created, saved scan tasks remain available until they are
deleted from the VirusScan Console. They can be edited, as needed.
For a complete discussion of setting up on-demand scanning activities, see

On-Demand Scanning on page 85.

The McAfee Security Anti-Virus Emergency Response Team (AVERT) Virus
Information Library has detailed information on where viruses come from, how
they infect your system, and how to remove them.
In addition to genuine viruses, the Virus Information Library contains useful

information on virus hoaxes, those dire e-mail warnings about disk-eating
attachments. A Virtual Card For You and SULFNBK are two of the best-known
hoaxes, but there are many others. Next time you receive a well-meaning virus
warning, view our hoax page before you pass the message on to your friends.
Product Guide 35
Getting Started
To access the Virus Information Library:
Figure 2-13. VirusScan Console
2 Select Virus Information from the Help menu.
Submitting a virus sample

If you have a suspicious file that you believe contains a virus, or experience a
system condition that might result from an infection, McAfee Security
recommends that you send a sample to its anti-virus research team for analysis.
Submission not only initiates an analysis, but a real-time fix, if warranted.
To submit a sample virus to AVERT:
2 Select Submit a Sample from the Help menu.
3 Follow the directions on the web site.


You can perform operations such as modifying or scheduling scanning or update
tasks, or enabling or disabling the on-access scanner on a remote computer. To do
so, you must have administrator rights and the Remote Registry Service must be
running.
NOTE
If you do not have administrator rights to connect to the
remote computer, you receive an Insufficient user rights, access
denied error message.
When you start the VirusScan Console, the name of the computer you are
connected to appears in the console title bar, and in the menu at the left of the
console toolbar. If you have not connected to a computer elsewhere on the
network, the title bar shows the name of your local computer.
To administer a remote computer on which the VirusScan Enterprise program is
installed:
1 From the Tools menu, select Remote Connection or click in the toolbar.
The Connect to Remote Computer dialog box appears.
Figure 2-14. Connect to Remote Computer
2 Click to select a computer in the Connect to computer list or type the name
of the computer that you want to administer in the text box. You can also click
Browse to locate the computer on the network.
NOTE
If environment variables are used while configuring the path
name of the file or folder for a remote task, be sure that the
environmental variable exists on the remote computer. The
VirusScan Console cannot validate environmental variables
on the remote computer.
Product Guide 37
Getting Started
3 Click OK to make a connection attempt to the destination computer.

NOTE
When you connect to the remote computer, the title bar
changes to reflect that computer’s name, and the tasks in the
task list are those for the remote computer. You can add,
delete, or reconfigure tasks for the remote computer.
The console reads the remote computer’s registry and displays the tasks of the
remote computer. Once the tasks appear in the console, you can perform on a local
computer.
To disconnect from the computer you have connected to, click in the console
toolbar, or select Disconnect Computer from the Tools menu. When you disconnect
from the remote computer, the console refreshes to display the local computer’s
tasks.

On-Access Scanning
3
The VirusScan Enterprise anti-virus program uses its on-access scanner to provide
your computer with continuous, real-time virus detection and response based on
the settings you configure. You can configure process-based scanning that allows
scanning policies to be linked to applications.
When an infection is detected, the on-access scanner records a message with details
about the infected file, allows you to quickly access the message and take
immediate action on the infected file.
Configuring the on-access scanner
Viewing scan results
Responding to virus detections
Product Guide 39
On-Access Scanning

To ensure its optimal performance on your computer or in your network
environment, you need to configure the program to determine what you want it to
scan, what you want it to do if it finds a virus, and how it should notify you when
it has.
The on-access scanner comes configured with most response properties enabled.
By default, the scanner is set to clean a virus when it finds one. If the virus is not
cleanable, the default secondary action is to quarantine the virus. The scanner also
records the incident in the log file.
On-access scan properties
General settings
Process settings
Adding file type extensions
Adding user-specified file type extensions
Excluding files, folders, and drives

On-access scan properties

To configure the on-access scanner:
2 Open the On-Access Scan Properties using one of these methods:
Select On-Access Scan Properties from the console’s Task menu.

Right-click On-Access Scan in the console, then select Properties.
Double-click On-Access Scan in the console.
Highlight On-Access Scan in the console, then click in the console
toolbar.
Right-click in the system tray and select On-Access Scan Properties.
Click Start, then select Programs|Network Associates|VirusScan

On-Access Scan.
Product Guide 41
On-Access Scanning
The On-Access Scan Properties dialog box appears.
Figure 3-2. On-Access Scan Properties — default view
The On-Access Scan Properties dialog box allows you to configure general
settings and three types of processes. The icons in the left pane of the dialog
box give you access to the configurable options.
When the On-Access Properties dialog box first opens, the default view
provides access to properties for General Settings and All Processes.
General Settings. Set general detection, message, and reporting properties

for all types processes. See General settings on page 43 for detailed
information about setting these properties.
All Processes. Set process, detection, advanced, and action properties to be

the same for all processes, or set them to be different for default, low-risk
and/or high-risk processes. See Process settings on page 49 for detailed
information about setting these properties.

General settings
The properties you specify in General Settings apply to default, low-risk, and
high-risk processes.
These properties can be configured:
General properties
Message properties
Report properties
General properties
Use the options on the General tab to configure basic properties for on-access
scanning.
1 Open the On-Access Scan Properties dialog box, then select General Settings in
the left pane.
2 Select the General tab.
Figure 3-3. General Settings — General tab
Product Guide 43
On-Access Scanning
3 Under Scan, choose which parts of the computer you want the scanner to
examine. Select from these options:
Boot sectors. This option is selected by default. Include the disk boot sector
during scanning activities. The scanner includes the disk boot sector when
a disk is mounted. In some situations it may be appropriate to disable boot
sector analysis when a disk contains a unique or abnormal boot sector that
cannot be subjected to virus scanning.
Floppy during shutdown. This option is selected by default. Scan the boot sector
of any floppy disk left in your drive as you shut down your computer. If
the disk is infected, the computer does not shut down until the disk is
removed.
4 Under General, select from these options:
Enable on-access scanning at system startup. This option is selected by default.

Start the on-access service when you start your computer.
Quarantine Folder. Accept the default location and name for the quarantine
folder, type a path to a different location for the quarantine folder, or click
Browse to locate a suitable folder on your local drive.
The default location and name for the quarantine folder is:
<drive>:\quarantine
NOTE
The quarantine folder should not be located on a floppy drive
or CD drive. It must be located on a hard drive.
5 Under Scan time, specify the maximum archive and scanning time, in seconds,
for all files. If a file takes longer than the specified time to scan, the scan stops
cleanly and a message is logged. If the scan cannot be stopped cleanly, it
terminates and restarts, and a different message is logged. Select from these
options:
Maximum archive scan time (seconds). The default setting is 15 seconds.
Accept the default or select the maximum number of seconds the scanner
should spend scanning an archive file. The time you select for the archive
time must be less than the time you select for scanning all files.
Enforce a maximum scanning time for all files. This option is selected by default.
Define a maximum scanning time and enforce it for all files.
Maximum scan time (seconds). The default setting is 45 seconds. Accept the
default or select the maximum number of seconds the scanner should
spend scanning a file.

Message properties
Use the options on the Messages tab to configure user message properties for
on-access scanning.
the left pane.
2 Select the Messages tab.
Figure 3-4. General Settings — Messages tab
3 Under Messages for local users, select message options. Some of these options
apply to all users and others apply only to users without administrator rights.
These options apply to all users:
Show the messages dialog when a virus is detected. This option is selected by
default. Display the On-Access Scan Messages dialog box when a virus is
detected. See Responding to virus detections on page 80 for more information
about the On-Access Scan Messages dialog box.
Text to display in message. If you selected Show the messages dialog when
a virus is detected, you can accept the default message or type a custom
message that displays when an infection is detected. The default message is
VirusScan Alert!
Product Guide 45
On-Access Scanning
The following options apply to the actions that users without administrator
rights are allowed to take on messages listed in the On-Access Scan Messages
dialog box. Select any combination of these options:
Remove messages from the list. This option is selected by default. Allow users
without administrator rights to remove messages from the list.
Clean infected files. This option is selected by default. Allow users without
administrator rights to clean infected files referenced by the messages in
the list.
Delete infected files. Allow users without administrator rights to delete

infected files referenced by the messages in the list.
Move infected files to the quarantine folder. This option is selected by default.
Allow users without administrator rights to move infected files, which are
referenced by messages in the list, to the quarantine folder.
4 Under Response to network users, select from these options:
Send message to user. Send a message to the network user when a virus is
detected. For example, you can send an alert message to a network user
that is running on a remote computer and accesses the protected file
system through a network share.
If you select this option, you can accept the default message or type a
custom message in the text box provided. The default message is Virus
Alert!!!
WARNING
The Windows Messenger service must be running to receive
this message.
Disconnect remote users and deny access to network share. Automatically

disconnect any user who reads from, or writes to, an infected file in a
shared folder on your computer. The scanner then rewrites the
permissions to exclude the user who attempted to read from, or write to,
the infected file in the shared folder.

Report properties
Use the options on the Reports tab to configure logging activity and specify what
information you want to capture for each log entry.
NOTE
The log file can serve as an important management tool for
tracking virus activity on your network and to note which
settings you used to detect and respond to any virus that the
scanner found. The incident reports recorded in the file can
help you determine which files you need to replace from
backup copies, examine in quarantine, or delete from your
computer. See Viewing the activity log on page 79 for more
information about how to view the log.
To configure Reports properties:
the left pane.
2 Select the Reports tab.
Figure 3-5. General Settings — Reports tab
Product Guide 47
On-Access Scanning
3 Under Log file, select from these options:
Log to file. This option is selected by default. Record on-access scanning virus
activity in a log file.
In the text box, accept the default log file name and location, type a
different log file name and location, or click Browse to locate a suitable file
elsewhere on your computer or network.
NOTE
By default, the scanner writes log information to the
ONACCESSSCANLOG.TXT file in this folder:
<drive>:Winnt\Profiles\All Users\Application
Data\Network Associates\VirusScan
Limit size of log file to. This option is selected by default. The default log file size
is 1MB. Accept the default log size or set a different size for the log. If you
select this option, type a value between 1MB and 999MB.
NOTE
If the data in the log file exceeds the file size you set, the oldest
20 percent of the log file entries are deleted and new data is
appended to the file.
4 Under What to log in addition to virus activity, select the additional information
that you want to record in the log file:
Session settings. Record the properties that you chose for each scanning
session in the log file.
NOTE
A scanning session is the period of time that the scanner
remains loaded in memory on your computer. It ends when
you either unload the program or restart your computer.
Session summary. This option is selected by default. Summarize the scanner’s
actions during each scanning session and add the information to the log
file. Summary information includes the number of files scanned, the
number and type of viruses detected, the number of files moved, cleaned,
or deleted, and other information.
Failure to scan encrypted files. This option is selected by default. Record the
name of encrypted files that the scanner failed to scan in the log file.
User name. This option is selected by default. Record the name of the user
logged on to the computer at the time the scanner records each log entry,
in the log file.

Process settings
Choose whether to use the same settings for all processes, or whether to specify
different settings for default, low-risk, and high-risk processes.
Figure 3-6. On-Access Scan Properties — All Processes
Use the settings on these tabs for all processes. Specify the same scanning
properties for all processes. The procedure for setting properties for all
processes is the same as the procedure for setting properties for default
processes. See Default processes on page 50 for a step-by-step procedure.
Use different settings for high-risk and low-risk processes. Specify different
properties for processes based on whether they are default processes or are
defined as low-risk or high risk. See Low-risk and high-risk processes on page 60
Product Guide 49
On-Access Scanning
NOTE
When you select this option, the All Processes icon changes to
Default Processes, and both the Low-Risk Processes and
High-Risk Processes icons become available in the left pane.
.
Figure 3-7. On-Access Scan Properties
These topics are addressed in this section:

Default processes
Low-risk and high-risk processes
Default processes
A default process is any process that is not defined as a low-risk or high-risk
process.
NOTE
When setting properties for all processes, follow the
procedures for setting default process properties.
These properties can be configured:
Process properties
Detection properties
Advanced properties
Action properties

Process properties
Use the options on the Processes tab to specify properties for default processes or
all processes:
1 Open the On-Access Scan Properties dialog box, then select All Processes in the
left pane.
2 Select the Processes tab if it is not already selected, then select one of these
options:
Use the settings on these tabs for all processes. This option is selected by
default. If you specify properties with this option selected, the properties
you select apply to all processes. You cannot set different properties for
default, low-risk and high-risk processes.
Use different settings for high-risk and low-risk processes. Set different
properties for default, low-risk and high-risk processes.
NOTE
Figure 3-8. Default Processes — Processes tab
Product Guide 51
On-Access Scanning
Use the options on the Detection tab to specify what types of files you want the
on-access scanner to examine, and when you want to scan them.
left pane.
2 Select one of these options:
NOTE
3 Select the Detection tab.
Figure 3-9. Default Processes — Detection tab

4 Under Scan Files, select any combination of these scanning options:
When writing to disk. This option is selected by default. Scan all files as they are
written to or modified on the server, workstation, or other data storage
device.
When reading from disk. This option is selected by default. Scan all files as they
are read from the server, workstation, or other data storage device.
On network drives. Include network resources during on-access scans. This
is a convenient way to extend virus protection.
NOTE
Including network resources could have a negative effect on
the overall performance of the system that is running the scan.
WARNING
If you are copying or moving a file from one computer to
another, and the on-access scan properties on both computers
have been configured to scan files both written to disk and
read from disk, scanning occurs when the file is read by the
source computer and again when it is written to the destination
computer.
If the prevailing traffic pattern on your network is copying or

moving files from one computer to another, you may want to
configure your scanning properties to scan only files written
to disk, and not to scan files read from disk. This eliminates
double-scanning of the same file. It is possible to achieve the
same result by configuring all computers to scan only files
read from them, and not files written to them.
If you use either of these configuration patterns, it is

important that all computers be configured identically. Do not
configure some computers to scan only files written to disk,
and others to scan only files read from disk. This would allow
an infected file to be copied from a computer that scans only
files written to disk to a computer that scans only files read
from disk.
Product Guide 53
On-Access Scanning
5 Under What to scan, select from these options:
All files. This option is selected by default. Scan all files regardless of extension.
Default + additional file types. Scan the default list of extensions plus any
additions you specify. The default list of file type extensions is defined by
the current DAT file. You can add or remove user-specified file type
extensions, but you cannot delete any file type extensions from the default
list. You can, however, exclude extensions that appear in the default list.
See Excluding files, folders, and drives on page 70 for more information.
Additions. If you selected Default + additional file types, click Additions

to add or remove user-specified file type extensions. See Adding file
type extensions on page 68 for detailed instructions.
The maximum number of additional extensions that the on-access

scanner can list is 1,000.
Also scan for macro viruses in all files. Scan all files, regardless of
extension, for macro viruses. This option is only available when the
Default + additional file types option is selected.
NOTE
Scanning for macro viruses in all files could affect
performance.
Specified file types. Scan only the extensions you specify.
Specified. If you selected Specified file types, click Specified to add or

remove user-specified file type extensions. You can also set the list of
file type extensions to the default list. See Adding user-specified file type
extensions on page 69 for detailed instructions.
The maximum number of specified extensions that the on-access

6 Under What not to scan, click Exclusions to specify the files, folders, and drives
that you want to exclude from scanning. See Excluding files, folders, and drives
on page 70 for detailed instructions.

Advanced properties
Use the options on the Advanced tab to specify advanced scan options for
heuristics, non-virus program files, and compressed files.
left pane.
NOTE
3 Select the Advanced tab.

.
Figure 3-10. Default Processes — Advanced tab
Product Guide 55
On-Access Scanning
4 Under Heuristics, specify whether you want the scanner to evaluate the
probability that an unknown piece of code or a Microsoft Office macro is a
virus. When this feature is enabled, the scanner analyzes the likelihood that the
code is a variant of a known virus. Select any combination of these options:
Find unknown program viruses. This option is selected by default for default
processes and high-risk processes. Treat executable files that have code
resembling a virus as if they were infected. The scanner applies the action
you choose on the Actions tab.
Find unknown macro viruses. This option is selected by default for default
processes and high-risk processes. Treat embedded macros that have code
NOTE
This option is not the same as Also scan for macro viruses in all
files on the Detection tab, which instructs the scanner to find
all known macro viruses. This option instructs the scanner to
assess the probability that an unknown macro is a virus.
5 Under Non-viruses, specify if you want the scanner to search for non-virus
programs that are potentially unwanted.
Find potentially unwanted programs. Detect programs that are potentially

unwanted.
Find joke programs. If you selected Find potentially unwanted

programs, you can also scan for joke programs.
WARNING
VirusScan Enterprise does not take any action on potentially
unwanted program files or joke programs that it detects.
Detections are logged in the log file.
If you want to take action on a detected potentially unwanted
program file or joke program, you must take action manually.
For example, if you want to remove a detected joke program,
you must remove it manually.

6 Under Compressed files, specify which types of compressed files you want the
scanner to examine:
Scan inside packed executables. This option is selected by default for default
processes and high-risk processes. Examine compressed files that contain
executable files. A packed executable is a file that, when run, extracts itself
into memory only. Packed executable files are never extracted to disk.
Scan inside archives. Examine archive files and their contents. An archive
file is a compressed file that must be extracted prior to accessing the files
within it. Files contained inside archives are scanned when they are written
to disk.
Decode MIME encoded files. Detect Multipurpose Internet Mail Extensions

(MIME) encoded files, decode them, then scan them.
NOTE
Although it does give you better protection, scanning
compressed files can increase the amount of time required to
perform a scanning activity.
Action properties
Use the options on the Actions tab to specify the primary and secondary actions
you want the scanner to take when it detects a virus.
left pane.
properties for default, low-risk, and high-risk processes.
NOTE
Product Guide 57
On-Access Scanning
3 Select the Actions tab.
Figure 3-11. Default Processes — Actions tab
4 Under When a virus is found, select the primary action that you want the
scanner to take when a virus is detected.
NOTE
The default primary action is Clean infected files automatically.
Click to select one of these actions:
Deny access to infected files. Denies all users access to any infected files the
scanner finds. Be sure to enable the Log to file property on the General
Settings, Reports tab, so that you have a record of which files are infected.
NOTE
If the file is written to the local system from an outside source,
for example a CD-ROM or the Internet, the scanner adds a .VIR
extension to the end of the file name. The scanner considers
this type of file action to be a write action.
If the file is copied, for example from one location on a hard
disk to another location, the .VIR extension is not added to the
file name. The scanner considers this to be a move action.
Move infected files to a folder. The scanner moves infected files to a folder
that is named quarantine by default. You can change the name of the folder
in the Quarantine Folder text box on the General Settings, General tab.

Delete infected files automatically. The scanner deletes infected files as soon
as it detects them. Be sure to enable the Log to file property on the General
Settings, Reports tab, so that you have a record of which files were infected.
If you select this option, you are required to confirm your selection. Click
Yes to confirm your selection, or click No to deselect this option.
WARNING
If you selected Find unknown macro viruses on the Advanced
tab, the action you select here applies to any macro that has
code resembling a virus. If you select Delete infected files
automatically, any file that has code resembling a macro virus
is deleted, and any archive that contains an infected file is
deleted. If that is not your intention, be certain that your
choice of action corresponds with your choice of action for
macros.
Clean infected files automatically. This option is selected by default. The
scanner tries to remove the virus from the infected file. If the scanner
cannot, or if the virus has damaged the file beyond repair, the scanner
performs the secondary action. See Step 5 for more information.
5 Under If the above Action fails, select the secondary action that you want to the
scanner to take if the first action fails. The available options depend on the
primary action you selected.
NOTE
The default secondary action is Move infected files to a folder.
Click to select the secondary action:
Deny access to infected files.
Move infected files to a folder. This option is selected by default.
Delete infected files automatically.
Product Guide 59
On-Access Scanning
Low-risk and high-risk processes

Process-based scanning allows you to define scanning policies based on your
perceived risk of infection from a defined process.
Determine which processes should be designated as low-risk or high-risk, then set

the properties for each type of process.
Assigning risk to a process
Process properties
Advanced properties
Action properties

Assigning risk to a process

A process is a program in execution. A program may initiate one or more
processes. When deciding what risk or scanning policy to assign to a process,
remember that only the child processes of the defined parent process adhere to the
scanning policy. For example, if you define the Microsoft Word executable file,
WINWORD.EXE, as a high-risk scanning process, any Microsoft Word documents
that are accessed would be scanned based on the high-risk scanning policy.
However, when the parent process, Microsoft Word, is launched the WINWORD.EXE
file would be scanned based on the policy of the process that launched it.
You can assign two types of risks to processes:
Low-risk processes are defined as those processes that have a lower possibility of
being infected. These can be processes that access a lot of files, but do so in a
way that has a lower risk of spreading viruses. Some examples are:
Backup software.
Compiling processes.
High-risk processes are defined as those processes that have a higher possibility
of being infected. Some examples are:
Processes that launch other processes. For example, Microsoft Windows

Explorer, or the command prompt.
Processes that execute. For example, WINWORD or CSCRIPT.

Processes used for downloading from the Internet. For example, browsers,
instant messengers, and mail clients.
NOTE
When you install VirusScan Enterprise with default settings,
the Use the settings on these tabs for all processes option is
selected. If you select Use different settings for high-risk and
low-risk processes some processes are predefined as high-risk.
You can change this list to meet your needs.
Any process that is not defined as either low-risk or high-risk is considered to be a

default process and is scanned with the properties that you set for default processes.
Product Guide 61
On-Access Scanning
To determine which risk to assign to which processes, complete these steps:
1 Decide why you want to have different scanning policies. The two most
common reasons when balancing performance against risk are:
To scan some processes, such as web downloads, more thoroughly than is

accomplished by the default scanning policy.
To scan some processes to a lesser extent based on the risk and impact on
performance that occurs during scanning. For example, capturing
streaming media such as video has little risk, but is very resource intensive.
2 Decide which processes are low-risk and which are high-risk. First determine
which program is responsible for each process, then decide what risk is
associated with that process. Use the Windows Task Manager or Windows
Performance Monitor to help you understand which processes are using the
most CPU time and memory. Once you have this information you can associate
each process with a scanning policy based on the processes’ performance and
risk.
3 Configure the scanning policies for each of the three levels: default, low-risk
and high-risk.
NOTE
We do not recommend reducing the level of scanning for
high-risk processes. The high-risk scanning policy is initially
set the same as default processes to ensure that high-risk
processes maintain an in-depth level of scanning.
Process properties
Use the options on the Processes tab to define processes as either low-risk or
high-risk:
NOTE
Any process that is not defined as either low-risk or high-risk
is considered to be a default process and is scanned with the
properties that you set for default processes.
left pane.
2 Select Use different settings for high-risk and low-risk processes.

NOTE
3 Select either Low-Risk Processes or High-Risk Processes.

4 Select the Processes tab.
Figure 3-12. Low-Risk or High-Risk Processes — Processes tab
The list shows the current list of processes, in alphabetical order by file name.
Each process is shown with its application icon, file name, and description if
available. The default settings are:
The Low-Risk Processes list is empty.
The High-Risk Processes list is populated with processes that McAfee
Security considers to be high-risk. You can add or remove processes from
this list to meet your security needs.
NOTE
The steps you take to add or select processes are identical for
low-risk and high-risk processes.
Product Guide 63
On-Access Scanning
5 To add applications, click Add. The Select Application dialog box appears.
Figure 3-13. Select Application
a Select application(s) that you want to add, using these methods:
Select application(s) from the list.

Use CTRL + SHIFT to select more than one application.
Click Browse to locate an application on the network.
b When you have finished selecting applications, click OK to save your

selections and return to the Processes tab.
6 To remove applications, highlight one or more applications in the list, then
click Remove.

8 Repeat Step 3 through Step 7 to define applications as either low-risk or
high-risk.

on-access scanner to examine, and when you want to scan them.
left pane.

NOTE

Figure 3-14. Low-Risk or High-Risk Processes — Detection tab
NOTE
After you select the process icon from the left pane, the steps
you take to set Detection options are identical for low-risk and
Product Guide 65
On-Access Scanning
5 Under Scan Files, select any combination of these scanning options:
When writing to disk. This option is selected by default. Scan all files as they are
written to or modified on the server, workstation, or other data storage
device.
When reading from disk. This option is selected by default. Scan all files as they
are read from the server, workstation, or other data storage device.
On network drives. Include network resources during on-access scans. This
is a convenient way to extend virus protection.
NOTE
Including network resources could have a negative effect on
the overall performance of the system that is running the scan.
WARNING
If you are copying or moving a file from one computer to
another, and the on-access scan properties on both computers
have been configured to scan files both written to disk and
files read from disk, scanning occurs when the file is read by
the source computer and again when it is written to the
destination computer.
If the prevailing traffic pattern on your network is copying or

moving files from one computer to another, you may want to
configure your scanning properties to scan only files written
to disk, and not to scan files read from disk. This eliminates
double-scanning of the same file. It is possible to achieve the
same result by configuring all computers to scan only files
read from them, and not files written to them.
If you use either of these configuration patterns, it is

important that all computers be configured identically. Do not
configure some computers to scan only files written to disk,
and others to scan files only read from disk. This would allow
an infected file to be copied from a computer that scans only
files written to disk to a computer that scans only files read
from disk.


The maximum number of additional extensions that the on-access

NOTE
performance.

The maximum number of specified extensions that the on-access

you want to exclude from scanning. See Excluding files, folders, and drives on
page 70 for detailed instructions.
9 Repeat Step 3 through Step 8 to specify detection settings for low-risk or

Product Guide 67
On-Access Scanning
Adding file type extensions

Add user-specified file types to the default list of file types. You can also use this
feature to remove any user-specified file types you added. The default list plus any
user-specified file types are scanned during scanning operations.
NOTE
You cannot change or remove file types from the default list of
file types. The default list is defined by the latest DAT file you
downloaded. To prevent an extension from being scanned,
exclude it. See Excluding files, folders, and drives on page 70 for
more information.
1 Click Additions to open the Additional File Types dialog box.
Figure 3-15. Additional File Types
2 Under Add File Type, you can add user-specified file type extensions in two
ways:
Type a file type extension in the text box, then click Add.
NOTE
You only need to type the first three letters of the file type
extension. If you type an HTM file extension, the scanner
searches for HTM and HTML files. You can use a wildcard or a
combination of characters with a wildcard.
Click Select to open the Select File Type dialog box. Select one or more file
type extensions from the list, then click OK.
Use CTRL + SHIFT to select more than one file type extension.
The file type extensions you added appear in the User-specified additional file
types list.

3 You can remove user-specified file type extensions from the user-specified list
in two ways:
Select one or more file type extensions in the User specified additional file
types list, then click Remove.
Click Clear to remove all items from the User specified additional file types
list.
Adding user-specified file type extensions

Create a list of user-specified file type extensions to be scanned during scanning
operations. You can also use this feature to remove any of the user-specified file
type extensions you added previously.
1 Click Specified to open the Specified File Types dialog box.
Figure 3-16. Specified File Types
2 Under Add File Type, you can add user-specified file type extensions in two
ways:
Type a file type extension in the text box, then click Add.
NOTE
You only need to type the first three letters of the file type
extension. If you type an HTM file extension, the scanner
searches for HTM and HTML files. You can use a wildcard or a
combination of characters with a wildcard.
Click Select to open the Select File Type dialog box. Select one or more file
type extensions from the list, then click OK.
The file type extensions you added appear in the list under Only files of these
types will be scanned.
Product Guide 69
On-Access Scanning
3 You can remove user-specified file type extensions from the list in two ways:
Select one or more file type extensions in the list under Only files of these
types will be scanned, then click Remove.
Click Clear to remove all items from the list under Only files of these types
will be scanned.
4 Click Set to Default to replace the current list of user-specified file type
extensions with the default list. The default list of file type extensions is
defined by the current DAT file.
5 Click OK to save your changes and return to the Detection tab.
Excluding files, folders, and drives

Specify files, folders, and drives to exclude from scanning operations. You can also
use this feature to remove any of the exclusions you specified previously.
1 Click Exclusions to open the Set Exclusions dialog box.
Figure 3-17. Set Exclusions
2 Add or edit files, folders, or drives. Windows File Protection is listed by default.
To add an item, click Add to open the Add Exclusion Item dialog box.
To edit an item, double-click the item or select it, then click Edit to open the
Edit Exclusion Item dialog box.
NOTE
The exclusion options are the same whether you are adding an
exclusion item or editing it.

Figure 3-18. Add Exclusion Item
3 Under What to exclude, select one of these options:
By name/location. This option is selected by default. Specify the name or

location. This can include wildcards * and ?. You can type specific
information in the text box or click Browse to locate a name or location.
NOTE
You can specify full pathnames such as C:\WINNIT\SYSTEM*,
file names such as PAGEFILE.SYS, or PAGEFILE.*, or P*.*, or *.SYS,
or folder names such as BACKUP. For example, specifying
BACKUP folder excludes all folders named BACKUP, where ever
they are located.
When using wildcards, these limitations apply:
Valid wildcards are ? for excluding single characters and * for

excluding multiple characters.
A \ cannot follow wildcard characters. For example,
C:\ABC\WWW? is valid, but C:\ABC\WWW?\123 is not valid.
An exclusion that does not begin with a path or \ such as WWW* is

treated as a file only.
An exclusion containing ? characters applies if the number of
characters matches the length of the file or folder name. For
example, the exclusion W?? excludes WWW, but does not exclude
WW or WWWW.
Product Guide 71
On-Access Scanning
Also exclude subfolders. If you selected By name/location, you can

exclude the subfolders of the folders that match the specified pattern.
By file type. Specify a file extension by type. Type a file extension in the text
box or click Select to open the Select File Type dialog box, where you can
select one or more extensions from the list. Click OK to save your entries
and close the dialog box.
NOTE
The file extension that you specify can include wildcards.
Valid wildcards are ? for excluding single characters and * for
excluding multiple characters.
By file age. Specify whether you want to exclude files by age.
Access type. If you selected By file age, click to specify an access

type of Modified or Created.
Minimum age in days. If you selected By file age, specify the minimum
number age of the file in days. The file must be at least this many days
old before it is excluded.
Files protected by Windows File Protection. Specify that this exclusion is

based on a file’s Windows File Protection status.
4 Under When to exclude, specify when to exclude the items from scanning:
On read. This option is selected by default. Specify that the exclusion items are
excluded from scans when read from disk.
On write. This option is selected by default. Specify that the exclusion items are
excluded from scans when written to disk.
NOTE
The On read and On write options are not available for
on-demand scan tasks.
5 Click OK to save your changes and return to the Set Exclusions dialog box.
6 You can remove user-specified file type extensions from the item list in two
ways:
Select one or more file type extensions in the list, then click Remove.
Click Clear to remove all items from the list.
7 Click OK to save your changes and return to the Detection tab.

Advanced properties
Use the options on the Advanced tab to specify advanced scan options for
heuristics, non-virus program files, and compressed files.
left pane.

NOTE

.
Figure 3-19. Low-Risk or High-Risk Processes — Advanced tab
NOTE
you take to set Advanced options are identical for low-risk and
Product Guide 73
On-Access Scanning
virus. When this feature is enabled, the scanner analyzes the likelihood that the
code is a variant of a known virus. Select any combination of these options:
Find unknown program viruses. This option is selected by default for default
processes and high-risk processes. Treat executable files that have code
Find unknown macro viruses. This option is selected by default for default
processes and high-risk processes. Treat embedded macros that have code
you choose on the Actions tab to those files.
NOTE
6 Under Non-viruses, specify if you want the scanner to search for non-virus

unwanted.

WARNING
scanner to examine. You have these options:
Scan inside packed executables. This option is selected by default for default
processes and high-risk processes. Examine compressed files that contain
executable files. A packed executable is a file that, when run, extracts itself
into memory only. Packed executable files are never extracted to disk.

to disk.

NOTE
9 Repeat Step 3 through Step 8 to configure advanced settings for low-risk or

Action properties
left pane.

NOTE
Product Guide 75
On-Access Scanning
Figure 3-20. Low-Risk or High-Risk Processes — Actions tab
NOTE
you take to set Actions options are identical for low-risk and
5 Under When a virus is found, select the primary action that you want the
scanner to take when a virus is detected.
NOTE
The default primary action is Clean infected files automatically.
Deny access to infected files. Denies all users access to any infected files the
scanner finds. Be sure to enable the Log to file property on the General
Settings, Reports tab, so that you have a record of which files are infected.
NOTE
If the file is written to the local system from an outside source,
for example a CD-ROM or the Internet, the scanner adds a .VIR
extension to the end of the file name. The scanner considers
this type of file action to be a write action.
If the file is copied, for example from one location on a hard

disk to another location, the .VIR extension is not added to the
file name. The scanner considers this to be a move action.

Move infected files to a folder. The scanner moves infected files to a folder
that is named quarantine by default. You can change the name of the folder
in the Quarantine Folder text box on the General Settings, General tab.
Delete infected files automatically. The scanner deletes infected files as soon
as it detects them. Be sure to enable the Log to file property on the General
Settings, Reports tab, so that you have a record of which files were infected.
WARNING
code resembling a virus. If you select Delete infected files
automatically, any file that has code resembling a macro virus
is deleted, and any archive that contains an infected file is
deleted. If that is not your intention, be certain that your
choice of action corresponds with your choice of action for
macros.
Clean infected files automatically. This option is selected by default. The

scanner tries to remove the virus from the infected file. If the scanner
cannot, or if the virus has damaged the file beyond repair, the scanner
performs the secondary action. See Step 6 for more information.
6 Under If the above Action fails, select the secondary action that you want to the
scanner to take if the first action fails. The available options depend on the
primary action you selected.
NOTE
Click to select the secondary action:
Deny access to infected files.
Move infected files to a folder. This option is selected by default.
Delete infected files automatically.
8 Repeat Step 3 through Step 7 to configure action settings for low-risk or

Product Guide 77
On-Access Scanning

You can view the results from your on-access scanning operation in the statistics
summary and the activity log.
Viewing scan statistics

Viewing the activity log

The On-Access Scan Statistics summary shows the number of files that the scanner
examined, the number of viruses it found, and the actions it took in response.
2 Use either of these methods to open the On-Access Scan Statistics dialog box:
Double-click in the system tray.
Right-click the on-access scan task in the task list and select Statistics.
Figure 3-21. On-Access Scan Statistics
The On-Access Scan Statistics dialog box shows the Last file scanned in the
upper pane, and a statistical summary in the lower pane.

3 You can perform either of these functions if you have administrator rights and
type the password, as required:
NOTE
The Disable and Properties buttons are hidden if the user
interface is configured to show minimal menu options. This
option is set on the Tools|User Interface Options|Display
Options tab.
Click Disable to deactivate the on-access scanner. This function toggles

between Disable and Enable.
Click Properties to open the On-Access Scan Properties dialog box, change
the scan properties you want to modify, then click Apply to save your
changes.
The scan runs with your new settings immediately.
4 When you have finished reviewing scan statistics, click Close.

The on-access scan activity log shows specific details about the scanning operation.
For example, it shows the number of files that the scanner examined, the number
of viruses it found, and the actions it took in response.
2 Use either of these methods to open the activity log file:
Highlight the task, then select Activity Log from the Task menu.
Right-click the task in the task list and select View Log.
3 To close the activity log, select Exit from the File menu.
Product Guide 79
On-Access Scanning

The on-access scanner looks for viruses based on the configuration settings you
selected in the On-Access Scan Properties dialog box. See Configuring the on-access
scanner on page 40 for more information. When a virus is detected, these actions
occur:
You receive a notification if you have configured Alert Manager and/or the
on-access scanner to notify you when a virus is detected.
The on-access scanner records a message in the On-Access Scan Messages

dialog box.
Receiving notification of virus detections
Viewing on-access scan messages
Taking action on virus detections


The on-access scanner can send three types of notifications when it detects a virus:
On-Access Scan Messages dialog box — The On-Access Scan Messages

dialog box displays when a virus is detected, if you configured the on-access
scanner to do so. See Message properties on page 45 for more information about
configuring message options.
See Viewing on-access scan messages on page 82 for more detailed information
about the On-Access Scan Messages dialog box.
Messenger Service to network users — A message is sent to network users

when a virus is detected, if you configured the on-access scanner to do so. See
Message properties on page 45 for more information about configuring message
options.
The message provides details about the infected file, such as the name and
location of the file, type of virus detected, and the version of scanning engine
and DAT file used to detect the virus. View the message details, then click OK
to dismiss the message.
Messenger Service — A network message displays, if you have configured

Alert Manager to do so. See Configuring Alert Manager on page 150 for more
information.
Following is an example of a network message from Alert Manager.
Figure 3-22. On-Access Scan — Messenger Service
The message provides details about the infected file, such as the name and
location of the file, type of virus detected, and the version of scanning engine
and DAT file used to detect the virus.
You may receive more than one notification depending on how you have
configured Alert Manager and the on-access scanner.
View the message details, then click OK to dismiss the message.
Product Guide 81
On-Access Scanning
NOTE
If you do not have any of the three message options
configured to send a message when a virus is detected, you do
not receive any notification. However, you can always review
the On-Access Scan Messages dialog box to see detected
viruses. See Viewing on-access scan messages on page 82 for
more information.
Viewing on-access scan messages

When a virus is detected, the on-access scanner records a message in the On-Access
Scan Messages dialog box. This dialog box lists all messages for the current user in
chronological order. If the user is an administrator, it can optionally list all
messages on the local system.
This dialog box automatically displays when a virus is detected, if you have
configured the on-access scanner to do so.
You can open this dialog box at any time by right-clicking in the system tray
and selecting On-Access Scan Messages.
Figure 3-23. On-Access Scan Messages
The On-Access Scan Messages dialog box is separated into several sections:
Menus — Provides menus for taking actions on files or messages.
The File menu provides actions that can be taken on files or messages in the
list.
The View menu provides options for controlling visibility of parts of the
dialog box.
The Options menu gives options for showing all messages and always
keeping the On-Access Scan Messages dialog box on top.

The Help menu provides access to help topics for the VirusScan Enterprise
product, access to the Virus Information, Submit a Sample, and Technical
Support web sites, as well as information about the currently installed
product, license, scanning engine, and DAT files.
VirusScan Message — Displays specific details about the selected message.
Buttons — Displays buttons for actions that are available for the selected
message. If an action is not available for the selected message, the
corresponding button is disabled.
Message List — Lists the messages for viruses detected by the on-access
scanner. The columns in the list area are sortable by clicking on the column
header.
Status bar — Displays the status of the selected message.

This section describes the actions that you can take when a virus is detected by the
on-access scanner.
NOTE
You also have the option of sending a virus sample to AVERT
for analysis. See Submitting a virus sample on page 36 for more
information.
Use the On-Access Scan Messages dialog box to take action on viruses detected by
the on-access scanner.
1 Right-click in the system tray and select On-Access Scan Messages.
2 Highlight a message in the list, then select an action using one of these
methods:
File menu.
Buttons to select an action.

Right-click the highlighted message and select an action.
Product Guide 83
On-Access Scanning
Following are the actions that may be taken on messages in the list:
Clean File — Attempts to clean the file referenced by the selected message.
In some cases, a file cannot be cleaned, either because it has no cleaner or

because the virus has damaged the file beyond repair. If the file cannot be
cleaned, the scanner appends a .VIR extension to the file name and denies
access to it. An entry is recorded in the log file.
NOTE
If a file cannot be cleaned, we recommend that you delete the
file and restore it from an uninfected backup copy.
Move File — Moves the file referenced by the selected message to the
quarantine folder. The location of the quarantine folder is defined on the
General Settings, General tab in the On-Access Scan Properties.
Delete File — Deletes the file referenced by the selected message. The file name
is recorded in the log, so that you can restore it from a backup copy.
Select All (CTRL+A) — Selects all the messages in the list.
Remove Message (CTRL+D) — Removes the selected message from the list.
Messages that have been removed from the list are still visible in the log file.
If an action is not available for the current message, the corresponding icon,
button, and menu items are disabled. For example, Clean File is not available if
the file has already been deleted.
The administrator can use the options on the General Settings, Messages tab in
the On-Access Scan Properties, to configure what actions users without
administrator rights can perform on messages in the list. If an action is
suppressed by the administrator, the button is hidden, and the icon and menu
items are disabled.
Other actions that are available:
Open Log File — Opens the activity log file.
Close Window — Closes the On-Access Scan Messages dialog box.

On-Demand Scanning
4
The on-demand scanner provides you with a method for scanning all parts of your
computer for viruses, at convenient times or at regular intervals. Use it to
supplement the continuous protection that the on-access scanner offers, or to
schedule regular scan operations when they do not interfere with your work.
In memory process scanning and incremental scanning make virus detection more
efficient than ever.
In memory process scanning checks all active processes prior to running the
on-demand scan. Where infected processes are found, we highlight the
infection and stop the process. This means that only a single pass with the
on-demand scanner is required to remove all instances of a virus.
Incremental, or resumable scanning allows the scanner to start where it last left
off. You can define a start and stop time for scheduled scans. The on-demand
scanner logically works through each folder and related files. When the time
limit is reached, the scan is stopped. With incremental scanning on the next
scheduled scan, the on-demand scan continues from the point in the file and
folder structure where the previous scan stopped.
Creating on-demand tasks

Configuring on-demand tasks
Resetting or saving default settings
Scheduling on-demand tasks

Scanning operations
Product Guide 85
On-Demand Scanning

You can create on-demand tasks using three methods. The type of scan you create,
saved or unsaved, depends on the method you use. Choose from these options:
From the Start menu — Tasks created from the Start menu are one-time,
unsaved tasks, unless you choose to save the task for future use.
From the icon in the system tray — Tasks created from the system tray are
one-time, unsaved tasks, unless you choose to save the task for future use.
From the VirusScan Console — Tasks created from the console are
automatically saved in the task list for future use.
NOTE
If you create on-demand scanning tasks via ePolicy
Orchestrator 3.0 or later, and enable task visibility, you can
also see these on-demand scanning tasks in the VirusScan
Console. These ePolicy Orchestrator tasks are read-only and
cannot be configured from the VirusScan Console. See the
VirusScan Enterprise Configuration Guide for use with ePolicy
Orchestrator 3.0 for more information.
Creating tasks from the start menu or system tray
Creating tasks from the console
Creating tasks from the start menu or system tray

The on-demand scan task you create from either the start menu or the system tray
is a one-time, unsaved task. The task you create can then be configured, scheduled,
and run, but unless you choose to save it, the task is discarded when you close the
On-Demand Scan Properties dialog box.
2 Open the On-Demand Scan Properties using one of these methods:
Click Start, then select Programs|Network Associates|VirusScan

On-Demand Scan.
Right-click in the system tray and select On-Demand Scan.

The On-Demand Scan Properties (Unsaved Task) dialog box appears.
Figure 4-1. On-Demand Scan Properties — (Unsaved Task)
NOTE
You can identify this as an unsaved on-demand scan task
because the title bar shows (Unsaved Task). Click Save As to
save the task to the console for use again. When you save the
task, the On-Demand Scan Properties title bar changes from
(Unsaved Task) to the task name you specify.
3 Configure the one-time, unsaved on-demand scan task. See Configuring

on-demand tasks on page 89 for detailed instructions.
5 To schedule the task, you must first save the task, then click Schedule. You
cannot schedule an unsaved task. See Configuring task schedules on page 222 for
detailed instructions.
6 To run the task, click Scan Now. See Running on-demand tasks on page 107 for
more information.
Product Guide 87
On-Demand Scanning
Creating tasks from the console

The VirusScan Console comes with a default Scan All Fixed Disks on-demand scan
task. You can rename this task and/or create an unlimited number of on-demand
tasks.
To create a new on-demand task from the console:
2 Create a new scan task using one of these methods:
Right-click a blank area in the console, without selecting an item in the task
list, then select New Scan Task.
Select New Scan task from the Task menu.

Click in the console toolbar.
A new on-demand task appears, highlighted, in the VirusScan Console task

list.

3 Type a new name for your task, then press ENTER to open the On-Demand Scan
Properties dialog box.
Figure 4-3. On-Demand Scan Properties

You can configure the on-demand scanner to determine where and what you want
to scan, what you want it to do if it finds a virus, and how it should notify you
when it has.
Where properties
Advanced properties
Action properties
Report properties
Adding items
Removing items
Editing items
Product Guide 89
On-Demand Scanning
Where properties
Use the options on the Where tab to specify the locations you want to scan for
viruses.
1 Open the On-Demand Scan Properties dialog box for the task you are
configuring.
2 Select the Where tab.
Figure 4-4. On-Demand Scan Properties — Where tab
NOTE
By default, the dialog box lists all of the drives on your
computer and all of the subfolders they contain. A scan
operation this inclusive can take a long time. You may want to
narrow this scan for regular use later.
3 Under Item name, specify where you want scanning to take place. All fixed disks
and Memory of running processes are listed by default.
NOTE
If you are creating a new scan task, All Local Drives and
Memory of running processes are listed by default.
Use the Add, Remove, and/or Edit buttons to specify the items to scan. See
Adding, removing, and editing items on page 91 for detailed instructions.

4 Under Scan options, specify additional scanning criteria. Select from these
options:
Include subfolders. This option is selected by default. The scanner examines all
subfolders in the volumes you target for scanning. To scan only the root
level of your chosen volumes, deselect Include subfolders.
Scan boot sector(s). This option is selected by default. The scanner examines
the disk boot sector. It may be appropriate to disable boot sector analysis
when a disk contains a unique or abnormal boot sector that cannot be
subjected to virus scanning.
Adding, removing, and editing items

Follow these procedures to Add, Remove, or Edit items in the Item name list of the
On-Demand Scan Properties.
Adding items
Removing items
Editing items
Adding items
configuring.
2 On the Where tab, click Add to open the Add Scan Item dialog box.
Figure 4-5. Add Scan Item
Product Guide 91
On-Demand Scanning
3 Click to select a scan item from the list. Choose from these options:
My computer. This option is selected by default. Scans all local and

mapped drives.
All local drives. Scans all of the drives on your computer and all of the
subfolders they contain.
All fixed disks. Scans hard drives physically connected to your

computer.
All removable media. Scans only floppy disks, CD-ROM discs, Iomega
ZIP disks, or similar storage devices physically attached to your
computer.
All network drives. Scans network drives logically mapped to a drive

letter on your computer.
Memory of running processes. Scans the memory of all running

processes. This scan occurs before all other scans.
User’s home folder. Scans the home folder of the user who starts the
scan.
User’s profile folder. Scans the profile of the user who starts the scan.
This includes the My Documents folder.
Drive or folder. Scans a specific drive or folder. Type the path to the
drive or folder in the Location text box, or click Browse to locate and
select a drive or folder.
When you have finished browsing, click OK to return to the Add Scan
Item dialog box.
File. Scan a specific file. Type the path to the file in the Location text
box, or click Browse to open the Select Item To Scan dialog box where
you can locate and select a file.
When you have selected an item, click Open to return to the Add Scan
Item dialog box.
4 Click OK to save your changes and return to the On-Demand Scan Properties
dialog box.

Removing items
configuring.
2 On the Where tab, select one or more items that you want to delete in the Item
name list, then click Remove.
3 Click Yes to confirm that you want to remove the item.

Editing items
configuring.
2 On the Where tab, select an item in the Item name list, then click Edit to open the
Edit Scan Item dialog box.
Figure 4-6. Edit Scan Item
3 Click to select a scan item from the Item to scan list. All local drives is selected
by default.
NOTE
The options you have here are the same as the options in
Adding items. See Step 3 on page 92 for a complete list and
description of available options.
4 Click OK to return to the On-Demand Scan Properties dialog box.

Product Guide 93
On-Demand Scanning
on-demand scanner to examine, and when you want to scan them.
configuring.
Figure 4-7. On-Demand Scan Properties — Detection tab


The maximum number of additional extensions that the on-demand

NOTE
performance.

The maximum number of specified extensions that the on-demand

to exclude from scanning. See Excluding files, folders, and drives on page 70 for
detailed instructions.
Product Guide 95
On-Demand Scanning
Scan inside packed executables. This option is selected by default. Examine
compressed files that contain executable files. A packed executable is a file
that, when run, extracts itself into memory only. Packed executable files
are never extracted to disk.
to disk.

Advanced properties
Use the options on the Advanced tab to specify advanced scanning properties, such
as scanning for unknown program viruses and potentially unwanted programs,
setting the CPU utilization level, and miscellaneous options.
configuring.
Figure 4-8. On-Demand Scan Properties— Advanced tab

virus. When this feature is enabled, the scanner analyzes the likelihood that it
is a variant of a known virus. Select any combination of these options:
Find unknown program viruses. This option is selected by default. Treat

executable files that have code resembling a virus as if they were infected.
The scanner applies the action you choose on the Actions tab.
Find unknown macro viruses. This option is selected by default. Treat
embedded macros that have code resembling a virus as if they were
infected. The scanner applies the action you choose on the Actions tab to
those files.
NOTE
4 Under Non-viruses, specify whether you want the scanner to find non-virus

unwanted.

programs, you can also scan for joke programs that are potentially
unwanted.
WARNING
Product Guide 97
On-Demand Scanning
5 Under CPU utilization, use the slider to set the utilization level for the scan task
in relation to the other tasks running on your computer. 100% is selected by
default. This ensures that other running software does not slow down during a
scan operation, but the scan takes longer. Set the scan task to a lower scanning
level if you plan to run it at a time when the CPU is in heavy use with other
essential operations.
NOTE
The CPU limitation you specify does not work when scanning
encrypted files. The decryption is done by LSASS.EXE, not by
the SCAN32 process. Scanning encrypted files is CPU intensive,
therefore even if the CPU limit on the scanning thread is low, it
is still scanning files fast enough that LSASS.EXE must keep
busy to supply the decrypted data.
6 Under Miscellaneous, select from these options:
Scan files that have been migrated to storage. Scan files that have been
moved to offline storage.
NOTE
If you are using Remote Storage to extend disk space on your
server, the on-demand scanner can scan the cached files.
Remote Storage data storage is hierarchical, with two defined
levels. The upper level, called local storage, includes the NTFS
disk volumes of the computer running Remote Storage on
Windows 2000 Server. The lower level, called remote storage,
is located on the robotic tape library or stand-alone tape drive
that is connected to the server computer.
Remote Storage automatically copies eligible files on your

local volumes to a tape library, then monitors space available
on the local volumes. File data is cached locally so that it can
be accessed quickly as needed. When necessary, Remote
Storage moves data from the local storage to remote storage.
When you need to access a file on a volume managed by
Remote Storage, open the file as usual. If the data for the file is
no longer cached on your local volume, Remote Storage
recalls the data from a tape library.
Rescan all files when DAT files are updated. Re-examine all files when new
DAT files are installed or updated. This is best used for scheduled,
resumable scans. Using this feature reduces the risk of infection by
re-examining files for new viruses.

Scan window. Normal is selected by default. Click to specify how you want
the scan window to appear during on-demand scans. The options are:
Normal
Minimized
Hidden
NOTE
Although the scan window can be configured to be normal,
minimized, or hidden, the scheduled and remote task
windows are always hidden regardless of the configured
mode.
Action properties
configuring.
Figure 4-9. On-Demand Scan Properties — Actions tab
Product Guide 99
On-Demand Scanning
3 Under When a virus is found, select the primary action you want the scanner to
take when a virus is detected.
NOTE
The default primary action is Clean infected files.
Prompt for action. Prompt the user for action when a virus is detected.
If you select this option, you can also select what actions are allowed in
addition to Stop and Continue. The additional choices are:
Clean file. Allow the infected file to be cleaned.
Delete file. Allow the infected file to be deleted.
Move file. Allow the infected file to be moved.
No secondary action is allowed for this option.
Continue scanning. Continue scanning when an infected file is found.
Move infected files to a folder. The scanner moves infected files to a

quarantine folder. You can accept the default location of the folder in the
Folder text box, or click Browse to navigate to the location where the folder
is located.
<drive>:\quarantine
NOTE
Clean infected files. This option is selected by default. The scanner tries to
remove the virus from the infected file. If the scanner cannot, or if the virus
has damaged the file beyond repair, the scanner performs the secondary
action. See Step 4 for more information.

Delete infected files. The scanner deletes infected files as soon as it detects
them. Be sure to enable Log to file on the Reports tab, so that you have a
record of which files are infected.
WARNING
code resembling a virus. If you select Delete infected files, any
file that has code resembling a macro virus is deleted, and any
archive that contains an infected file is deleted. If that is not
your intention, be certain that your choice of action
corresponds with your choice of action for macros.
4 Under If the above Action fails, select the secondary action you want the
scanner to take if the first action fails.
NOTE
Prompt for action. If you select this option, you can also select what actions
are allowed in addition to Stop and Continue. The additional choices are:
Clean file. Allow the infected file to be cleaned. This option is

disabled if you selected Clean file as the primary action.
Delete file. Allow the infected file to be deleted. This option is

disabled if you selected Delete file as the primary action.
Move file. Allow the infected file to be moved. This option is

disabled if you selected Move file as the primary action.
Product Guide 101

On-Demand Scanning
Move infected files to a folder. This option is selected by default. The scanner
moves infected files to a quarantine folder. You can accept the default
location of the folder in the Folder text box, or click Browse to navigate to
the location where the folder is located.
<drive>:\quarantine
NOTE
Delete infected files. The scanner deletes infected files as soon as it detects
them. Be sure to enable Log to file on the Reports tab, so that you have a
record of which files are infected.
Report properties
Use the options on the Reports tab to configure logging activity. Specify the log file
location and size, and what information to capture for each log entry.
NOTE
computer. See Viewing the activity log on page 111 for more
information.
1 Open the On-Demand Scan Properties dialog box.

Figure 4-10. On-Demand Scan Properties — Reports tab
Log to file. This option is selected by default. Record on-demand scanning

virus activity in a log file.
NOTE
ONDEMANDSCANLOG.TXT file in this folder:
Data\Network Associates\VirusScan.
NOTE
Product Guide 103

On-Demand Scanning
to record in the log file:
logged on to the computer at the time the scanner records each log entry in
the log file.

Resetting or saving default settings

After you have configured the on-demand task, you have the option of resetting
the configuration settings to the default settings or saving the current
configuration settings as the default.
If you do not want to reset the defaults or save the current settings as the default,
skip these steps.
1 Select from these options:

Reset to Default. Restores the default scan settings.
Save as Default. Saves the current scanning configuration as the default

configuration. If you Save as Default, all new tasks are created with this
configuration.
Product Guide 105

On-Demand Scanning
Scheduling on-demand tasks

After you have configured an on-demand task, you can schedule it to run at
specific dates and times, or intervals.
Figure 4-11. On-Demand Scan Properties — Schedule
configuring.
2 Click Schedule. See Scheduling Tasks on page 221 for detailed instructions about
how to schedule a task.

Scanning operations
Scanning operations
You can run scheduled on-demand tasks unattended, start immediate scan tasks,
and pause, stop, and restart tasks during the scanning operation.
NOTE
The on-demand scanner does not scan its own quarantine
folder during scanning operations. The on-demand scanner is
designed to exclude the quarantine folder during scanning
operations to avoid repeat scanning or scanning loops.
Running on-demand tasks
Pausing and restarting on-demand tasks
Stopping on-demand tasks
Resumable scanning
Running on-demand tasks

Once you have configured your task with the scan properties you want, you can
run the scan task using one of these methods:
Scan as scheduled. If you scheduled the scan, allow the task to run unattended.
Figure 4-12. On-Demand Scan Task — In Progress
NOTE
For the scanner to run your task, your computer must be
active. If your computer is down when the task is scheduled
to start, the task starts at the next scheduled time if the
computer is active, or when the computer starts if you selected
the Run missed task option on the Schedule Settings, Schedule
tab.
Product Guide 107

On-Demand Scanning
NOTE
The scanner always exits after completing scheduled tasks
that are launched by the Scheduler and remote tasks that are
run on a remote computer.
Scan immediately. You can start on-demand scan tasks immediately using
several methods:
Create an on-demand scan task from the system tray or Start menu, then
from the On-Demand Scan Properties dialog box, click Scan Now.
From the VirusScan Console, right-click an on-demand scan task and select
Start.
From Windows Explorer, right-click a file, folder, drive, or other item, then
select Scan for viruses.
The On-Demand Scan dialog box appears.
Figure 4-13. On-Demand Scan — In Progress
NOTE
The scanner does not exit automatically upon completion of
the scan for these types of immediate scans. To exit the
scanner, select Exit from the Scan menu.
Pausing and restarting on-demand tasks

You can pause and restart an on-demand task during the scanning operation.
To pause an on-demand task, click , in the On-Demand Scan dialog box.
To restart an on-demand task, click , in the On-Demand Scan dialog box.

Stopping on-demand tasks

You can stop an on-demand task during the scanning operation using one of these
methods:
Click in the On-Demand Scan dialog box.
From the On-Demand Scan Properties dialog box, click Stop.
Resumable scanning
The on-demand scanner automatically resumes scanning where it left off if the
scan is interrupted before it completes. The incremental scan feature of the
on-demand scanner recognizes the last file it scanned, so the next time the scan
starts, you have the option of starting the scan from where it left off, or starting the
scan from the beginning.
Figure 4-14. Resumable scan

You can view the results from your on-demand scanning operation in the statistics
summary and the activity log.
Product Guide 109

On-Demand Scanning

The On-Demand Scan Statistics summary shows the number of files that the
scanner examined, the number of viruses it found, and the actions it took in
response.
To see statistics and results for your task:
1 Open the VirusScan Console, right-click the on-demand task in the task list,
and select Statistics.
Figure 4-15. On-Demand Scan Statistics
The On-Demand Scan Statistics dialog box shows each of the scan targets you
have chosen for this task in an upper pane, progress of the scan in the center
pane, and a statistical summary in the lower pane.
If your scan task is still in progress, the center pane shows the file that the
scanner is currently examining, and the status of the scan operation.
NOTE
If the task is run again, the statistics shown here are only for
the last scan.
2 Click Properties to open the On-Demand Scan Properties dialog box, change the
scan properties you want to modify, then click Apply to save your changes.
The scan runs with your new settings when the next on-demand scan starts. If
an on-demand scan is in process when you change the scan properties, the new
settings do not take effect until the next on-demand scan starts.
3 When you have finished reviewing scan statistics, click Close.


The on-demand scan activity log shows specific details about the scanning
operation. For example, it shows the number of files that the scanner examined, the
number of viruses it found, and the actions it took in response.

The on-demand scanner looks for viruses based on the configuration settings you
selected in the On-Demand Scan Properties dialog box. See Configuring on-demand
tasks on page 89 for more information.
When a virus is detected, you receive a notification if you have configured Alert
Manager and/or the on-demand scanner to notify you when a virus is detected.
Product Guide 111

On-Demand Scanning

The on-demand scanner can send three types of notifications when it detects a
virus:
VirusScan Alert — An alert dialog box displays when a virus is detected, if you
configured the on-demand scanner to Prompt for action as either the primary
or secondary action on the Actions tab. See Action properties on page 99 for
more information.
See Taking action on virus detections on page 113 for more information about the
VirusScan Alert dialog box.
Messenger Service — A network message displays, if you have configured

Alert Manager to do so. See Configuring Alert Manager on page 150 for more
information.
Following is an example of a network message from Alert Manager:
Figure 4-16. On-Demand Scan — Messenger Service
The message provides details about the infected file, such as name of the file,
location of the file, type of virus detected, and version of scanning engine and
DAT file used to detect the virus. View the message details, then click OK to
dismiss the message.
On-Demand Scan Progress dialog box — The On-Demand Scan Progress dialog
box displays while the on-demand scanner is performing a task. If any
infections are found, they appear in the lower pane of the dialog box. See
On-Demand Scan Progress dialog box on page 114 for more information.
You may receive more than one notification depending on how you have
configured Alert Manager and the on-demand scanner.
NOTE
If you have not configured the on-demand scanner or Alert
Manager to send notification, you do not receive a VirusScan
Alert or network message. However, you can always see
detected viruses in the On-Demand Scan Progress dialog box,
during the scan operation.


This section describes the actions that you can take when a virus is detected by the
on-demand scanner.
NOTE
You also have the option of sending a virus sample to AVERT
for analysis. See Submitting a virus sample on page 36 for more
information.
Use either the VirusScan Alert dialog box or the On-Demand Scan Progress dialog
box to take action on the detected virus, depending on how you were notified of
virus detection.
If you were notified with a VirusScan Alert take action on the detected virus
from that dialog box.
If you saw the virus detection in the On-Demand Scan Progress dialog box, take
action on the detected virus from there.
VirusScan Alert dialog box

The VirusScan Alert dialog box appears to notify you of a virus detection if you
have configured the on-demand scanner to Prompt for action. It provides
information about where the detected file is located and what type of virus it
detected in the file.
Figure 4-17. VirusScan Alert
Select an action to perform on the infected file:
Continue — Continues the scanning operation, records each detection in the

activity, and lists each infected file in the On-Demand Scan dialog box.
Stop — Stops the scanning operation immediately.
Product Guide 113

On-Demand Scanning
Clean — Attempts to clean the file referenced by the selected message.
If the file cannot be cleaned, either because it has no cleaner or because the
virus has damaged the file beyond repair, an entry is recorded in the log file.
Alternative responses may be suggested. For example, if a file cannot be
cleaned, you should delete the file and restore it from a backup copy.
Delete — Deletes the file referenced by the selected message. The file name is
recorded in the log, so that you can restore it from a backup copy.
Move File to — Moves the file referenced by the selected message, to the folder
you select from the dialog box.
On-Demand Scan Progress dialog box

The On-Demand Scan Progress dialog box displays when the on-demand scanner
is performing tasks. The lower pane shows viruses detected during the on-demand
scan operation.
Figure 4-18. On-Demand Scan Progress- Virus detected
1 Take action on the detected virus using one of these methods:

Right-click the name of the file in the lower pane and select an action that
you want to take from the menu.
Highlight the name of the file in the lower pane and select an action to take
from the Scan menu.
2 When you have finished taking actions on all the virus detections in the list,
select Exit from the Scan menu to close the dialog box.

E-mail Scanning
5
The e-mail scanner provides you with two methods of scanning e-mail folders,
attachments, and message bodies for either a local host or a remote host:
The on-delivery e-mail scanner examines e-mail messages and attachments as

they are delivered, if Microsoft Outlook is running. You can configure and run
the on-delivery e-mail scanner from the VirusScan Console.
The on-demand e-mail scanner examines e-mail messages and attachments as
needed, from Microsoft Outlook. You can configure and run the on-demand
e-mail scanner from Microsoft Outlook.
Use the on-demand e-mail scanner to supplement the protection that the
on-delivery e-mail scanner provides. For example, if you have had Microsoft
Outlook closed or you are installing the VirusScan Enterprise product for the
first time, we recommend running an on-demand e-mail scan first.
On-delivery e-mail scan
On-demand e-mail scan
Product Guide 115

E-mail Scanning

The on-delivery e-mail scanner examines e-mail attachments, and message bodies
as they are delivered to Microsoft Outlook.
WARNING
The on-delivery scanner does not scan incoming e-mail
messages while Microsoft Outlook is offline. If you have had
Microsoft Outlook offline, we recommend running an
on-demand e-mail scan as soon as you bring Outlook online.
See On-demand e-mail scan on page 132 for detailed
instructions.
Configuring the on-delivery e-mail scan for a local or remote host
Configuring the on-delivery e-mail scan properties
Viewing on-delivery e-mail scan results
Configuring the on-delivery e-mail scan for a local or remote host

To configure the on-delivery E-mail Scan from the VirusScan Console for either a
local or remote host.
If you are configuring the E-mail Scan for a local host, skip Step 2 and go to
Configuring the on-delivery e-mail scan properties on page 117.

2 If you are configuring the E-mail Scan for a remote host:
a Select Remote Connection from the Tools menu.
b Type the computer name or click Browse to locate the computer.

c Click OK to return to the VirusScan Console.
Configuring the on-delivery e-mail scan properties

You can configure the on-delivery e-mail scanner to examine e-mail as it is
delivered to Microsoft Outlook.
Advanced properties
Action properties
Alert properties
Report properties
Product Guide 117

E-mail Scanning
Use the options on the Detection tab to specify which attachments and file type
extensions you want to scan.
1 Open the On-Delivery Scan Properties dialog box using one of these methods:
Highlight E-mail Scan in the task list, then click .

Right-click E-mail Scan in the task list and select Properties.
Double-click E-mail Scan in the task list.
NOTE
If Outlook has not been configured, the Outlook configuration
dialog box is launched. If you have not logged on to your
mailbox, you are prompted to log on.
Figure 5-2. On-Delivery Scan Properties — Detection tab
3 Under Scanning of e-mail, Enable Microsoft Exchange (MAPI, IMAP) is selected by

default. Deselect this option if you do not want to perform e-mail scanning.
4 Under Scanning of attachments, select one of these options:
All file types. This option is selected by default. Scan all attachments regardless
of extension.

list.

The maximum number of additional extensions that the on-delivery

e-mail scanner can list is 1,000.
Also scan for macro viruses in all attachments. Scan all attachments,
regardless of extension, for macro viruses. This option is only
available when the Default + additional file types option is selected.
NOTE
Scanning for macro viruses in all attachments could affect
performance.

The maximum number of specified extensions that the on-delivery
NOTE
Excluding file types is not supported for e-mail scanning.
Product Guide 119

E-mail Scanning
Advanced properties
as scanning for unknown program viruses, potentially unwanted programs,
compressed files, and e-mail message bodies.

NOTE
Figure 5-3. On-Delivery Scan Properties — Advanced tab

is a variant of a known virus. Select any combination of these options:

The scanner applies the action you choose on the Actions tab.
those files.
NOTE
Find attachments with multiple extensions. Treat attachments that have

multiple extensions as if they were infected. The scanner applies the action
When you select this option, the E-mail Scan Warning dialog box appears.
E-mail Scan Warning. Read the warning carefully. Click OK to continue

and accept the selection to treat attachments that have multiple
extensions as if they were infected, or click Cancel to deselect the
option.
Figure 5-4. E-mail Scan Warning
Product Guide 121

E-mail Scanning
unwanted.

WARNING


Scan inside archives. This option is selected by default. Examine archive files
and their contents. An archive file is a compressed file that must be
extracted prior to accessing the files within it. Files contained inside
archives are scanned when they are written to disk.
Decode MIME encoded files. This option is selected by default. Detect

Multipurpose Internet Mail Extensions (MIME) encoded files, decode them,
then scan them.
NOTE
6 Under E-mail message body, Scan e-mail message body is selected by default. If
you deselect this option, e-mail message bodies are not scanned.

Action properties

NOTE
Figure 5-5. On-Delivery Scan Properties — Actions tab
Product Guide 123

E-mail Scanning
3 Under When infected attachments found, select the primary action that you
want the scanner to take when a virus is detected.
NOTE
The default primary action is Clean infected attachments.
addition to stop and continue. The additional choices are:
Clean attachment. Allow the infected attachment to be cleaned.
Move attachment. Allow the infected attachment to be moved.
Delete attachment. Allow the infected attachment to be deleted.
Continue scanning. Continue scanning when an infected attachment is

found.
Move infected attachments to a folder. Move infected attachments to a

quarantine folder. The default quarantine folder is named Quarantine. You
can accept the default name for the quarantine folder or type a new name.
NOTE
The quarantine folder is created in the MAPI database and can
be viewed from the Folder List in Microsoft Outlook.
Clean infected attachments. This option is selected by default. The scanner tries
to remove the virus from the infected attachment. If the scanner cannot
remove a virus from an infected attachment, or if the virus has damaged
the attachment beyond repair, the scanner performs the secondary action.
Delete infected attachments. Delete infected attachments as soon as they are

detected. Be sure to enable the Log to file property on the Reports tab, so
that you have a record of which attachments are infected.

4 Under If the above Action fails, select the secondary action that you want the
NOTE
The default secondary action is Move infected attachments to a
folder.

This option is disabled if you selected Clean attachment as the
primary action.
Move attachment. Allow the infected attachment to be moved. This
option is disabled if you selected Move attachment as the primary
action.

This option is disabled if you selected Delete attachment as the
primary action.
Move infected attachments to a folder. This option is selected by default. Move

infected attachments to a quarantine folder. The default quarantine folder
is named Quarantine. You can accept the default name for the quarantine
folder or type a new name.
NOTE
The Quarantine folder is created in the MAPI database and can

Product Guide 125

E-mail Scanning
Alert properties
Use the options on the Alerts tab to configure how to warn users that an infected
e-mail message or attachment has been detected.

NOTE
2 Select the Alerts tab.
Figure 5-6. On-Delivery Scan Properties — Alerts tab

3 Under E-mail alert, specify how you want to notify the mail sender and another
user when an infected mail message is detected. You have these options:
Return reply mail to sender. To send a return reply to the sender.
If you select this option, click Configure to open the Return Mail
Configuration dialog box.
Figure 5-7. E-mail Scan — Return Mail Configuration
Type the message you want to send, then click OK.

Send alert mail to user. Send an e-mail alert to another user.
If you select this option, click Configure to open the Send Mail
Figure 5-8. E-mail Scan — Send Mail Configuration
Product Guide 127

E-mail Scanning
5 Under If Prompt for Action is selected, specify how you want to notify users
when an infected e-mail is detected. You have these options:
Display custom message. This option is selected by default. Notify the user
with a custom message. If you select this option, you can type the custom
message in the text box.
Sound audible alert. This option is selected by default. Notify the user with an
audible alert.
Report properties
location and size, and what information you want to capture for each log entry.
NOTE
computer. See Viewing the on-delivery e-mail activity log on
page 132 for more information.

NOTE

Figure 5-9. On-Delivery Scan Properties — Reports tab
Log to file. This option is selected by default. Record on-delivery e-mail

scanning virus activity in a log file.
NOTE
EMAILONDELIVERYLOG.TXT file in this folder:
NOTE
Product Guide 129

E-mail Scanning
4 Under What to log, select the additional information that you want to record in
the log file:
Date and time. This option is selected by default. Record the date and time
when a virus is detected.
logged on to e-mail at the time the scanner records each log entry, in the
log file.
Viewing on-delivery e-mail scan results

You can view the results from your scanning operation in the statistics summary
and the activity log.
Viewing on-delivery e-mail scan statistics
Viewing the on-delivery e-mail activity log

Viewing on-delivery e-mail scan statistics

The On-Delivery E-mail Scan Statistics summary shows the number of files that the
scanner examined, the number of viruses it found, and the actions it took in
response.
2 Use either of these methods to open the On-Delivery E-mail Scan Statistics
dialog box:
Highlight the e-mail scan task in the task list, then select Statistics from the
Task menu.
Right-click the e-mail scan task in the task list and select Statistics.
Figure 5-10. On-Delivery E-mail Scan Statistics
The On-Delivery E-mail Scan Statistics dialog box shows the Last attachment
scanned in the upper pane, and a statistical summary in the lower pane.
If your scan is still in progress, it shows the file that the scanner is currently
examining, and the status of the scan operation.
3 You can perform either of these functions if you have administrator rights and
type the password, as required:
Click Disable to deactivate the e-mail on-delivery scanner. This function

toggles between Disable and Enable.
Click Properties to open the On-Delivery E-mail Scan Properties dialog box,
change the scan properties you want to modify, then click Apply to save
your changes.
The scan runs with your new settings immediately.
4 When you have finished viewing scan statistics, click Close.
Product Guide 131

E-mail Scanning
Viewing the on-delivery e-mail activity log

The on-delivery scan activity log shows specific details about the scanning
operation. For example, it shows the number of files that the scanner examined, the
number of viruses it found, and the actions it took in response.
Highlight the e-mail scan task, then select Activity Log from the Task menu.
Right-click the e-mail scan task in the task list and select View Log.

The on-demand e-mail scan task can be run directly from Microsoft Outlook, as
needed, to scan selected messages and attachments. Use the on-demand e-mail
scanner to supplement the on-delivery e-mail scanner after periods of time when
Microsoft Outlook has been closed.
NOTE
If Microsoft Outlook was open during the VirusScan
Enterprise installation, we recommend restarting Microsoft
Outlook after the installation process completes.
Configuring the on-demand e-mail task
Running the on-demand e-mail task
Viewing on-demand e-mail scan results
Configuring the on-demand e-mail task

You can use Microsoft Outlook to configure the on-demand e-mail scan task that
scans messages and attachments.
Advanced properties
Action properties
Alert properties
Report properties

Use the options on the Detection tab to specify which attachments and file type
extensions you want to scan.
1 Start Microsoft Outlook.
2 Use one of these methods to open the On-Demand E-mail Scan Properties dialog
box:
Select E-mail Scan Properties from the Tools menu.

Click in the Outlook toolbar.
NOTE
If the icon is not visible in the Outlook toolbar, click on the
right side of the standard toolbar, then select the icon.
Figure 5-11. On-Demand E-mail Scan Properties — Detection tab
Product Guide 133

E-mail Scanning
4 Under Messages to scan, specify what messages you want to scan. You have
these options:
All highlighted item(s). This option is selected by default. Scan selected e-mail
messages or folders.
All messages in the Inbox folder. Scan all messages currently in the Inbox
folder and its subfolders.
Scan unread messages only. Scan only unread messages in the Inbox
folder and its subfolders. If you did not select All messages in the Inbox
folder, this option is disabled.
5 Under Attachments to scan, specify what files, folders, or drives that you want
to scan. You have these options:
All file types. This option is selected by default. Scan all attachments regardless
of extension.
list.

The maximum number of additional extensions that the on-demand
Also scan for macro viruses in all attachments. Scan all attachments,
regardless of extension, for macro viruses. This option is only
available when the Default + additional file types option is selected.
NOTE
Scanning for macro viruses in all attachments could affect
performance.


The maximum number of specified extensions that the on-demand

NOTE
Excluding file types is not supported for e-mail scanning.
Advanced properties
as scanning for unknown program viruses, potentially unwanted programs,
compressed files, and e-mail message bodies.
box:
NOTE
Product Guide 135

E-mail Scanning
Figure 5-12. On-Demand E-mail Scan Properties — Advanced tab
is a variant of a known virus. You have these options:

The scanner applies the action you choose on the Actions tab to those files.
those files.
NOTE

Find attachments with multiple extensions. Treat attachments that have

multiple extensions as if they were infected. The scanner applies the action
When you select this option, the E-mail Scan Warning dialog box appears:
E-mail Scan Warning. Read the warning carefully. Click OK to continue

and accept the selection to treat attachments that have multiple
extensions as if they were infected, or click Cancel to deselect the
option.
Figure 5-13. E-mail Scan Warning

unwanted.

WARNING
VirusScan Enterprise does not take action on potentially
unwanted program files or joke programs. Detections are
logged in the log file.
Product Guide 137

E-mail Scanning
Scan inside archives. This option is selected by default. Examine archive files
and their contents. An archive file is a compressed file that must be
extracted prior to accessing the files within it. Files contained inside
archives are scanned when they are written to disk.
Decode MIME encoded files. This option is selected by default. Detect

Multipurpose Internet Mail Extensions (MIME) encoded files, decode them,
then scan them.
NOTE
7 Under E-mail message body, Scan e-mail message body is selected by default. If
you deselect this option, e-mail message bodies are not scanned.

Action properties
box:

NOTE
Figure 5-14. On-Demand E-mail Scan Properties — Actions tab
Product Guide 139

E-mail Scanning
4 Under When infected attachments found, select the primary action that you
want to the scanner to take when a virus is detected.
NOTE
The default primary action is Clean infected attachments.

This option is disabled if you selected Clean attachment as the
primary action.
Move attachment. Allow the infected attachment to be moved. This

option is disabled if you selected Move attachment as the primary
action.

This option is disabled if you selected Delete attachment as the
primary action.
Continue scanning. Continue scanning when an infected attachment is

found.
Move infected attachments to a folder. Move infected attachments to a

quarantine folder. The default quarantine folder is named quarantine. You
can accept the default name for the quarantine folder or type a new name.
NOTE
Clean infected attachments. This option is selected by default. The scanner tries
to remove the virus from the infected attachment. If the scanner cannot
remove a virus from an infected attachment, or if the virus has damaged
the attachment beyond repair, the scanner performs the secondary action.


5 Under If the above Action fails, select the secondary action that you want the
NOTE
The default secondary action is Move infected attachments to a
folder.
Move attachment. Allow the infected attachment to be moved.
Move infected attachments to a folder. This option is selected by default. Move

infected attachments to a quarantine folder. The default quarantine folder
is named quarantine. You can accept the default name for the quarantine
folder or type a new name.
NOTE

Product Guide 141

E-mail Scanning
Alert properties
Use the options on the Alerts tab to configure how to warn users that an infected
e-mail message or attachment has been detected.
box:

NOTE
3 Select the Alerts tab.
Figure 5-15. On-Demand E-Mail Scan Properties — Alerts tab

4 Under E-mail alert, specify how you want to notify the mail sender and another
user when an infected mail message is detected. You have these options:
Return reply mail to sender. To send a return reply to the sender.
If you select this option, click Configure to open the Return Mail
Figure 5-16. E-mail Scan — Return Mail Configuration

Send alert mail to user. Send an e-mail alert to another user.
If you select this option, click Configure to open the Send Mail
Figure 5-17. E-mail Scan — Send Mail Configuration
Product Guide 143

E-mail Scanning
5 Under If Prompt for Action is selected, specify how you want to notify users
when an infected e-mail is detected. You have these options:
Display custom message. Notify the user with a custom message. If you
select this option, you can type the custom message in the text box.
Sound audible alert. Notify the user with an audible alert.
Report properties
location and size, and what information you want to capture for each log entry.
NOTE
tracking virus activity in e-mail and to record which settings
you used to detect and respond to any virus that the scanner
found. You can open the log file from your text editor for later
review. The incident reports recorded in the file can help you
determine which files you need to replace from backup
copies, examine in quarantine, or delete from your computer.
box:

NOTE

Figure 5-18. On-Demand E-mail Scan Properties — Reports tab
Log to file. This option is selected by default. Record on-demand e-mail

scanning virus activity in a log file.
NOTE
EMAILONDEMANDLOG.TXT file in this folder:
Data\Network Associates\VirusScan.
NOTE
Product Guide 145

E-mail Scanning
that you want to record in the log file:
Date and time. This option is selected by default. Record the date and time
when a virus is detected.
logged on to the computer at the time the scanner records each log entry,
in the log file.

Running the on-demand e-mail task

To run your on-demand e-mail task:
2 Use one of these methods to start an on-demand e-mail scan from Microsoft
Outlook:
Select Scan for viruses from the Tools menu.

NOTE
Figure 5-19. On-Demand E-mail Scan
3 Close the dialog box when the on-demand e-mail scan completes.
Product Guide 147

E-mail Scanning
Viewing on-demand e-mail scan results

You can view the results from your scanning operation in the On-Demand E-Mail
Scan dialog box while the scan is running, or in the activity log after the scan
completes.
The following topic is addressed in this section:
Viewing the on-demand e-mail activity log
Viewing the on-demand e-mail activity log

The on-demand e-mail scan activity log shows specific details about the scanning
operation. For example, it shows the number of attachments that the scanner
examined, the number of viruses it found, and the actions it took in response.
1 Navigate to the EMAILONDEMANDLOG.TXT file in this location:
<drive>:Winnt\Profiles\All Users\Application Data\Network

Associates\VirusScan.
2 Open the activity log file.

Virus Alerting
6
VirusScan Enterprise software provides several methods for informing you of the
progress and outcome of scanning activities. For example, you can review the
results of any scan after it has concluded by examining the Activity Log. You can
also see the results of all scans on the VirusScan Enterprise Console. But neither of
these methods notifies you immediately when the scanner detects a virus on the
computer. Although the console also includes a real-time display of scanning
activities, you cannot be watching the screen at all times. Providing you with
immediate notification that a virus has been detected is the function of Alert
Manager, a discrete component that is incorporated into VirusScan Enterprise
software and other Network Associates client/server security and management
solutions.
Alert Manager handles alerts and events generated by your anti-virus software in
real time. In a typical configuration, Alert Manager resides on a central server and
listens for alerts sent to it by client or server anti-virus software applications on the
network. This client software can be workstation or server applications. Alert
Manager allows you to configure two basic aspects of alerting:
Where and how alerts are sent.
What the alert message is.
See the Alert Manager Product Guide for more detailed information.
Configuring Alert Manager
Configuring recipients and methods

Customizing alert messages
Product Guide 149

Virus Alerting

Use the options on the Alert Properties dialog box to determine when and how you
are notified when the scanner detects a virus.
To open the Alert Properties dialog box:
2 Select Alerts from the Tools menu.

The Alerts Properties dialog box appears.
Figure 6-2. Alert Properties
3 Under Which components will generate alerts, select the components that you
want to communicate with Alert Manager. Choose any combination of these
options:
On-Access Scan. This option is selected by default.
On-Demand Scan and scheduled scans. This option is selected by default.
E-Mail Scan. This option is selected by default.
AutoUpdate. This option is selected by default.
Product Guide 151

Virus Alerting
4 Under Alert Manager destination selection, click Destination to open the Alert
Manager Client Configuration dialog box.
Figure 6-3. Alert Manager Client Configuration
You can disable or enable the alerting feature, determine which method of
alerting to use when an event occurs, and specify which server receives alerts.
a Under Alerting Options, specify the alerting method that meets your needs:
Disable Alerting. Do not send an alert when an event occurs.
Enable Alert Manager alerting. This option is selected by default. Activates

the Alert Manager alerting method.
Configure. If you selected Enable Alert Manager alerting, click Configure

to open the Select Alert Manager Server dialog box.
Figure 6-4. Select Alert Manager Server

Under Destination for Alerts, type the location for the Alert Manager
Server to receive alerts, or click Browse to navigate to the location.
Click OK to save your changes and return to the Alert Manager Client
Enable Centralized alerting. Activates the Centralized alerting method.

Centralized alerting provides an alternative to using regular Alert
Manager messages. See Using Centralized Alerting on page 179 for
more information.
NOTE
Due to security issues with shared folders, McAfee
Security recommends that you do not use centralized
alerting.
Configure. If you selected the option to Enable Centralized alerting,
click Configure to open the Central Alerting Configuration dialog box.
Figure 6-5. Centralized Alerting Configuration
Under Destination for Alerts, type the location for the Central Alerting
Shared Directory, or click Browse to navigate to location.
Click OK to save your changes and return to the Alert Manager Client
b Click OK to save your changes and return to the Alert Properties dialog box.
Product Guide 153

Virus Alerting
5 Under Configure the selected Alert Manager:
a Click Alert Messages to configure the Alert Manager Messages. See

Customizing alert messages on page 181 for detailed instructions.
b Click Recipients to configure the Alert Manager Properties. See Configuring

recipients and methods on page 155 for detailed instructions.
c Click Alert Messages to configure the Alert Manager Messages. See

Customizing alert messages on page 181 for detailed instructions.
d When you have finished configuring Alert Manager Properties and Alert
Manager Messages, click OK to close the Alert Properties dialog box.
NOTE
The buttons are disabled if Alert Manager is not installed.

Configuring recipients and methods

In the Alert Properties dialog box, click Recipients to open the Alert Manager
The Alert Manager Properties dialog box allows you to configure the recipients of
alert messages sent out by Alert Manager, and also the method by which those
recipients receive the alert messages. Recipients can be e-mail addresses or
computers on your network. The methods by which recipients receive alert
notifications can include e-mail messages or network pop-up messages.
Figure 6-6. Alert Manager Properties
To configure the recipients for a specific alert method:
1 Click the appropriate tab for a given alert method, such as Logging.
2 Configure the recipients that receive alert notifications using that alert method.
3 Click other tabs to configure recipients for any additional alert methods as
required.
4 When finished, click OK to save the configurations and close the Alert Manager
Product Guide 155

Virus Alerting
For details on configuring specific alert methods and the recipients to which Alert
Manager sends alert messages via those methods, refer to the sections of this
Product Guide:
Viewing the Summary page on page 159

Forwarding alert messages to another computer on page 160
Sending an alert as a network message on page 164
Sending alert messages to e-mail addresses on page 166

Sending alert messages to a printer on page 170
Sending alert messages via SNMP on page 172
Launching a program as an alert on page 173
Logging alert notifications in a computer’s event log on page 175
Sending a network message to a terminal server on page 177. This method is only
available if terminal services are running on the computer where Alert
Manager is installed.
Using Centralized Alerting on page 179
Overview of adding alert methods

The various tabs of the Alert Manager Properties dialog box allow you to configure
alerting methods. As you add each new method to your configuration, you have
two options:
Sending a test message.
Setting the alert priority level for recipients.
Sending a test message

When using the tabs of the Alert Manager Properties dialog box to add new alert
notification recipients, such as a network computer or an e-mail address, you can
test whether the destination can receive the message. To send the selected
destination a test message when configuring that method, click the Test button.
The message should appear at the configured destination if all is configured

correctly.
NOTE
An e-mail alert may take some time to reach its destination,
depending on both your SMTP server and the receiving e-mail
server.

Test messages that do not reach the target

If the target does not receive the message, review the list and confirm, as
applicable, that:
Any communication service required to implement the selected alerting

method, such as e-mail or SNMP, is enabled.
Any device required to transmit or receive the message, such as a modem or

pager, exists and is operational.
Any program that is to be executed in response to virus detection is located at

the path specified and is installed properly.
Any destination printer or computer that you have targeted exists on your
network.
Your network is functioning properly.
The configuration information you have provided is accurate and complete.

Some property pages include secondary pages. For example, the E-Mail
Properties page links to a Mail Settings page. Be certain to review the
information on these secondary pages as well.
If you installed Alert Manager using an account and password, make sure that
the specified account has sufficient rights for the action you are trying to
perform.
Setting the alert priority level for recipients

You can specify a priority level for each recipient that you add to your Alert
Manager configuration. Alert Manager only sends alert notifications of that
priority level or higher to the specified recipient, such as an e-mail address.
This is useful for filtering alert notifications. For example, you may want to record
alert messages of all priority levels to a computer’s event log using the Logging tab
of the Alert Manager Properties dialog box (see Logging alert notifications in a
computer’s event log on page 175). However, you may want Alert Manager to send
only serious alert notifications to a network administrator’s pager via e-mail. To do
this, set separate priority thresholds for your logging and e-mail recipients.
Product Guide 157

Virus Alerting
To set the alert priority level for a specific recipient:
1 On the Properties dialog box for an alert method, click the Priority Level button.
See Figure 6-13 on page 165 for an example.
Figure 6-7. Priority Level
2 In the Priority Level dialog box, drag the slider right or left to set the priority
level.
Drag to the right to send the recipient fewer, higher priority messages. Drag
the slider to the left to send the recipient more alert messages, including lower
priority messages.
3 Click OK to save the priority settings.

NOTE
On the Priority Level dialog box, you can specify the priority
level for specific recipients, such as a computer on a network
or an e-mail address. However, you cannot set the priority of
individual alert messages here. For information on setting the
priority levels of individual alert messages, see Customizing
alert messages on page 181.

Viewing the Summary page

The Summary tab of the Alert Manager Properties dialog box lists the recipients to
which Alert Manager sends any alert notifications it receives. Recipients are
grouped by alert method.
Figure 6-8. Alert Manager Properties — Summary tab
Click next to each listed alert method to display the recipient computers,
printers, or e-mail addresses. To remove an alert notification recipient, select it,
then click Remove. To change the configuration options for a listed recipient, select
it, then click Properties to open the Properties dialog box for that alert method.
When you install Alert Manager, it is by default configured to send pop-up

network message to the computer on which it is installed and to log alert
notifications in that computer’s event log. If you have not yet configured Alert
Manager to send alert notifications to any recipients, the Summary tab displays
only these two methods. Alert Manager sets priority levels for these two default
methods to send alert notifications of all priorities except for the lowest,
Informational. See Setting the alert priority level for recipients on page 157 for details
on priority.
The following sections describe the options available for each method.
Product Guide 159

Virus Alerting
Forwarding alert messages to another computer

Alert Manager can forward the alert messages received from McAfee anti-virus
client or server products to another computer on your network that has Alert
Manager installed. Typically, you would do this when you want to forward
messages to another Alert Manager server for further distribution.
NOTE
Alert Manager 4.7 can only forward alert notifications to, and
receive alerts forwarded from, servers running the same
version of Alert Manager. Forwarding alert notifications
between servers running older versions of Alert Manager is
not supported.
These topics are included in this section:
Forwarding alerts in a large organization.
Forwarding alerts in a small organization.
Configuring alert forwarding options.

Forwarding alerts in a large organization

In a large organization you can use the forwarding feature to send alert
notifications to a central notification system or to an MIS (Management
Information System) department for tracking virus statistics and problem areas.
Also, large organizations tend to be spread out geographically, often with offices
in several different countries. In this case, you may want to use a single Alert
Manager installed on a local server to handle alerting for that local subnetwork.
You can then configure that local Alert Manager server to forward high priority
alert notifications to another server in another part of your network for further
distribution.
Figure 6-9. Forward alerts to another Alert Manager
To do this, configure the local Alert Manager to forward alerts to the computer
where the second Alert Manager is installed. You then need to configure the
second Alert Manager to distribute alert notifications as desired. See Configuring
alert forwarding options on page 162 for instructions.
Product Guide 161

Virus Alerting
Forwarding alerts in a small organization

In a small organization, forwarding can also be useful. Suppose, for example, you
want to send all high priority alert notifications to a specific pager via e-mail, but
only one server on your network has direct Internet access.
To satisfy this requirement:
1 Configure Alert Manager on each Alert Manager server to forward high

priority alert messages to the modem-equipped computer.
2 Configure Alert Manager on the modem-equipped computer to send high

priority messages to the target pager’s e-mail address.
Configuring alert forwarding options

To configure forwarding options:
1 From the Alert Manager Properties dialog box, click the Forward tab.
The Forward page appears with a list of all of the computers you have chosen
to receive forwarded messages. If you have not yet chosen a destination
computer, this list is blank.
Figure 6-10. Alert Manager Properties — Forward tab

2 To update this list, you can do any of the following:
To add a computer, click Add to open the Forward Properties dialog box,
then type the name of the computer that receives forwarded messages in
the text box. You can type the computer name in Universal Naming
Convention (UNC) notation, or click Browse to locate the computer on the
network.
To remove a listed computer, select one of the destination computers

listed, then click Remove.
To change configuration options, select one of the destination computers

listed, then click Properties. Alert Manager opens the Forward Properties
dialog box. Type the name of the computer to which you want Alert
Manager to forward messages, or click Browse to locate the computer on
the network.
Figure 6-11. Forward Properties
3 Click Priority Level to specify which types of alert messages the destination
computer receives. See Setting the alert priority level for recipients on page 157.
4 Click Test to send the destination computer a test message. See Sending a test
message on page 156.
5 Click OK to return to the Alert Manager Properties dialog box.
Product Guide 163

Virus Alerting
Sending an alert as a network message

Alert Manager can send alert messages to other computers. A standard message
appears as a pop-up box on the recipient computer’s screen and requires the
recipient to acknowledge it.
It is not necessary for the recipient computers to have Alert Manager installed.
However, you might need to have the appropriate messaging client software for
your operating system running on the recipient computer. This messaging
software is always pre-installed on newer versions of the Windows operating
system, such as Windows NT, Windows 2000, and Windows XP. This service is
usually running by default.
To configure Alert Manager to send alert notifications as network messages:
1 Open the Alert Manager Properties dialog box.
2 Click the Network Message tab. The Network Message page appears with a list
of the computers that you have configured to receive a network message. If
you have not yet chosen a recipient computer, this list is blank.
Figure 6-12. Alert Manager Properties — Network Message tab

To add a computer, click Add to open the Network Message Properties

dialog box. You can specify a recipient computer in one of two ways. You
can type the name of the computer directly into the Computer: text box in
UNC format, or you can select Browse to locate the computer on the
network.
To remove a listed computer, select one of the recipient names listed, then
click Remove.
To change configuration options, select one of the recipient names listed,

then click Properties. Alert Manager opens the Network Message Properties
dialog box. Change the information in the Computer: text box as necessary.
Figure 6-13. Network Message Properties
4 Click Priority Level to specify which types of alert messages the recipient
receives. See Setting the alert priority level for recipients on page 157.
5 Click Test to send the recipient a test message. See Sending a test message on
page 156.
Product Guide 165

Virus Alerting
Sending alert messages to e-mail addresses

Alert Manager can send alert messages to a recipient’s e-mail address via Simple
Mail Transfer Protocol (SMTP). Alert messages appear in the recipient’s mail box.
If your message is particularly urgent, you can supplement an e-mail message with
other methods, such as pop-up network messages, to ensure that your recipient
sees the alert in time to take appropriate action.
NOTE
An e-mail alert may take some time to reach its destination,
depending on both your SMTP server and the receiving e-mail
server.
To configure Alert Manager to send e-mail alert notifications to recipients:
2 Click the E-Mail tab.
The E-Mail page appears with a list of the e-mail addresses that you have
chosen to receive alert messages. If you have not yet chosen an e-mail address,
this list is blank.
Figure 6-14. Alert Manager Properties — E-Mail tab

To add an e-mail address to the list, click Add to open the E-Mail Properties
dialog box. Type the e-mail address for your alert notification recipient in
the Address text box, type a subject in the Subject text box, then type your
e-mail address in the From text box. Use the standard Internet address
format <user name>@<domain>, such as administrator_1@mail.com.
To control the truncation of longer messages, for example, a message

containing a very long file and path name, append the address with a “*”,
like this: administrator_1@mail.com*. For more information, see Forcing
truncation of messages sent to specific e-mail addresses on page 169.
To remove a listed address, select one of the e-mail addresses listed, then
click Remove.
To change configuration options, select one of the e-mail addresses listed,

then click Properties. Alert Manager opens the E-Mail Properties dialog box.
Change the information in the text boxes as necessary.
Figure 6-15. E-Mail Properties
Product Guide 167

Virus Alerting
4 Click Mail Settings to specify the network server you use to send Internet mail
via SMTP.
NOTE
You must click Mail Settings and specify an SMTP server to be
able to send e-mail alert notifications. Do not skip this step.
Also, after configuring your SMTP mail settings the first time,
you are not be required to configure them again unless your
SMTP mail server information changes.
Figure 6-16. SMTP Mail Settings
a In the dialog box that appears, type the mail Server. You can type the server
name as an Internet Protocol (IP) address, as a name your local domain
name server can recognize, or in Universal Naming Convention (UNC)
notation.
b If your SMTP server requires it, type a Login name to use for the mail
server.
NOTE
Only type a login name in the Login field if your SMTP mail
server is configured to use a login. Check your SMTP
configuration to see if this is required. Typing a login name
here when your mail server is not configured to use it may
cause problems with e-mail alerting.
c Click OK to return to the E-Mail Properties dialog box.

6 Click Test to send the recipient computer a test message. See Sending a test
7 If the test message is successful, click OK to return to the Alert Manager
Forcing truncation of messages sent to specific e-mail addresses

Sometimes alert notification messages can become very long, particularly when
containing %FILENAME% system variables populated with file names containing
very long path information. Very long messages containing long file and names
can be confusing and inconvenient. For example, when e-mail messages are sent to
a pager, some pager services truncate long messages abruptly, potentially
removing important information from the message. On the other hand, if a very
long message does get through to a pager, the recipient might be forced to scroll
through lines of path information in a file name to get to the critical information
contained in the alert.
You have two options for managing long messages in e-mail alert notifications:
Append e-mail addresses with an asterisk (*), such as

administrator_1@mail.com*. Alert Manager truncates alerts sent to e-mail
addresses that are appended with an asterisk according to the current system
SMTP message length settings. The default SMTP length is 240 characters.
This is particularly valuable if Alert Manager sends alerts to pagers via e-mail.
Some pager services have a short message length limit, for example 200
characters. If a message is intended to be delivered to a pager via an e-mail
address, appending the address with an asterisk (*) lets you, instead of the
pager company, control where the message is truncated.
You can also edit the message text in the Alert Manager Messages dialog box to
make sure important message content is preserved in truncated messages. To
do this, you could either abbreviate some parts of the message or move critical
information to the beginning of the message, perhaps leaving long file names
for the end of the message.
Product Guide 169

Virus Alerting
Sending alert messages to a printer

Alert Manager can send alert notifications to a printer to print hardcopy messages.
To configure Alert Manager to send alert notifications to a print queue:
2 Click the Printer tab.
The Printer page appears with a list of all of the printer queues that you have
chosen to receive alert messages. If you have not yet chosen a printer queue,
this list is blank.
Figure 6-17. Alert Manager Properties — Printer tab

To add a print queue to the list, click Add to open the Printer Properties
dialog box, then type the name of the print queue to which you want to
send messages. You can type the print queue name or you can click Browse
to locate the printer on the network.
To remove a listed print queue, select one of the printers listed, then click
Remove.
To change configuration options, select one of the printers listed, then click
Properties. Alert Manager opens the Printer Properties dialog box. Change
the information in the Printer text box as necessary.
Figure 6-18. Printer Properties
4 Click Priority Level to specify which types of alert notifications the recipient
printer receives. See Setting the alert priority level for recipients on page 157.
5 Click Test to send the recipient printer a test message. See Sending a test message
on page 156.
Product Guide 171

Virus Alerting
Sending alert messages via SNMP

Alert Manager can send alert messages to other computers via the Simple Network
Management Protocol (SNMP). To use this option, you must install and activate
the Microsoft SNMP service on your computer; see your operating system
documentation for details. To view the alert messages that the client anti-virus
software sends, you must also have an SNMP management system configured
properly with an SNMP viewer. To set up and configure your SNMP management
system, see the documentation for your SNMP management product.
Figure 6-19. Enable SNMP alerting
To configure the scanner to send alert messages via SNMP:
2 Click the SNMP tab.
3 Select Enable SNMP traps.
4 If Alert Manager is installed on a computer running the Windows NT 4

operating system, you can click Configure SNMP to display your Windows
Network dialog box and configure the Microsoft SNMP service. See your
operating system documentation for details.
6 Click Test to send the recipient computer a test message via SNMP. See Sending
a test message on page 156.

7 Click OK to save your changes and return to the Alert Manager Properties dialog
box.
Launching a program as an alert

Whenever Alert Manager receives an alert that a virus has been detected, it can
automatically start any executable program on your computer or anywhere on
your network. By default, Alert Manager runs VIRNOTFY.EXE, which is installed in
your Alert Manager installation folder. VIRNOTFY.EXE displays names of infected files
in a scrolling dialog box on the screen of the computer where Alert Manager is
installed.
NOTE
Alert Manager only launches a program when it receives
alerts specifically pertaining to viruses. The %VIRUSNAME% and
%FILENAME% system variables must be present in the alert
message. See Using Alert Manager system variables on page 185.
Alert Manager does not start a program unless these fields are
present in the alert, regardless of the priority level set for the
Program method. See Setting the alert priority level for recipients
on page 157 for more information about priority levels.
To configure Alert Manager to execute a program when it finds a virus:
2 Click the Program tab to open the Program page.
Figure 6-20. Alert Manager Properties — Program tab
Product Guide 173

Virus Alerting
3 Select Execute Program.
4 Type the path and file name of the executable program that you want to run
when your anti-virus software finds a virus, or click Browse to locate the
program file on your computer or network.
5 Select one of the following:
To start the program only when your anti-virus software first finds a
specific virus, click First Time.
To start the program each time the scanner finds a virus, click Every Time.
NOTE
If you select First time, the program you designate starts as
soon as the scanner initially encounters a specific virus, for
example VirusOne. If the scanner finds more than one
occurrence of VirusOne in the same folder, it does not start the
program again. However, if, after encountering VirusOne, the
scanner then encounters a different virus (VirusTwo), then
encounters VirusOne again, the program starts in response to
each encounter, in this example, three times in a row. Starting
multiple instances of the same program might cause your
server to run out of memory.
Remember that the Program method does not run a program unless the alert
pertains specifically to viruses. In other words, the alert must contain the
%VIRUSNAME% and %FILENAME% system variables. All other alerts, regardless of
priority level, are ignored.

Logging alert notifications in a computer’s event log

Alert Manager can log alert messages to the local event log on your computer or
the event log of another computer on your network.
To configure logging options:

2 Click the Logging tab.
The Logging page appears with a list of all of the computers you have chosen
to receive messages for logging. If you have not yet chosen a recipient
computer, this list is blank.
Figure 6-21. Alert Manager Properties — Logging tab
Product Guide 175

Virus Alerting
To add a computer, click Add to open the Logging Properties dialog box,
then type the name of the computer that receives forwarded messages in
the text box. You can type the computer name in Universal Naming
Convention (UNC) notation, or you can click Browse to locate the
computer on the network.
To remove a listed computer, click the computer in the list and click the
Remove button.
To change configuration options, select one of the recipient computers

listed, then click Properties. Alert Manager opens the Logging Properties
dialog box. Type the name of the computer to which you want Alert
Manager to forward messages for logging. Click Browse to locate the
destination computer.
Figure 6-22. Logging Properties

Sending a network message to a terminal server

Alert Manager can send alert messages to a terminal server. Pop-up network
messages display to the user whose session originated the alert.
The Alert Manager Properties dialog box only displays the Terminal Server tab if the
computer on which Alert Manager is installed is a terminal server.
To configure Alert Manager to send a message to a terminal server:

2 Click the Terminal Server tab.
Figure 6-23. Alert Manager Properties — Terminal Server tab
3 To enable terminal server alerting, select Enable alerting to client.
Product Guide 177

Virus Alerting
4 Click Test to send the recipient computer a test message. The Select client for
test message dialog box appears, listing the current terminal server user
sessions for that computer.
Figure 6-24. Send a terminal server user a test message
5 Select a user from the list and click OK to send that user a test message and
return to the Alert Manager Properties dialog box.
6 Click Priority Level to specify which types of alert messages the terminal server
users should receive. See Setting the alert priority level for recipients on page 157.
7 Click OK to save the terminal server settings and return to the Alert Manager

Using Centralized Alerting

Centralized Alerting provides an alternative to using regular Alert Manager
messaging. With centralized alerting, alert messages generated by anti-virus
software, such as VirusScan Enterprise, are saved to a shared folder on a server.
Then, Alert Manager is configured to read alert notifications from that same folder.
When the contents of the shared folder change, Alert Manager sends new alert
notifications using whatever alerting methods Alert Manager is already
configured to use, such as sending e-mail messages to a pager.
WARNING
Due to security issues with shared folders, McAfee Security
recommends that you do not use centralized alerting. Instead,
you should configure your client anti-virus software to use the
regular Alert Manager alert notification methods.
To use centralized alerting:
1 Configure the anti-virus software on client computers to send alert messages

to the appropriate alert folder. See your anti-virus software documentation for
instructions on how to do this.
NOTE
To allow other workstations on your network to send
messages to this folder, you must give file scan, write, create
and modify permissions for this folder to all users and
computers. See your operating system documentation for
details.
2 Make sure that all your users and computers are able to read and write to this
shared alert folder. If the folder is located on a computer running Windows
NT, you must properly configure a null session share. See your operating
system documentation for details.
Product Guide 179

Virus Alerting
3 Configure Alert Manager to monitor the centralized alert folder for activity. To
do this:
a From the Alert Manager Properties dialog box, select Centralized Alert tab.
Figure 6-25. Centralized Alerting Properties
b Select Enable centralized alerts.

c Type the location of the alert folder or click Browse to locate a folder
elsewhere on your server or on the network. This must be the same folder
to which your anti-virus software on client computers is using for
centralized alerts (see Step 1). The default location of the alert folder is:
C:\Program Files\Network Associates\Alert Manager\Queue\.
6 Click OK to save your centralized alerting settings and return to the Alert
Manager Properties dialog box.

Customizing alert messages

Alert Manager comes with a wide range of alert messages suited to nearly all of the
situations you may encounter when a virus is detected on a computer in your
network. The alert messages include a preset priority level and incorporate system
variables that identify the infected file and system, the infecting virus, and other
information that you can use to get a quick but thorough overview of the situation.
To suit your own circumstances, you can enable or disable individual alert
messages or change the contents and priority level for any message. Because Alert
Manager still activates the alert message in response to specific trigger events, you
should try to retain the overall sense of any alert messages you choose to edit.
Use the Alert Manager Messages dialog box to customize alert messages. See
Configuring Alert Manager on page 150 for details on how to access the Alert
Manager Messages dialog box.
Figure 6-26. Alert Manager Messages
From here, you can do either of the following:
Enabling and disabling alert messages.

Editing alert messages.
Product Guide 181

Virus Alerting
Enabling and disabling alert messages

Although VirusScan Enterprise can alert you whenever your anti-virus software
finds a virus or whenever nearly any aspect of its normal operation changes
significantly, you might not want to receive alert messages in each of these
circumstances. Use the Alert Manager Messages dialog box to disable specific alert
messages that you do not want to receive.
Next to each alert listed in the Alert Manager Messages dialog box is a checkbox. If
this is selected, the alert is enabled. If it is not selected, it is disabled. By default, all
of the available alert messages are enabled.
To enable or disable alert messages:
1 Select or deselect the corresponding checkbox for any alert messages you want
to enable or disable.
2 Click OK to save your changes and close the Alert Manager Messages dialog
box.
Editing alert messages

You can edit alert messages in the following two ways:
Changing alert priority.
Editing alert message text.

Changing alert priority

Some of the alerts that Alert Manager receives from your client anti-virus software
require more immediate attention than others. A default priority level is set for
each alert message, corresponding to the urgency most system administrators
would assign them. You can reassign these priority levels to suit your own needs.
Use them to filter the messages that Alert Manager sends to your recipients so your
recipients can concentrate on the most important ones first.
To change the priority level assigned to an alert message:
1 On the Alert Manager Messages dialog box (see Customizing alert messages on
page 181), click a message in the list once to select it.
2 Click Edit to open the Edit Alert Manager Message dialog box.
Figure 6-27. Edit the priority and text of an alert message
3 Choose a priority level from the Priority list. You can assign each alert message
a Critical, Major, Minor, Warning, or Informational priority.
The icons shown beside each message listed in the Alert Manager Messages
dialog box identify the priority level currently assigned to a message. Each icon
corresponds to a choice in the Priority drop-down list. The priority levels are:
Critical. Indicates your anti-virus software detected viruses in files that
could not be cleaned, quarantined or deleted.
Major. Indicates either that successful virus detection and cleaning has
occurred or that serious errors and problems that might cause your
anti-virus software to stop working. Examples include “Infected file
deleted,” “No licenses are installed for the specified product,” or “Out of
memory!”
Minor. Indicates lesser detection or status messages.
Warning. Indicates status messages that are more serious than

informational messages. These often relate to non-critical problems
encountered during the anti-virus scan.
Product Guide 183

Virus Alerting
Informational. Indicates standard status and informational messages,

such as “On-Access scan started” or “Scan completed. No viruses found.”
As you reassign the priority for a message, the icon beside it changes to show
its new priority status.
4 Click OK.
Filtering messages by priority level

To filter your messages, configure each alert method you have set up in Alert
Manager to accept only messages of a certain priority. For example, suppose you
want to have Alert Manager page you whenever your client anti-virus software
finds a virus on your network, but do not want it to send routine operational
messages. To do this, you would assign a Critical or Major priority to virus alerts,
and a Minor, Warning, or Informational priority to the routine informational
messages. Then, configure Alert Manager to send only high priority messages to
the e-mail address that goes to your pager.
See Setting the alert priority level for recipients on page 157 for information about
applying priority level filters for specific recipients.
Editing alert message text

To help you respond to a situation that requires your attention, Alert Manager
includes enough information in its messages to identify the source of whatever
problem it has found and some information about the circumstances in which it
found the problem. You can edit the message text as desired. For example, you can
add comments to the alert message that describe more about the problem or list
support contact information.
NOTE
Although you can edit the alert message text to state what you
want, you should try to keep its essence intact, because Alert
Manager sends each message only when it encounters certain
conditions. Alert Manager sends the “task has started” alert
message, for example, only when it starts a task.
To edit the alert message text:
1 From the Alert Manager Messages dialog box, click the alert message in the list
to select it.
2 Click Edit to open the Edit Alert Manager Message dialog box.
3 Edit the message text as desired. Text enclosed in percentage signs, such as
%COMPUTERNAME%, represents a variable that Alert Manager replaces with text
at the time it generates the alert message. See Using Alert Manager system
variables on page 185.
4 Click OK to save your changes and return to the Alert Properties dialog box.

Using Alert Manager system variables

Alert Manager 4.7 includes system variables that you can use in alert message text.
These variables refer to system features like system date and time, file names, or
computer names. When sending alert notifications, Alert Manager dynamically
replaces the variable with a specific value.
For example, the major alert Infected file successfully cleaned (1025) listed in the
Alert Manager Messages dialog box is by default set to the following:
The file %FILENAME% was infected with %VIRUSNAME% %VIRUSTYPE%. The file
was successfully cleaned with Scan engine version %ENGINEVERSION% and
DAT version %DATVERSION%.
When this alert is sent to Alert Manager from an anti-virus application, Alert
Manager dynamically populates the system variables with real values, for example
displaying MYDOCUMENT.DOC for the %FILENAME% variable.
Some of the most commonly-used system variables are:
%DATVERSION% The version of the current DAT files used by the

antivirus software that generated the alert.
%ENGINEVERSION% The version of the current antivirus engine used by
the antivirus software to detect an infection or
other problem.
%FILENAME% The name of a file. This could include the name of
an infected file it found, or the name of a file it
excluded from a scan operation.
%TASKNAME% The name of an active task, such as an On-Access
scan or AutoUpdate task in VirusScan Enterprise.
Alert Manager might use this to report the name of
the task that found a virus, or the name of a task
that reported an error during a scan operation.
%VIRUSNAME% The name of an infecting virus.
%DATE% The system date of the Alert Manager computer.
%TIME% The system time of the Alert Manager computer.
%COMPUTERNAME% The name of a computer as it appears on the
network. This could include an infected computer,
a computer that reported a device driver error, or
any other computer with which the program
interacted.
%SOFTWARENAME% The file name of an executable file. This could
include the application that detected a virus, an
application that reported an error, or any other
application with which the program interacted.
Product Guide 185

Virus Alerting
%SOFTWAREVERSION% The version number taken from an active software

package. This could include the application that
detected a virus, an application that reported an
error, or any other application with which the
program interacted.
%USERNAME% The login name of the user currently logged on to
the server. This can, for instance, inform you if
somebody cancelled a scan.
WARNING
Be careful when editing message text to include system
variables that might not be used by the event generating that
alert message. Using system variables in alerts that do not use
that system variable field could cause unexpected results,
including garbled message text or even a system crash.
Following is a complete list of the Alert Manager system variables that can be used
in Alert Manager messages:
%ACCESSPROCESSNAME% %NOTEID% %RESOLUTION%

%CLIENTCOMPUTER% %NOTESDBNAME% %SCANRETURNCODE%
%COMPUTERNAME% %NOTESSERVERNAME% %SEVERITY%
%DATVERSION% %LANGUAGECODE% %SHORTDESCRIPT%
%DOMAIN% %LOCALDAY% %SOFTWARENAME%
%ENGINESTATUS% %LOCALHOUR% %SOFTWAREVERSION%
%ENGINEVERSION% %LOCALMIN% %SOURCEIP%
%EVENTNAME% %LOCALMONTH% %SOURCEMAC%
%FILENAME% %LOCALSEC% %SOURCESEG%
%GMTDAY% %LOCALTIME% %TARGETCOMPUTERNAME%
%GMTHOUR% %LOCALYEAR% %TARGETIP%
%GMTMIN% %LONGDESCRIPT% %TARGETMAC%
%GMTMONTH% %MAILCCNAME% %TASKID%
%GMTSEC% %MAILFROMNAME% %TASKNAME%
%GMTTIME% %NUMCLEANED% %TRAPID%
%GMTYEAR% %NUMDELETED% %TSCLIENTID%
%INFO% %NUMQUARANTINED% %URL%
%MAILIDENTIFIERINFO% %NUMVIRS% %USERNAME%
%MAILSUBJECTLINE% %OBRULENAME% %VIRUSNAME%
%MAILTONAME% %OS% %VIRUSTYPE%
%PROCESSORSERIA%

Updating
7
The VirusScan Enterprise software depends on information in the virus definition
(DAT) files to identify viruses. Without updated files, the product software might
not detect new virus strains or respond to them effectively. Software that is not
using current DAT files can compromise your virus-protection program.
New viruses appear at the rate of more than 500 per month. To meet this challenge,
McAfee Security releases new DAT files every week, incorporating the results of its
ongoing research into the characteristics of new or mutated viruses. The
AutoUpdate feature makes it easy to take advantage of this service. It allows you
to download the latest DAT files, scanning engine, and EXTRA.DAT simultaneously,
using an immediate or scheduled update.
Update strategies
System variables
AutoUpdate tasks
AutoUpdate repository list
Mirror tasks
Rollback DAT files
Manual updates
Product Guide 187

Updating
Update strategies
Updates can be performed using many methods. You can use update tasks,
manual updates, login scripts, or you can schedule updates with management
tools. This document discusses using the update tools provided in VirusScan
Enterprise and updating manually. Any other implementations are beyond of the
scope of this document.
An efficient updating strategy generally requires that at least one client or server
in your organization retrieve the updates from the Network Associates download
site. From there, the files can be replicated throughout your organization,
providing access for all other computers. Ideally, you should minimize the amount
of data transferred across your network by automating the process of copying the
updated files to your share sites.
For efficient updating, the main factors to consider are the number of clients and
the number of sites. There may be additional considerations that affect your
update schema, for example, the number of systems at each remote site and how
remote sites access the Internet. However, the basic concepts of populating your
share sites and scheduling updates apply to any size organization.
Using an update task to perform updates allows you to:
Schedule network-wide DAT file rollouts at convenient times and with minimal
intervention from either administrators or network users. You might, for
example, stagger your update tasks, or set a schedule that phases in, or rotates,
DAT file updates to different parts of the network.
Split rollout administration duties among different servers or domain

controllers, among different regions of wide-area networks, or across other
network divisions. Keeping update traffic primarily internal can also reduce
the potential for network security breaches.
Reduce the likelihood that you need to wait to download new DAT or upgraded
engine files. Traffic on McAfee computers increases dramatically on regular
DAT file publishing dates and whenever new product versions appear.
Avoiding the competition for network bandwidth enables you to deploy your
new software with minimal interruptions.
For more information about updating and using McAfee Installation Designer or
McAfee AutoUpdate Architect to configure and manage updates, see the
VirusScan Enterprise Updating Implementation Guide.

System variables
System variables
System variables are supported for path definition when configuring AutoUpdate
tasks, mirror tasks, and repositories. Some commonly-used system variables are:
Variable Definition
<COMPUTER_NAME> The name of the computer as it appears on the network.

<USER_NAME> The login name of the user currently logged on to the
computer.
<DOMAIN_NAME> The name of the domain.
<SYSTEM_DRIVE> The name of the system drive. For example:
C:
<SYSTEM_ROOT> The path to the root directory. For example:
C:\WinNT
<SYSTEM_DIR> The path to the system directory. For example:
C:\WinNT\System32
<TEMP_DIR> The path to the temporary directory. For example:
C:\Document and Settings\Administrator\Local
Settings\Temp
<PROGRAM_FILES_DIR> The path to the Program Files directory. For example:
C:\Program Files
<PROGRAM_FILES_COMMON_DIR> The path to the Common Files directory: For example:
C:\Program Files\Common Files
<SOFTWARE_INSTALLED_DIR> The path to the location where the software is installed.
<PP_VAR_NAME> McAfee product variable name. For example:
%ALLUSERSPROFILE%
Product Guide 189

Updating
AutoUpdate tasks
The AutoUpdate task is used to perform scheduled or immediate updates. You can
update DAT files, the scanning engine, and the EXTRA.DAT file. See the VirusScan
Enterprise Updating Implementation Guide for information about downloading
HotFix, Service Pack, SuperDAT package, or .CAB files.
The VirusScan Enterprise product provides a default update task that is scheduled
to update every Friday at 5:00 p.m. with one-hour randomization. The default
update task is named AutoUpdate.You can rename and reconfigure the default
AutoUpdate task. You can also create additional update tasks to meet your
updating requirements.
AutoUpdate task overview
Creating an AutoUpdate task
Configuring an AutoUpdate task
Running AutoUpdate tasks

AutoUpdate tasks
AutoUpdate task overview

The following diagram shows an overview of an AutoUpdate task:
Figure 7-1. AutoUpdate task overview
Product Guide 191

Updating
Creating an AutoUpdate task

To create a new AutoUpdate task:
2 Create a new update task using one of these methods:

Right-click a blank area in the console without selecting an item in the task list,
then select New Update Task.
Select New Update task from the Task menu.
A new update task appears, highlighted, in the VirusScan Console task list.
3 Accept the default task name or type a new name for your task, then press
ENTER to open the AutoUpdate Properties dialog box. See Configuring an
AutoUpdate task on page 193 for detailed configuration information.
NOTE
If you create update tasks via ePolicy Orchestrator 3.0 or later,
and enable task visibility, these update tasks are visible in the
VirusScan Console. These ePolicy Orchestrator tasks are
read-only and cannot be configured from the VirusScan
Console. See the VirusScan Enterprise Configuration Guide for
use with ePolicy Orchestrator 3.0 for more information.

AutoUpdate tasks
Configuring an AutoUpdate task

You can configure and schedule an AutoUpdate task to meet your requirements.
2 Open the AutoUpdate Properties dialog box using one of these methods:
Highlight the task in the console task list, then select Properties from the
Task menu.
Double-click the task in the task list.

Right-click the task in the task list, then select Properties.
Highlight the task in the task list, then click .
Figure 7-2. AutoUpdate Properties — New Update Task
NOTE
Configure the update task before you click either Schedule or
Update Now.
3 In the Log file text box, accept the default log file name and location, type a
different log file name and location, or click Browse to locate a suitable
location. System variables are supported. See System variables on page 189 for
more information.
NOTE
By default, log information is written to the UPDATELOG.TXT
file in this folder:
Product Guide 193

Updating
4 Under Run options, you can specify an executable file to start after the
AutoUpdate task finishes running. For example, you might use this option to
start a network message utility that notifies the administrator that the update
operation completed successfully.
Enter the executable to be run after the Update has completed. Type the path
of the executable you want to run, or click Browse to locate it.
Only run after successful update. Run the executable program only after a
successful update. If the update is not successful, the program you
specified does not run.
NOTE
The program file that you specify must be executable by the
currently logged on user. If the currently logged on user does
not have access to the folder containing the program files, or if
there is no currently logged on user, the program does not
run.
5 Click Schedule to schedule the update task. See Scheduling Tasks on page 221
7 To run the update task immediately, click Update Now.
8 Click OK to close the AutoUpdate Properties dialog box.

NOTE
The update task uses the configuration settings in the
AutoUpdate repository list to perform the update. See
AutoUpdate repository list on page 199 for more information.

AutoUpdate tasks
Running AutoUpdate tasks

Once you have configured your task with the update properties you want, you can
run the update task. The following topics are addressed in this section:
Running the update task
Activities that occur during an update task
Running the update task

Updates can be executed immediately as needed or scheduled for a convenient
time. If the update task is interrupted during execution, it automatically resumes
as follows:
Tasks that are updating from an HTTP, UNC, or local site. If the update task
is interrupted for any reason during the update, the task resumes where it left
off the next time the update task starts.
Tasks that are updating from an FTP site. The task does not resume if
interrupted during a single file download. However, if a task is downloading
several files and is interrupted, the task resumes before the file that was being
downloaded at the time of the interruption.
To run an update task:
2 Run the update task using one of these methods:
Update as scheduled. If you scheduled the update, allow the task to run
unattended.
NOTE
Your computer must be active to run an update task. If your
computer is not operating when the task is scheduled to start,
the task starts at the next scheduled time if the computer is
active, or when the computer starts if you selected the Run
missed task option on the Schedule Settings, Schedule tab.
Update immediately. You can start update tasks immediately using three
methods:
Update Now command for the default update task.
Start command for all update tasks.
Update Now command for all update tasks.
Product Guide 195

Updating
Update Now command for the default update task

You can use Update Now to immediately start the default update task.
NOTE
Update Now only works with the default update task which
was created when you installed the product. You can rename
and reconfigure the default update task, but if you delete the
default task, Update Now becomes disabled.
2 Use one of these methods to perform an immediate update using Update Now:
From the VirusScan Console, select Update Now from the Task menu.
Right-click in the system tray, then select Update Now.
3 When the task finishes, click Close to exit the McAfee Updater dialog box, or
wait for the dialog box to close automatically.
Start command for all update tasks

You can use Start from the VirusScan Console to immediately begin any update
task.
2 Use one of these methods to start an immediate update from the VirusScan
Console:
Highlight the task in the console task list, then select Start from the Task
menu.
Right-click the task in the task list, then select Start.


AutoUpdate tasks
Update Now command for all update tasks

You can use Update Now in the AutoUpdate Properties dialog box to immediately
begin any update task.
2 Open the AutoUpdate Properties dialog box for the selected update task. For
instructions, see Configuring an AutoUpdate task on page 193.
3 Click Update Now in the AutoUpdate Properties dialog box.
Activities that occur during an update task

The following activities occur when you run an AutoUpdate task:
A connection is made to the first enabled repository (update site) in the

repository list. If this repository is not available, the next repository is
contacted, and so on until a connection is made, or until the end of the list is
reached.
An encrypted CATALOG.Z file downloads from the repository. The CATALOG.Z

file contains the fundamental data required to complete updating. This data is
used to determine what files and/or updates are available.
The software versions in the CATALOG.Z are checked against the versions on the
computer. If new software updates are available, they are downloaded.
Once the update is checked into the repository, the update is verified to
confirm that it is applicable to VirusScan Enterprise and that the version is
newer than the current version. Once this is verified, VirusScan Enterprise
downloads the update when the next update task runs.
Product Guide 197

Updating
An EXTRA.DAT file can be used in an emergency to detect a new threat until the new
virus is added to the weekly virus definition file. The EXTRA.DAT file is downloaded
from the repository on each update. This ensures that if you modify and re-check
the EXTRA.DAT in as a package, all VirusScan Enterprise clients download and use
the same updated EXTRA.DAT package. For example, you may use the EXTRA.DAT as
an improved detector for the same virus or additional detection for other new
viruses. VirusScan Enterprise supports using only one EXTRA.DAT file.
NOTE
When you have finished using the EXTRA.DAT file, you should
remove it from the master repository and run a replication
task to ensure it is removed from all distributed repository
sites. This stops VirusScan Enterprise clients from attempting
to download the EXTRA.DAT file during an update.
By default, detection for the new virus in the EXTRA.DAT is

ignored once the new virus definition is added to the weekly
DAT files.
See AutoUpdate task overview on page 191 for a diagram of the updating process.

The update task activity log shows specific details about the updating operation.
For example, it shows the updated DAT file and engine version numbers.
To view the activity log:


The AutoUpdate repository list (SITELIST.XML) specifies repositories and
configuration information necessary to perform an update task.
For example:
Repository information and location.

Repository order preference.
Proxy settings, where required.
Credentials required to access each repository.

NOTE
These credentials are encrypted.
The AutoUpdate repository list (SITELIST.XML) is located at different locations

depending on your operating system.
For example, for Windows NT:

C:\Program Files\Network Associates\Common Framework\Data
For example, for Windows 2000:

C:\Documents and Settings\All Users\Application Data\Network
Associates\Common Framework
AutoUpdate repositories
Configuring the AutoUpdate repository list
Product Guide 199

Updating
AutoUpdate repositories
A repository is a location from which you receive updates.
The VirusScan Enterprise software comes pre-configured with two repositories:
ftp://ftp.nai.com/CommonUpdater
http://update.nai.com/Products/CommonUpdater
The FTP repository is the default site. If you plan to use the FTP repository to
perform updates, you are automatically configured to do so after the VirusScan
Enterprise 7.1.0 installation process completes.
You can use either of these sites to download the latest updates if you are using
VirusScan Enterprise 7.1.0 exclusively, or if you are using VirusScan Enterprise
7.1.0 in a mixed environment with VirusScan 4.5.1 or NetShield 4.5.
You can reorganize the repositories in the list or create new repositories to meet
your requirements. The number of repositories that you need depends on your
updating requirements. See Editing the AutoUpdate repository list on page 201 for
more information.
Configuring the AutoUpdate repository list

You can configure the AutoUpdate repository list (SITELIST.XML) before
installation, during installation, or after installation.
This guide addresses post installation options. See the VirusScan Enterprise
Updating Implementation Guide for more information about installation options.
Importing the AutoUpdate repository list
Editing the AutoUpdate repository list

Importing the AutoUpdate repository list

To import an AutoUpdate repository list from another location:
2 Select Tools|Import AutoUpdate Repository List.
Figure 7-3. Import AutoUpdate Repository List
3 In the Look in box, type the location for the .XML file, or click to navigate to
the location, then select a file.
4 Click Open to import the AutoUpdate repository list.
NOTE
To import a customized AutoUpdate repository list, to specify
source repositories from which to obtain software, or to use
multiple update locations that can replicate from a master
repository, you must use the McAfee AutoUpdate Architect™
utility with VirusScan Enterprise. Refer to the McAfee
AutoUpdate Architect Product Guide for more information.
Editing the AutoUpdate repository list

Use the Edit AutoUpdate Repository List dialog box to add new AutoUpdate
repositories to the list, configure them, edit and remove existing repositories, and
organize the repositories in the list.
Adding and editing repositories
Removing and reorganizing repositories
Specifying proxy settings
Product Guide 201

Updating
Adding and editing repositories

AutoUpdate repositories can be added or edited from the Edit AutoUpdate
Repository List dialog box.
NOTE
You can also create repositories using McAfee AutoUpdate
Architect and export them to VirusScan Enterprise. See the
McAfee AutoUpdate Architect Product Guide for more
information about using it to create and export AutoUpdate
repositories.
AutoUpdate repositories can have a state of Enabled or Disabled.
Enabled — A defined repository that may be used during the AutoUpdate

process.
Disabled — A defined repository that you do not want to access during the
AutoUpdate process.
To add or edit a repository in the AutoUpdate repository list:
2 Select Tools|Edit AutoUpdate Repository List.
3 Select the Repositories tab. The FTP repository is the default download site.
Figure 7-4. Edit AutoUpdate Repository List — Repositories tab

4 Choose from these actions:
To add a repository, click Add to open the Repository Settings dialog box.
To edit a repository, highlight it in the Repository Description list, then click
Edit to open the Repository Settings dialog box.
Figure 7-5. Repository Settings
5 In the Repository description text box, type the name or description for this
repository.
6 Under Retrieve files from, select the repository type or path from these choices:
HTTP repository. This option is selected by default. Use the HTTP repository
location that you designate as the repository from which you retrieve the
update files.
NOTE
An HTTP site, like FTP, offers updating independent of network
security, but supports higher levels of concurrent connections
than FTP.
Product Guide 203

Updating
FTP repository. Use the FTP repository location that you designate as the
repository from which you retrieve the update files.
NOTE
An FTP site offers flexibility of updating without having to
adhere to network security permissions. FTP has been less
prone to unwanted code attack than HTTP, so it may offer
better tolerance.
UNC path. Use the UNC path that you designate as the repository from
which you retrieve the update files.
NOTE
A UNC site is the quickest and easiest to set up. Cross domain
UNC updates require security permissions for each domain,
which makes update configuration more involved.
Local path. Use the local site that you designate as the repository from
which you retrieve the update files.
7 Under Repository details, the information you type depends on the repository
type or path you selected under Retrieve files from. System variables are
supported. See System variables on page 189 for more information. Choose from
the following:
If you selected HTTP repository or FTP repository, see HTTP or FTP

repository details on page 205 for detailed instructions.
If you selected UNC path or Local path, see UNC path or Local path repository
details on page 206 for detailed instructions.

HTTP or FTP repository details

If you selected HTTP or FTP repository:
Figure 7-6. Repository details — HTTP or FTP site
1 Under Repository details, type the path to the repository you selected, the port
number, and specify security credentials for accessing the repository.
URL. Type the path to the HTTP or FTP repository location:
HTTP. Type the location for the HTTP server and folder where the
update files are located. The default McAfee HTTP repository for DAT
file updates is located at:
http://update.nai.com/Products/CommonUpdater
FTP. Type the location for the FTP server and folder where the update
files are located. The default McAfee FTP repository for DAT file
updates is located at:
Product Guide 205

Updating
Port. Type the port number for the HTTP or FTP server you selected.
Use authentication or Use anonymous login. The title differs depending on

whether you have selected HTTP path or FTP path. Specify security credentials
for accessing the repository. Type a User name and Password, then Confirm
password.
NOTE
Download credentials are required for FTP and UNC
repositories, but are optional for HTTP repositories. The
credentials you specify are used by AutoUpdate to access the
repository so that it can download the required update files.
When configuring the account credentials on the repository,
you ensure that the account has read permissions to the folders
containing the update files.
FTP updates support anonymous repository connections.
2 Click OK to save your changes and return to the AutoUpdate Repositories List
dialog box.
UNC path or Local path repository details

If you selected UNC or Local path:
Figure 7-7. Repository details — UNC or Local path

1 Under Repository details, type the path to the repository you selected and
determine whether to use the logged on account or add security by specifying
a user name and password. System variables are supported. See System
variables on page 189 for more information.
Path. Type the path to the location from which you want to retrieve the
update files.
UNC path. Using UNC notation (\\servername\path\), type the path

of the repository where the update files are located.
Local path. Type the path of the local folder in which you have placed
the update files, or click Browse to navigate to the folder.
NOTE
The path can be that of a folder on a local drive or a
network drive.
Use logged on account. Determine which account you want to use:
Select Use logged on account to use the account that is currently

logged on.
Deselect Use logged on account to use a different account, then type

the Domain, User name, Password, and Confirm password.
NOTE
Download credentials are required for FTP and UNC
repositories, but are optional for HTTP repositories. The
credentials you specify are used by AutoUpdate to access the
repository so that it can download the required update files.
When configuring the account credentials on the repository,
you ensure that the account has read permissions to the folders
containing the update files.
With UNC updates, you have the additional option to use the
logged on account. This allows the update task to make use of
the logged on users’ permissions to access the repository.
2 Click OK to save your changes and return to the Repositories tab.
Product Guide 207

Updating
Removing and reorganizing repositories

To remove or reorganize repositories in the repository list:
Figure 7-8. Edit AutoUpdate Repository List — Repositories tab
3 Select the Repositories tab.
4 To remove or reorganize repositories in the repository list, choose from the

following:
To remove a repository, highlight it in the list, then click Delete.

To reorganize the repositories in the list, highlight a repository, then click
Move up or Move down repeatedly until the repository has moved to the
place in the list that you want it.
NOTE
The order in which the repositories are listed, is the order in
which they are accessed during an update operation.

Specifying proxy settings

Proxy servers are commonly used as part of Internet security to mask Internet
users’ computers from the Internet, and improve access speed by caching
commonly accessed sites.
If your network uses a proxy server, you can specify which proxy settings to use,
the address of the proxy server, and whether to use authentication. Proxy
information is stored in the AutoUpdate repository list (SITELIST.XML). The proxy
settings you configure here apply to all the repositories in this repository list.
To specify proxy settings:
3 Select the Proxy settings tab.
Figure 7-9. Edit AutoUpdate Repository List — Proxy settings tab
Product Guide 209

Updating
4 Determine whether you want to use a proxy and, if you do, which settings you
want to use. Choose from these options:
Don’t use a proxy. Do not specify a proxy server. Select this option, then
click OK to save your settings and close the Edit AutoUpdate Repository List
dialog box.
Use Internet Explorer proxy settings. This option is selected by default. Use the
proxy settings for the currently installed version of Internet Explorer.
Select this option, then click OK to save your settings and close the Edit
AutoUpdate Repository List dialog box.
Manually configure the proxy settings. Configure the proxy settings to meet
your specific needs. System variables are supported. See System variables
on page 189 for more information.
Select this option, then type the address and port information for the
repository you selected:
HTTP Address. Type the address of the HTTP proxy server.
HTTP Port. Type the port number of the HTTP proxy server.
FTP Address. Type the address of the FTP proxy server.
FTP Port. Type the port number of the FTP proxy server.
Determine whether to use authentication for either the HTTP or FTP proxy
server you specified. Choose from these options:
Use authentication for HTTP. Select this option to add authentication to

the HTTP proxy, then type the HTTP user name, HTTP password, and
HTTP confirm password.
Use authentication for FTP. Select this option to add authentication to

the FTP proxy server, then type the FTP user name, FTP password, and
FTP confirm password.

5 Click Exceptions to specify proxy exceptions. If you do not want to specify

exceptions, skip this step and go to Step 6.
Figure 7-10. Proxy Exceptions
a Select Specify exceptions, then type the exceptions, using semicolons to

separate the entries.
b Click OK to save your changes and return to the Proxy settings tab.
6 Click OK to save your changes and close the Edit AutoUpdate Repository List
dialog box.
Product Guide 211

Updating
Mirror tasks
The VirusScan Enterprise software relies on a directory structure to update itself.
The mirror task allows you to replicate the update files from the first accessible
repository defined in the repository list, to a mirror site on your network. It is
important to remember to replicate the entire directory structure when mirroring
a site. This directory structure also supports previous versions of VirusScan and
NetShield, as long as the entire directory structure is replicated in the same
locations that VirusScan 4.5.1 used for updating.
The following shows the directory structure in the repository after using a mirror
task to replicate the Network Associates repository:
Figure 7-11. Mirrored site
After you replicate the Network Associates site that contains the update files,
computers on your network can download the files from the mirror site. This
approach is practical because it allows you to update any computer on your
network, whether or not it has Internet access; and efficient because your
computers are communicating with a server that is probably closer than a Network
Associates Internet site, therefore economizing access and download time. The
most common use of this task is to mirror the contents of the Network Associates
download site to a local server.

Mirror tasks
Creating a mirror task
Configuring a mirror task

Running mirror tasks
Viewing the mirror task activity log
Creating a mirror task

You can create a mirror task for each mirror location you need.
To create a new mirror task:
2 Create a mirror task using one of these methods:
Right-click a blank area in the console without selecting an item in the task list,
then select New Mirror Task.
Select New Mirror task from the Task menu.
A new mirror task appears, highlighted, in the VirusScan Console task list.
3 Accept the default task name or type a new name for your task, then press
ENTER to open the AutoUpdate Properties dialog box. See Configuring a mirror
task on page 214 for detailed configuration information.
NOTE
If you create mirror tasks via ePolicy Orchestrator 3.0 or later,
and enable task visibility, these mirror tasks are visible in the
VirusScan Console. These ePolicy Orchestrator tasks are
read-only and cannot be configured from the VirusScan
Console. See the VirusScan Enterprise Configuration Guide for
use with ePolicy Orchestrator 3.0 for more information.
Product Guide 213

Updating
Configuring a mirror task

You can configure and schedule a mirror task to meet your requirements.
2 Open the AutoUpdate Properties dialog box using one of these methods:
Highlight the task in the console task list, then select Properties from
the Task menu.
Double-click the task in the task list.

Right-click the task in the task list, then select Properties.
Figure 7-12. AutoUpdate Properties — New Mirror Task
NOTE
Configure the mirror task before click Schedule or Mirror Now.
3 In the Log file text box, accept the default log file name and location, type a
different log file name and location, or click Browse to locate a suitable
location. System variables are supported. See System variables on page 189 for
more information.
NOTE
By default, log information is written to the
VSEMIRRORLOG.TXT file in this folder:

Mirror tasks
4 Click Mirror Location to open the Mirror Location Settings dialog box:
Figure 7-13. Mirror Location Settings
a Type the path to the destination on the local system that you are using for
the mirror site, or click Browse to navigate to the desired location. System
variables are supported. See System variables on page 189 for more
information.
b Click OK to return to the AutoUpdate Properties dialog box.
5 Under Run options, you can specify an executable file to start after the mirror
task finishes running. For example, you might use this option to start a
network message utility that notifies the administrator that the update
operation completed successfully.
Enter the executable to be run after the Mirror has completed. Type the path
of the executable you want to run, or click Browse to locate it.
Only run after successful mirror. Run the executable program only after a
successful update. If the update is not successful, the program you selected
does not run.
NOTE
The program file that you specify must be executable by the
currently logged on user. If the currently logged on user does
not have access to the folder containing the program files, or if
there is no currently logged on user, the program does not
run.
6 Click Schedule to schedule the mirror task. See Scheduling Tasks on page 221 for
more information about scheduling tasks.
8 To run the mirror task immediately, click Mirror Now.
9 Click OK to close the AutoUpdate Properties dialog box.

NOTE
The Mirror task uses the configuration settings in the
repository list to perform the update. See AutoUpdate
repository list on page 199 for more information.
Product Guide 215

Updating
Running mirror tasks

Once you have configured the mirror task with the properties you want, you can
run the mirror task using one of these methods:
Mirror as scheduled. If you scheduled the mirror task, allow it to run
unattended.
NOTE
Your computer must be active to run a mirror task. If your
computer is not operating when the task is scheduled to start,
the task starts at the next scheduled time if the computer is
active, or when the computer starts if you selected the Run
missed task option on the Schedule Settings, Schedule tab.
Mirror immediately. You can start mirror tasks immediately using two
methods:
Start command for mirror task.
Mirror Now command for mirror tasks.
Start command for mirror tasks

You can use Start from the VirusScan Console to immediately start any mirror task.
2 Use one of these methods to start an immediate mirror task from the VirusScan
Console:
Highlight the task in the console task list, then select Start from the Task
menu.
Right-click the task in the task list, then select Start.

When the task finishes, click Close to exit the McAfee Updater dialog box,
or wait for the dialog box to close automatically.

Rollback DAT files
Mirror Now command for mirror tasks

You can use Mirror Now in the AutoUpdate Properties dialog box to immediately
start any mirror task.
2 Open the AutoUpdate Properties dialog box for the selected mirror task. For
instructions, see Configuring a mirror task on page 214.
3 Click Mirror Now in the AutoUpdate Properties dialog box.
Viewing the mirror task activity log

The mirror task activity log shows specific details about the updating operation.
For example, it shows the updated DAT file and engine version numbers.
Rollback DAT files

Use this feature to roll back the DAT files to the last backed up version, if you find
that the current DAT files are corrupt or incompatible for some reason. When you
update DAT files, the old version is stored in this location:
C:\Program Files\Common Files\Network Associates\Engine\OldDats
When you roll back the DAT files, the current DAT files are replaced with the version
in the OldDats folder, and a flag is set in the registry at this location:
HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan
Enterprise\CurrentVersion\szRollbackedDATS
Once the rollback occurs, you cannot go back to the previous version again. The
next time an update is performed, the DAT version in the registry is compared with
the DAT files in the update repository. If the new DAT files are the same as the ones
flagged in the registry, no update occurs.
Product Guide 217

Updating
To roll back the DAT files:
2 Select Tools|Rollback DATs. The McAfee Updater dialog box opens.
Figure 7-14. Rollback DATs — Update in Progress
3 The rollback appears to be the same as an update, except that the details show
Performing DAT rollback. When the rollback finishes, click Close to exit the
McAfee AutoUpdate dialog box, or wait for the dialog box to close
automatically.
NOTE
When you perform a rollback, the last backup of the DAT files
is restored.

Manual updates
Manual updates
McAfee Security recommends that you use the AutoUpdate task supplied with the
VirusScan Enterprise software to install new DAT file or scanning engine versions.
This utility offers an easy method for correctly updating the DAT files and scanning
engine. To install DAT files yourself, however, you can download DAT and engine
files manually from these update sites:
http:www.networkassociates.com/us/downloads/updates
Regular DAT files. McAfee Security stores these files on its FTP site as .ZIP
archives with the name DAT-XXXX.ZIP. The XXXX in the file name is a series
number that changes with each DAT file release. To download these files, use a
web browser or FTP client to connect with:
Installable .EXE files. McAfee Security stores these files on its web site as a
self-executing setup file named XXXXUPDT.EXE. Here, too, the XXXX is a series
number that changes with each new DAT release. To download these files, use
a web browser to connect with:
http:www.networkassociates.com/us/downloads/updates
Both files contain exactly the same DAT files. The difference between them is in
how you use them to update your copy of the VirusScan Enterprise software.
To use the DAT-XXXX.ZIP archive, you must download the file, extract it from its
archive, copy the files into the DAT folder, then restart the on-access scanner. See
Updating from DAT file archives on page 220 for detailed steps.
To install DAT files that come with their own setup utility, you need only to
download the files to a temporary folder on your hard disk, then run or
double-click the XXXUPDT.EXE file. The setup utility stops the on-access scanner,
copies the files to the correct folder, then restarts the on-access scanner.
NOTE
You may need administrator rights to write to the DAT folder.
Once updated, the new DAT files are picked up by the on-access scanner, the
on-demand scanner, and the e-mail scanner, the next time each scanner starts.
Product Guide 219

Updating
Updating from DAT file archives

To install DAT file updates directly from a .ZIP archive without using AutoUpdate:
1 Create a temporary folder on your hard disk, then copy the DAT file .ZIP archive
you downloaded to that folder.
2 Back up or rename these existing DAT files.
CLEAN.DAT
NAMES.DAT
SCAN.DAT
If you accepted the default installation path, these files are located in:
<drive>:\Program Files\Common Files\Network Associates\Engine\
3 Use WINZIP, PKUNZIP, or a similar utility to open the .ZIP archive and extract the
updated DAT files.
4 Log on to the server you want to update. You must have administrator rights
for the destination computer.
5 Copy the DAT files to the DAT folder.
6 Disable on-access scanning by stopping the McShield service, then enable it

again by starting the McShield service.
7 Stop Microsoft Outlook, then restart it.
8 Stop on-demand scan tasks, then restart them.

Scheduling Tasks
8
You have the option of scheduling VirusScan Enterprise tasks to run at specific
dates and times, or intervals. Schedules can be configured to meet your company’s
needs.
Configuring task schedules
Product Guide 221

Scheduling Tasks

You can schedule three types of tasks:
On-demand tasks — To schedule an on-demand task, open the On-Demand

Scan Properties for the task, then click Schedule. The Schedule Settings dialog
box opens.
For more information about on-demand tasks, see On-Demand Scanning on

page 85.
AutoUpdate tasks — To schedule an AutoUpdate task, open the AutoUpdate

Properties for the AutoUpdate task, then click Schedule. The Schedule Settings
dialog box opens.
For more information about AutoUpdate tasks, see AutoUpdate tasks on
page 190.
Mirror tasks — To schedule a mirror task, open the AutoUpdate Properties for
the mirror task, then click Schedule. The Schedule Settings dialog box opens.
For more information about mirror tasks, see Mirror tasks on page 212.
Task properties
Schedule properties

Task properties
Use the options on the Task tab to enable scheduling, specify a limit for the task run
time, and add authentication for this task.
1 Select the Task tab.
Figure 8-1. Schedule Settings — Task tab
2 Under Schedule Settings, specify whether you want the task to run at a specific
time. You have these options:
Enable (scheduled task runs at specified time). Schedule the task to run at a
specified time.
Stop the task if it runs for. Stop the task after a limited time. If you select this
option, also type in or select the hours and minutes.
NOTE
If the task is interrupted before it completes, the next time it
starts it resumes scanning from where it left off, unless the
DAT files have been updated and you have selected the
option to rescan all files when DAT files are updated. In that
case, the scan starts over instead of resuming from where it
left off.
Product Guide 223

Scheduling Tasks
3 Under Task, specify authentication credentials for this task by entering the
following information:
NOTE
The use of credentials is optional. If you do not type
credentials here, the scheduled task runs under the local
system account.
User. Type the user ID under which this task executes.
Domain. Type the domain for the user ID you specified.
Password. Type the password for the user ID and domain you specified.

NOTE
If you schedule a task using credentials, the account that you
specify needs to have logon as a batch job privilege. Without this
privilege, the spawned process cannot access network
resources, even though it has the correct credentials. This is
documented Windows NT behavior.
To give an account this privilege:
Start|Programs|Administrative Tools|Local Security Policy.
Security Settings|Local Policies|User Rights Assignments.
Double-click Log on as a batch job.

Add the user to the list.
Click OK to save your changes and close the dialog box.
Schedule properties
Use the options on the Schedule tab to specify the task frequency, when the task
runs in time zones, whether you want to run the task at random times within
specified intervals, whether to run missed tasks, and specify delay times for
missed tasks.
Schedule task frequencies
Advanced schedule options
Scheduling tasks by frequency

Schedule task frequencies

The schedule frequency you select here affects the options you have available for
scheduling days, weeks, months, and other frequencies. The frequency options
are:
Daily. This option is selected by default. Run the task daily on the specified day(s).
See Daily on page 227.
Weekly. Run the task weekly on the specified week(s) and day(s). See Weekly on
page 229.
Monthly. Run the task monthly on the specified day(s) and months. See Monthly
on page 230.
Once. Run the task once on the specified date. See Once on page 232.
At System Startup. Run the task at system startup and specify whether to run
the task once per day and the number of minutes to delay the task. See At
System Startup on page 233.
At Logon. Run the task at log on and specify whether to run the task once per
day and the number of minutes to delay the task. See At Logon on page 234.
When Idle. Run the task when the computer is idle and specify the number of
minutes. See When Idle on page 235.
Run Immediately. Run the task immediately. See Run Immediately on page 236.
Run On Dialup. Run the task on Dialup and specify whether to run the task once
per day. See Run On Dialup on page 237.
Product Guide 225

Scheduling Tasks
Advanced schedule options

1 On the Schedule tab, under Schedule, click Advanced to open the Advanced
Schedule Options dialog box.
Figure 8-2. Advanced Schedule Options
Start Date. Click to select a date from the calendar. This field is optional.
End Date. Click to select a date from the calendar. This field is optional.
Repeat Task. Repeat the task at the frequency selected.
Every. Type the frequency or use the arrows to select a number, then select
whether you want the frequency to be in minutes or hours.
Until. Select either Time (Local) and type in or select the time, or select
Duration and type in or select the hour(s) and minute(s).
2 Click OK to return to the Schedule tab.

Scheduling tasks by frequency

You can schedule a task for a date and/or time that meets your needs.
The following task frequencies are addressed in this section:
Daily
Weekly
Monthly
Once
At System Startup
At Logon
When Idle
Run Immediately
Run On Dialup
Daily
1 On the Schedule tab, under Schedule:
Schedule Task. Click to select Daily.
Figure 8-3. Schedule tab — Daily
Product Guide 227

Scheduling Tasks
Start Time. Type the start time the for the scheduled task or use the arrows
to select a time.
UTC Time. Coordinated Universal Time (UTC). Select this option to run the
task simultaneously in all time zones.
Local Time. This option is selected by default. Run the task independently in
each local time zone.
Enable randomization. Run the task at a random point within the interval of
time you set. If you select this option, also type in or select the hours and
minutes for the maximum time lapse.
You can type in or select a time lapse interval between one minute
(minimum) and 24 hours (maximum). For example, setting the task
schedule to 1:00 and the randomization to three hours, would cause the
task to run at any time between 1:00 and 4:00.
Run missed task. To ensure that missed tasks run when the computer starts
up again. If the computer was offline when a task was scheduled to be run,
it may have been missed. This feature ensures that remote users and the
network are fully protected if they happen to be offline when a task is
scheduled to run.
Delay missed task by. Type the number of minutes by which you want to
delay the missed task, or use the arrows to select the number of minutes.
Choose from 0 to 99 minutes.
Advanced. Click this button to set advanced scheduling properties. See

Advanced schedule options on page 226 for more information.
2 Under Schedule Task Daily, type in or select frequency in number of days, or

use the arrows to select a number.
NOTE
Daily tasks can be run every so many days, or every day
Monday through Sunday. If you only want to run the task on
specific days of the week, other than every day Monday
through Sunday, we recommend that you use the weekly task
frequency.
3 Click OK to save your settings and close the Schedule Settings dialog box.

Weekly
Schedule Task. Click to select Weekly.
Figure 8-4. Schedule tab — Weekly
to select a time.
You can type a time lapse interval between one minute (minimum) and 24
hours (maximum). For example, setting the task schedule to 1:00 and the
randomization to three hours, would cause the task to run at any time
between 1:00 and 4:00.
Product Guide 229

Scheduling Tasks
scheduled to run.

2 Under Schedule Task Weekly:

Every. Type the frequency in number of weeks.
Week(s) on. Select the days of the week.
Monthly
Schedule Task. Click to select Monthly.
Figure 8-5. Schedule tab — Monthly

to select a time.
time you set. If you select this option, also type the hours and minutes for
the maximum time lapse.
You can type a time lapse interval between one minute (minimum) and 24
hours (maximum). For example, setting the task schedule to 1:00 and the
randomization to three hours, would cause the task to run at any time
between 1:00 and 4:00.
scheduled to run.

2 Under Schedule Task Monthly, choose from these options:
Day of the month. Select the option and the day of the month.
Weekday of the month. Select this option to run the task on a specific day of
the month (for example, first Sunday or second Wednesday).
Select First, Second, Third, Fourth, or Last option.

Select the day of the week on which to run this task each month.
Click Select Months to select specific months:

Select the months for which you want to run the task.
NOTE
All months are selected by default.
Click OK to return to the Schedule tab.
Product Guide 231

Scheduling Tasks
Once
Schedule Task. Click to select Once.
Figure 8-6. Schedule tab — Once
to select a time.

scheduled to run.

2 Under Schedule Task Once, click to select the date on which you want to
run the task.
At System Startup
Schedule Task. Click to select At System Startup.
Figure 8-7. Schedule tab — At System Startup
Product Guide 233

Scheduling Tasks
2 Under Schedule Task at System Startup:
Only run this task once per day. Select this option to run this task once a day.
If you do not select this option, the task runs every time startup occurs.
Delay task by. Select the number of minutes to delay the task. Choose from
0 to 99 minutes. This allows time for logon scripts to execute or user logon
time.
At Logon
Schedule Task. Click to select At Logon.
Figure 8-8. Schedule tab — At Logon
2 Under Schedule Task at Logon:
Only run this task once per day. Select this option to run this task once a day.
If you do not select this option, the task runs every time log on occurs.
Delay task by. Type the number of minutes to delay the task. Choose from
0 to 99 minutes. This allows time for logon scripts to execute or user logon
time.

When Idle
Schedule Task. Click to select When Idle.
Figure 8-9. Schedule tab — When Idle
2 Under Schedule Task When Idle, type in or select the number of minutes that
you want the computer to be idle before it starts the task. Choose from 0 to 999
minutes.
Product Guide 235

Scheduling Tasks
Run Immediately
Schedule Task. Click to select Run Immediately.
Figure 8-10. Schedule tab — Run Immediately

Run On Dialup
Schedule Task. Click to select Run On Dialup.
Figure 8-11. Schedule tab — Run On Dialup
2 Under Schedule Task Run On Dialup, select whether to run the task once per
day.
NOTE
Scheduling a task to Run On Dialup may be more useful for an
AutoUpdate task than an on-demand task.
Product Guide 237

Scheduling Tasks

Command-Line Scanner
Program A
A typical installation of the VirusScan Enterprise software includes the McAfee
Security VirusScan Enterprise Command Line program. That program can be run
from a Windows Command Line prompt.
VirusScan Enterprise command-line options
On-demand scanning command-line options
Customized installation properties
Product Guide 239

Command-Line Scanner Program

To run the VirusScan Enterprise Command Line program, change to the folder in
which the file SCAN.EXE is located, and type SCAN. If you installed the VirusScan
Enterprise program to its default location, the file can be found in:
C:\Program Files\Common Files\Network Associates\Engine\
The following table lists the options that can be added to the command SCAN. All
the options listed can be used to configure both on-demand and on-access scans,
unless otherwise noted.
Table A-1. VirusScan Command-Line Options
Command-Line Option Description
/? or /HELP Displays a list of VirusScan command-line options, each with

a brief description.
You may find it helpful to add a list of scanning options to the
report files that the VirusScan program creates. To do this,
type scan /? /REPORT <file name> at the command prompt.
The results of your scanning report are appended with the full
set of options available for that scan task.
/ADL Scan all local drives—including compressed drives and PC
cards, but not disks—in addition to any other drive(s)
specified on the command line.
To scan both local and network drives, use the /ADL and
/ADN commands together in the same command line.
/ADN Scan all network drives—including CD-ROM—for viruses, in
addition to any other drive(s) specified on the command line.
Note: To scan both local drives and network drives, use the
/ADL and /ADN commands together in the same command
line.
/ALERTPATH <dir> Designates the directory <dir> as a network path to a remote
NetWare volume or Windows NT directory, monitored by
Centralized Alerting.
VirusScan sends an .ALR text file to the server when it
detects an infected file.
From this directory, VirusScan Enterprise, through its
Centralized Alerting feature, broadcasts or compiles the
alerts and reports according to its established configuration.
Requirements:
You must have write-access to the directory you specify.
The directory must contain the VirusScan
Enterprise-supplied CENTALRT.TXT file.

Table A-1. VirusScan Command-Line Options (Continued)
/ALL Overrides the default scan setting by scanning all infectable

files—regardless of extension.
Notes: Using the /ALL option substantially increases the
scanning time required. Use it only if you find a virus or
suspect that you have one.
To get a current list of file type extensions run /EXTLIST at
the command prompt.
/ANALYZE Sets the software to scan using its full heuristics, both
program and macro.
Note: /MANALYZE targets macro viruses only; /PANALYZE
targets program viruses only.
/APPEND Used with /REPORT <file name> to append report message
text to the specified report file instead of overwriting it.
/BOOT Scan boot sector and master boot record only.
/CLEAN Clean viruses from all infected files and system areas.
/CLEANDOCALL As a precautionary measure against macro viruses,
/CLEANDOCALL cleans all macros from Microsoft Word and
Office documents if a single infection is found.
Note: This option deletes all macros, including macros not
infected by a virus.
/CONTACTFILE <file Display the contents of <file name> when a virus is found. It
name> is an opportunity to provide contact information and
instructions to the user when a virus is encountered. (McAfee
Security recommends using /LOCK in tandem with this
option.)
This option is especially useful in network environments,
because you can easily maintain the message text in a
central file instead of on each workstation.
Note: Any character is valid in a contact message except a
backslash (\). Messages beginning with a slash (/)or a
hyphen (-) should be placed in quotation marks.
Product Guide 241

/DAM A repair switch: deletes all macros in the event an infected

macro is found. If no infected macro is found, no deletions
are made.
If you suspect that there is an infection in your file, you may
choose to strip all macros from a data file to minimize any
possible exposure to a virus. To pre-emptively delete all
macros in a file, use this option with /FAM:
scan <file name> /fam /dam
When using these two options in tandem, all found macros
are deleted, whether or not an infection is found.
/DEL Deletes infected files permanently.
/EXCLUDE <file name> Do not scan the files listed in <file name>.
Use this option to exclude specific files from a scan. List the
complete path to each file that you want to exclude on its own
line. You may use wildcards * and ?
/EXTLIST Use this option to get a current list of file type extension from
the current DAT file.
/FAM Find all macros: not just macros suspected of being infected.
It causes any macro found to be treated as a possible virus
detection. No deletion of the found macros is made unless
used in conjunction with the /DAM option.
If you suspect that there is an infection in your file, you may
choose to strip all macros from a data file to minimize any
possible exposure to a virus. To pre-emptively delete all
macros in a file, use this option with /FAM:
scan <file name> /fam /dam
When using these two options in tandem, all found macros
are deleted, whether or not an infection is found.
/FREQUENCY <n > Do not scan <n> hours after the previous scan.
In environments where the risk of viral infection is low, use
this option to prevent unnecessary scans.
Remember, the greater the scan frequency, the better your
protection against infection.
/HELP or /? Displays a list of scanning options, each with a brief
description.
report files the VirusScan program creates. To do this, type
scan /? /REPORT <file name> at the command prompt. The
results of your scanning report are appended with the full set
of options available for that scan task.

/LOAD <file name> Load scanning options from the named file.
Use this option to perform a scan you’ve already configured
by loading custom settings saved in an ASCII-formatted file.
/MANALYZE Enables heuristic scanning target macro viruses.
Note: /PANALYZE targets program viruses only; /ANALYZE
targets both program and macro viruses.
/MANY Scans multiple disks consecutively in a single drive. The
program prompts you for each disk.
Use this option to examine multiple disks quickly.
You cannot use the /MANY option if you run the VirusScan
software from a boot disk and you have only one floppy drive.
/MOVE <dir> Moves all infected files found during a scan to the specified
directory, preserving drive letter and directory structure.
Note: This option has no effect if the Master Boot Record or
boot sector is infected, since these are not files.
/NOBEEP Disables the tone that sounds whenever the scanners find a
virus.
/NOBREAK Disables CTRL+C and CTRL+BREAK during scans.
Users are not be able to halt scans in progress with
/NOBREAK in use.
/NOCOMP Skips the examination of compressed executables created
with the LZ.EXE or PkLite file-compression programs.
This reduces scanning time when a full scan is not needed.
Otherwise, by default, VirusScan examines inside
executable, or self-decompressing files by decompressing
each file in memory and checking for virus signatures.
/NODDA No direct disk access. This prevents the scanners from
accessing the boot record.
This feature has been added to allow the scanners to run
under Windows NT.
You might need to use this option on some device-driven
drives.
Using /NODDA with the /ADN or /ADL switches may
generate errors when accessing empty CD-ROM drives or
empty Zip drives. If this occurs, type F (for Fail) in response
to the error messages to continue the scan.
/NOXMS Does not use extended memory (XMS).
Product Guide 243

/PANALYZE Enables heuristic scanning for program viruses.

Note: /MANALYZE targets macro viruses only; /ANALYZE
targets both program and macro viruses.
/PAUSE Enables screen pause.
The “Press any key to continue” prompt appears when the
program fills a screen with messages. Otherwise, by default,
the program fills and scrolls a screen continuously without
stopping, which allows it to run on PCs with multiple drives or
that have severe infections without needing your input.
McAfee Security recommends omitting /PAUSE when using
the report options (/REPORT, /RPTALL, /RPTCOR, and
/RPTERR).
/REPORT <file name> Creates a report of infected files and system errors, and
saves the data to <file name> in ASCII text file format.
If <file name> already exists, /REPORT overwrites it. To
avoid overwriting, use the /APPEND option with /REPORT:
the software adds report information to the end of the file,
instead of overwriting it.
You can also use /RPTALL, /RPTCOR, and /RPTERR to add
scanned files, corrupted files, modified files, and system
errors to the report.
report files the VirusScan program creates. To do this, type /?
/report <file name> at the command prompt. The results of
your scanning report are appended with the full set of options
available for that scan task.
You can include the destination drive and directory (such as
D:\VSREPRT\ALL.TXT), but if the destination is a network
drive, you must have rights to create and delete files on that
drive.
any report option.
/RPTALL Includes the names of all scanned files in the /REPORT file.
You can use /RPTCOR with /RPTERR on the same
command line.
any report option.

/RPTCOR Include corrupted files in /REPORT file.

When used with /REPORT, this option adds the names of
corrupted files to the report file. Corrupted files that the
VirusScan scanners find may have been damaged by a virus.
You can use /RPTCOR with /RPTERR on the same
command line.
There may be false readings in some files that require an
overlay or another executable to run properly (that is, a file
that is not executable on its own).
any report option.
/RPTERR Include errors in /REPORT file.
When used with /REPORT, this option adds a list of system
errors to the report file.
/LOCK is appropriate in highly vulnerable network
environments, such as open-use computer labs.
You can use /RPTERR with /RPTCOR on the same
command line.
System errors can include problems reading or writing to a
disk or hard disk, file system or network problems, problems
creating reports, and other system-related problems.
any report option.
/SUB Scans subdirectories inside a directory.
By default, when you specify a directory to scan other than a
drive, the VirusScan scanners examine only the files it
contains, not its subdirectories.
Use /SUB to scan all subdirectories within any directories you
have specified. It is not necessary to use /SUB if you specify
an entire drive as a target.
/UNZIP Scan inside compressed files.
/VIRLIST Displays the name of each virus that the VirusScan software
can detect.
This file is over 250 pages long. This is too large for the
MS-DOS “Edit” program to open; McAfee Security
recommends using Windows Notepad or another text editor
to open the virus list.
Product Guide 245


The VirusScan Enterprise on-demand scanner can be run from the Windows
Command Line prompt, or from the Start menu’s Run dialog box. To run the
program, change to the folder in which the file SCAN32.EXE is located, and type
SCAN32. If you installed the VirusScan Enterprise program to its default location,
the file can be found in:
C:\Program Files\Network Associates\VirusScan
The following table lists the options that can be added to the command SCAN32.
Table A-2. On-Demand Command-Line Arguments
SPLASH Displays the VirusScan splash dialog when opening the

on-demand scanner.
NOSPLASH Conceals the VirusScan splash dialog when opening the
on-demand scanner.
AUTOEXIT Exits the on-demand scanner upon completion of a
non-interactive scan.
NOAUTOEXIT Does not exit on-demand scanner upon completion of a
non-interactive scan.
ALWAYSEXIT Forces exit from on-demand scan, even if scan completed
with error/failure.
NOALWAYSEXIT Does not force exit.
UINONE Launch the scanner without making the user interface dialog
box visible.
SUB Include sub-folders of the target folders in the scan.
NOSUB Exclude sub-folders of the target folder from the scan.
ALL Scan all files in the target folder
NOALL Scan only those files in the target folder that have file name
extensions found on the list of specified file types.
COMP Scans archive files such as .ZIP, .CAB, .LZH, and .UUE files.
NOCOMP Excludes archive files from scan.
CONTINUE Scanning continues after a virus is detected.
PROMPT Prompts user for action when a virus is detected.
NOPROMPT Does not prompt user for action when a virus is detected.
CLEAN Cleans the infected target file when a virus is detected.
DELETE Deletes the infected file when a virus is detected.

Table A-2. On-Demand Command-Line Arguments (Continued)
MOVE Move (quarantine) the infected file to a pre-specified

quarantine folder when a a virus is detected.
BEEP Plays an audible beep on completion of a scan if an infected
item is detected.
NOBEEP Suppresses the audible beep on completion of a scan even
if an infected item is detected.
RPTSIZE Sets the size of the alert log, in kilobytes.
BOOT Scans the boot sectors before the current scan task runs.
NOBOOT Excludes the boot sectors from scanning.
EXT File extensions that you add, as parameters following this
argument, replace the extensions on the list of selected filed
types that are included in scanning.
DEFEXT File extensions that you add, as parameters following this
argument, are added to the list of selected file types that are
included in scanning.
TASK Launches the on-demand scanner task specified in the
VirusScan Enterprise Console. Requires additional
parameter specifying the specified task ID as recorded in the
registry at:
HKEY_LOCAL_MACHINE;SOFTWARE;
NETWORK ASSOCIATES;TVD;
VirusScan EnterpriseNT;CurrentVersion;Tasks.
SERVER Use this argument to specify the computer on which you

want to start or stop a scan task.
CANCEL If a task fails, but the console continues to show it as
running, use this argument to adjust the registry to show that
the task is no longer running.
LOG Log infection reports to previously specified log file.
NOLOG Do not log infection reports.
LOGALL Log all responses to virus detection as events. This includes
Prompt, Clean, Delete, and Move.
LOGDETECT Log detection of a virus as an event.
NOLOGDETECT Do not log detection of a virus as an event.
LOGCLEAN Log success or failure of a virus cleaning activity as an
event.
NOLOGCLEAN Do not log success or failure of a virus cleaning activity as an
event.
Product Guide 247

Table A-2. On-Demand Command-Line Arguments (Continued)
LOGDELETE Log deletion of an infected file as an event.

NOLOGDELETE Do not log deletion of an infected file as an event.
LOGMOVE Log the moving of an infected file to a quarantine folder as
an event.
NOLOGMOVE Do not log the moving of an infected file as an event.
LOGSETTINGS Log the configuration settings of a scan task.
NOLOGSETTINGS Do not log the configuration settings for a scan task.
LOGSUMMARY Log a summary of scan task results.
NOLOGSUMMARY Do not log a summary of scan task results
LOGDATETIME Log the date, start time, and end time of scanning activities.
NOLOGDATETIME Do not log date or time of scanning activities.
LOGUSER Log identifying information about the user who executes a
scan task.
NOLOGUSER Do not log user information.
PRIORITY Sets the priority of the scan task relative to other CPU
processes. Requires an additional numerical parameter. A
value of 1 assigns priority to all other CPU processes. A
value of 5 assigns the highest priority to the scan task.


You can customize the installation process using these properties when installing
from the command line.
Table A-3. Customized Installation Properties
Command-Line Property Function
ALERTMANAGERSOURCEDIR Sets the default Alert Manager source path. The

default path is \AMG.
You can set it yourself in SETUP.INI
CMASOURCEDIR Set the source path for the SITELIST.XML. The
default path is the current directory from which
SETUP.EXE is being run.
ENABLEONACCESSSCANNER False = A False value cannot be set.

True = Enable on-access scanner upon
completion of installation. This is the default.
Note: If you do not want to enable the on-access
scanner, set the property to ““. This literally
means ENABLEONACCESSSCANNER=””, an
empty string.
EXTRADATSOURCEDIR Set the source path for the EXTRA.DAT. During
installation, the EXTRA.DAT is copied into the
location where the engine files reside.
FORCEAMSINSTALL True = Install Alert Manager, if present.
INSTALLDIR Sets the default installation directory.
INSTALLCHECKPOINT False = Do not install the Check Point SCV
integration.
True = Install the Check Point SCV integration.
LOCKDOWNVIURUSSCANSHORTCUTS False = A False value cannot be set.
True = Do not display any shortcuts under the
start menu.
Note: To allow the shortcuts to be installed, set
the property to ““. This literally means
LOCKDOWNVIURUSSCANSHORTCUTS=””,
an empty string. This is the default.
Product Guide 249

Table A-3. Customized Installation Properties (Continued)
PRESERVESETTINGS Preserves settings upon upgrade of NetShield

4.5 or VirusScan 4.5.1.
False = A False value cannot be set.
True = Preserve settings. This is the default.
Note: If you do not want to preserve settings, set
the property to ““. This literally means
PRESERVESETTINGS=””, an empty string.
RUNAUTOUPDATE False = A False value cannot be set.
True = Run update upon completion of
installation. This is the default.
Note: If you do not want to run update upon
completion of installation, set the property to ““.
This literally means RUNAUTOUPDATE=””, an
empty string.
RUNONDEMANDSCAN False = A False value cannot be set.
True = Run a scan of all local drives upon
completion of installation. This is the default.
Note: If you do not want to run the on-demand
scanner at completion of installation, set the
property to ““. This literally means
RUNONDEMANDSCAN=””, an empty string.
RUNAUTOUPDATESILENTLY False = A False value cannot be set.
True = Run silent update upon completion of
installation.
Note: If you do not want to run a silent update
upon completion of installation, set the property
to ““. This literally means
RUNAUTOUPDATESILENTLY=””, an empty
string.
RUNONDEMANDSCANSILENTLY False = A False value cannot be set.
True = Run on-demand scan silently upon
completion of installation.
Note: If you do not want to run a silent
on-demand scan upon completion of installation,
set the property to ““. This literally means
RUNONDEMANDSCANSILENTLY=””, an empty
string.

Table A-3. Customized Installation Properties (Continued)
SUPPRESSAMSINSTALL True = Suppress installation of Alert Manager.

VIRUSSCANICONLOCKDOWN Lock down the product in two different levels.
NORMAL = Show all the menu items on the
VirusScan icon menu in the system tray.This is
the default.
MINIMAL = Show only the Enable On-Access
Scan and About VirusScan Enterprise menu
items on the VirusScan icon menu in the system
tray.
NOICON = Do not show the VirusScan icon
menu in the system tray.
Product Guide 251


Secure Registry
B
The VirusScan Enterprise program is compatible with the Windows secure
registry feature. The program writes registry entries based on the limits imposed
by the user's security permissions. Any program feature to which the user has no
permission appear disabled and are unselectable or unresponsive. Previous
releases of the product sometimes generated errors when the VirusScan Enterprise
program attempted to write a registry entry for a function to which the user did
not have permission.
This topic is included in this section:
Registry keys requiring write access
Product Guide 253

Secure Registry

This a list of the registry keys to which the VirusScan Enterprise program and its
Alert Manager component require Write access. The table also displays the results
that can be expected if a user does not have adequate permission to write to those
keys.
All the registry keys shown in this table are subkeys of:
hkey_local_machine\software\network associates\tvd.
Table B-1. Result of VirusScan Enterprise Registry Key Lock-down
Feature Program Description Write access Result if Write Access

or required to is unavailable due to
Windows registry key for registry lockdown
Service full
functionality
On-Access Network A Windows service Shared Ordinarily not affected

Scanner Associates that can run only Components because the service
McShield under the local On-Access runs under a System
service System account. This Scanner account. However, if
service performs this service does not
scans whenever a file have write access to
is used. this key, the on-access
scanner does not
function.
On-Access ShCfg32.exe A program that runs Shared The user can see the
Scanner the on-access Components on-access scanner
configuration On-Access property pages, but
interface. Scanner cannot change the
configuration.
McShield
Configuration

Table B-1. Result of VirusScan Enterprise Registry Key Lock-down (Continued)

Service full
functionality
On-Access ShStat.exe A program that Shared The user cannot enable

Scanner gathers statistics on Components or disable the
the activities of the On-Access on-access scanner
on-access scanner. Scanner using the icon in the
This program also system tray.
places the VirusScan McShield
Enterprise icon in the Configuration
system tray.
Right-clicking the icon
allows the user to
view scanning
statistics, disable and
enable the program,
and open several
program components.
On-Demand ScnCfg32 A program that runs VirusScan If write access fails for
Scanner the on-demand Enterprise any of these keys, The
configuration CurrentVersion user can see the
interface. This on-demand scanner
interface is accessed property pages, but
from the VirusScan VirusScan cannot change the
Enterprise Console. Enterprise configuration.
CurrentVersion
Tasks
VirusScan
Enterprise
CurrentVersion
DefaultTask
VirusScan
Enterprise
CurrentVersion
Tasks
Product Guide 255

Secure Registry

Service full
functionality
On-Demand ScnStat.exe A program that VirusScan No effect.

Scanner gathers statistics on Enterprise
the activities of the CurrentVersion
on-demand scanner.
Tasks
VirusScan
Enterprise
CurrentVersion
VirusScan
Enterprise
CurrentVersion
Tasks
On-Demand Scan32.exe A program that VirusScan If Scan32 does not
Scanner performs on-demand Enterprise have a writable key to
scanning activities of CurrentVersion it's own task, then it
targets specified on runs but does not
the VirusScan update statistics.
Enterprise Console. VirusScan Scanning results data is
Enterprise not generated.
CurrentVersion\
Tasks This does not affect
scheduled on-demand
tasks, which are
Note: Also controlled by the Task
requires Read Manager service
rights to: described in the
Shared following section.
Components
VirusScan
Engine
4.0.xx


Service full
functionality
Task Network A Windows service VirusScan Ordinarily not affected

Manager Associates that can run under the Enterprise NT because the service
Task System account or CurrentVersion runs under a system or
Manager under an administrator account.
Service administrator’s However, if this service
account. This VirusScan does not have
program allows Enterprise NT read/write access to
scheduling of any of these keys, the
CurrentVersion
scanning and service fails to start.
updating activities. Alerts
VirusScan
Enterprise NT
CurrentVersion
Tasks
all subkeys
Shared
Components
On-Access
Scanner
McShield
Shared
Components
On-Access
scanner
McShield
Configuration
Product Guide 257

Secure Registry

Service full
functionality
McUpdate McUPdate.exe A program used to VirusScan DAT information won't

perform updating of Enterprise NT be updated.
DAT files and software
Current Version
upgrades.
McShield might not
Shared reload the DAT.
Components
On-Access
Scanner
McShield Status information
Configuration cannot be
communicated to the
VirusScan Enterprise
VirusScan Console.
Enterprise NT
CurrentVersion
The user can see the
Tasks Update property page,
but cannot change the
configuration.
VirusScan
Enterprise NT
CurrentVersion
Tasks The user can see the
Upgrade property page,
Update
but cannot change the
configuration.
VirusScan
Enterprise NT
CurrentVersion
Tasks
Upgrade


Service full
functionality
VirusScan McConsol.exe A program that runs VirusScan Update of virus

Enterprise the administrative Enterprise NT definitions does not
Console interface for the CurrentVersion function reliably. Also,
VirusScan Enterprise The user can see the
program. current screen refresh
VirusScan rate, but cannot change
Enterprise NT it.
CurrentVersion
Alerts The Alert Manager
settings visible by
CurrentVersion
selecting Alerts from the
Tools menu appear
VirusScan disabled and do not
Enterprise NT respond when selected.
Also, some start/stop
CurrentVersion tasks that the
Tasks VirusScan Enterprise
Console controls may
not be generated.
Shared
Components
The following options
On-Access
appear disabled and do
Scanner
not respond when
McShield selected:
Configuration Enable/Disable the
on-access scan
task.
VirusScan
Enterprise NT Copy, Paste, Delete,
Rename, Import and
CurrentVersion
Export tasks.
Tasks
The Stop scanning
Xxxx control.
The on-access task

cannot be configured,
enabled, or disabled.
Any key that has been
locked down cannot be
configured.
Product Guide 259

Secure Registry

Service full
functionality
Alert nai alert A component that Shared The user can see the
Manager manager provides immediate Components property pages for the
notification that the Alert Manager alerting methods and
scanner has detected messages, but cannot
a virus, or that the change the
event scheduler has configuration.
encountered a
problem.

Troubleshooting
C
This section contains troubleshooting information for the VirusScan Enterprise
product.
Minimum Escalation Tool
Frequently asked questions
Updating error codes
Minimum Escalation Tool

The McAfee Minimum Escalation Tool (MERTool) is a utility that is designed to
gather reports and logs for the Network Associates software on your system. The
information obtained can be used to help analyze problems.
To get more information about MERTool and access the utility, click the MERTool
file that was installed with the VirusScan Enterprise product.
This file is located in the installation folder. If you accepted the default installation
path, this file is located in:
drive:\Program Files\Network Associates\VirusScan
When you click the MERTool file, it accesses the URL for the MERTool web site.
Follow the instructions on the web site.

This section contains troubleshooting information in the form of frequently asked
questions. The questions are divided into the following categories:
Installation questions
Scanning questions
Virus questions
General questions
Product Guide 261

Troubleshooting
Installation questions
I just installed the software using the Silent Install method, and there is no
VirusScan Enterprise icon in the Windows system tray.
The icon does not appear in the system tray until you restart your system.
However, even though there is no icon, VirusScan Enterprise is running, and your
computer is protected.
You can verify this by checking the following registry key:
HKEY_Local_Machine\SOFTWARE/Microsoft\Windows\CurrentVersion\Run
ShStatEXE=”C:\Program Files\Network
Associates\VirusScan\SHSTAT.EXE\STANDALONE
Why can some users on my network configure their own settings in

VirusScan Enterprise and others cannot?
If the administrator configures the user interface to password protect the tasks,
users cannot change the settings.
Different Microsoft Windows operating systems have different user privileges.

Windows NT users have permission to write to the system registry, while
Windows XP or Windows 2000 users do not. Refer to your Microsoft Windows
documentation for more information about user permissions.
During a command-line installation, how can I prevent users who do not

have administrator rights from obtaining administrator rights through the
VirusScan Console?
You can prevent users from obtaining administrator rights during a command-line
installation by adding the following property:
DONOTSTARTSHSTAT=True
This prevents the SHSTAT.EXE from starting upon completion of installation.

Scanning questions
In On-Access Scanning, what is the difference between scanning “when
writing to disk” and scanning “when reading from disk”?
Scanning when writing is a file-writing action. It scans the following:
Incoming files being written to the local hard drive.
Files being created on the local hard drive or a mapped network drive (this
includes new files, modified files, or files being copied or moved from one
drive to another).
Scanning when reading is a file-reading action. It scans the following:
Outgoing files being read from the local hard drive.

NOTE
Select on network drives in the On-Access Scan Properties
dialog box to include remote network files.
Any file being executed on the local hard drive.
Any file opened on the local hard drive.
Any file being renamed on the local hard drive, if the file properties have
changed.
When I detect a virus using On-Demand E-mail Scan or On-Delivery E-mail

Scan, what do the different action options mean?
See Action properties on page 123 for a detailed description of each of the action
options.
Product Guide 263

Troubleshooting
Virus questions
I suspect I have a virus but VirusScan Enterprise is not detecting it.
You can download the latest DAT file while it is still being tested prior to the
official release. To use the daily DAT file, refer to:
www.mcafeeb2b.com/naicommon/avert/avert-research-enter/virus-4d.asp
I cannot get VirusScan Enterprise installed, but I think I have a virus. How
can I determine if my computer is infected?
If you have not been able to install VirusScan Enterprise, you can still run a scan at
the command line, using a single file downloaded from the Network Associates
web site. To run a command-line scan on a computer that does not have anti-virus
software installed:
1 Create a folder in the root of your C drive named Scan.
2 Right-click the Scan folder and select Properties. Make sure that the read-only
attribute is selected.
3 Go to http://nai.com/naicommon/download/dats/superdat.asp. Click
sdatxxxx.exe for Windows-Intel to start the download.
4 Download this file into your new folder (C:\Scan)
5 From the Start menu, select Run and type C:\Scan\sdatxxxx.exe /e in the
text box. Click OK.
6 Open a DOS prompt (also called a Command Prompt). At the C:\> prompt,
type cd c:\Scan. Your prompt now looks like this: C:\Scan>
7 At the C:\Scan> prompt, type:
scan.exe /clean /all /adl /unzip /report report.txt
This scans all local drives and create a report in a file named REPORT.TXT.
8 After scanning, browse to your C:\Scan directory and read the REPORT.TXT file.
NOTE
We recommend that you disconnect the system from the
network before scanning.

On Windows 2000 and Windows XP systems, boot into Safe Mode Command
Prompt only to perform the scan. On Windows NT systems, run the scan from
VGA Mode, then a command prompt.
We recommend that you rerun the command-line scanner until no virus files are
found. You may want to rename the report text file as REPORT2.TXT to record the
second scan and REPORT3.TXT for the third scan, and so on, to avoid overwriting the
reports file each time.
WARNING
You may receive an error that an application is attempting to
directly access the hard disk on Windows NT systems. Click
Ignore to continue. If you do not click Ignore, the scan
terminates.
General questions
The VirusScan Enterprise icon in my system tray appears to be disabled.
If there is a red circle and line covering the VirusScan Enterprise icon, that
indicates that On-Access Scan is disabled. Here are the most common causes and
solutions. If none of these solves your problem, contact technical support.
Make sure that the On-Access Scan is enabled. To do this:
Right-click the VirusScan Enterprise icon in the system tray. If the

on-access scanner is disabled, the words Enable On-Access Scan appear in
the menu.
Select Enable On-Access Scan to enable the on-access scanner.
Make sure that the service is running. To do this:
Open the Services Control Panel using one of these methods:

For Windows NT, select Start|Settings|Control Panel|Services and
confirm that Network Associates McShield has a Status of Started.
For Windows 2000 or XP, select Start|Settings|Control Panel|Admin

Tools|Services and confirm that Network Associates McShield has a
Status of Started.
If it is not started, highlight Network Associates McShield on the list of

services and click Start or Resume.
You can also select Start|Run, then type NetStart McShield.
Product Guide 265

Troubleshooting
Make sure that the service is set to start automatically. To do this:
Open the Services Control Panel using one of these methods:

For Windows NT, select Start|Settings|Control Panel|Services and
confirm that Network Associates McShield has a Startup Type of
Automatic.
If it is not set to Automatic, highlight Network Associates McShield on

the list of services, click Startup, then select Automatic as the Startup
Type.
For Windows 2000 or XP, select Start|Settings|Control Panel|Admin

Tools|Services and confirm that Network Associates McShield has a
Startup Type of Automatic.
If it is not set to Automatic, right-click Network Associates McShield on
the list of services, select Properties and General tab, then select
Automatic as the Startup Type.
I get an error that I cannot download catalog.z.

This error can be caused by many things. Here are a few suggestions to help
determine the source of the problem.
If you are using the Network Associates default download site for updates,
determine if you can download the catalog.z file via a web browser. To do
this, go to the URL:
http://update.nai.com/Products/CommonUpdater/catalog.z
and try to download the file.
If you are not able to download the file, but you can see it (in other words,
your browser does not allow you to download it), that means you have a
proxy issue and need to talk to your network administrator.
If you are able to download the file, that means VirusScan Enterprise
should be able to download it as well. Contact technical support for
assistance in troubleshooting your installation of VirusScan Enterprise.
If you are using a mirror site for updates, make sure that your mirror site is
pointing to the correct site for updates. If you are unsure, try changing your
settings to use the default Network Associates site.

I have some computers that will continue using VirusScan 4.5x and others
using VirusScan Enterprise 7.0. Can all the computers use the same
repository for DAT files?
Yes, a network of computers running multiple versions of VirusScan can all use the
same repository for DAT files. First, make sure that you are using the correct
directory structure in the repository list for VirusScan 4.5.x, then, make sure that
in the McAfee AutoUpdate Architect console, you have selected the option I want
to make my site compatible with legacy software. See the McAfee AutoUpdate
Architect Product Guide for more information.
Where is the location of the HTTP download site?

The CATALOG.Z file, which contains the latest updates, can be downloaded from
the web site:
http://update.nai.com/Products/CommonUpdater/catalog.z
Where is the location of the FTP download site?

The CATALOG.Z file, which contains the latest updates, can be downloaded from
the FTP site:
ftp://ftp.nai.com/CommonUpdater/catalog.z
If I do detect a virus and I have chosen “prompt user for action,” what
action should I choose (Clean, Delete, Move)?
Our general recommendation is to choose Clean if you are not sure what to do with
an infected file. The VirusScan Enterprise default action is to Clean a file, then Move
it.
I tried to Move or Delete a file and it failed.

This can happen when a file is locked by another program, or you do not have
permissions to move or delete the file. As a workaround, you can look in the
VirusScan Enterprise log and see where the file is located, then move or delete it
manually using Windows Explorer.
Product Guide 267

Troubleshooting

When your AutoUpdate fails, review the update log. See Viewing the activity log on
page 198 for information about how to view the log file. Following are common
error codes that you may encounter:
-215: Failed to get site status — The software cannot verify if the repository is
available. Attempt to manually download the PKGCATALOG.Z file using the
network protocol. If this fails, verify the path and user credentials.
-302: Failed to get the agent’s framework interface — The scheduler interface
is not available. Stop and restart the framework service.
-409: Master site not found — The master repository for the update is not
available, is inaccessible, or is in use. Attempt to manually download the
PKGCATALOG.Z file using the network protocol. If this fails, verify the path and
user credentials.
-414: Verify the Domain, User Name, and Password you provided are typed
correctly. Verify that the user account has permissions to the location where
the repository resides — While creating the repository, the credentials entered
were determined invalid when Verify was selected. Either now, or after the
repository is created, correct the credential information. Click Verify again.
Repeat this process until the credentials are verified.
-503: Product package not found — Update files are not present in the
repository or may be corrupt. Ensure that the repository is populated with the
update files. If these files are present, create a replication or pull task to
overwrite the current task setting. If the files were not present, populate the
repository, then attempt to update again.
-530: Site catalog not found — You performed a pull task from a repository
that does not have a catalog file, or contains a corrupted catalog file. To correct
this issue, verify that the source repository contains a valid catalog directory.
-531: Package catalog not found — The PKGCATALOG.Z was not found in the
repository. Try to download the file using the network protocol. If it cannot be
downloaded, perform a replication or pull task (depending on the type of
repository).
-601: Failed to download file — The repository is not accessible. Try to

download the file using network protocol. If it cannot be downloaded, verify
the path and user rights. If the file is downloaded, try stopping and starting the
service.
-602: Failed to upload file — You performed a pull task but the master
repository credentials or settings are invalid (or the location is not available).
Verify the credentials and location.

-804: Sit status not found — You performed a replication task but the master
repository is not available (or the credentials are invalid). Verify that the
master repository is active, accessible, and that the credentials are valid.
-1113: Replication has been done partially — One or more repositories may
be inaccessible at the time of replication. Consequently, not all repositories are
up-to-date. Verify that all repositories are accessible and that no files are
marked as read-only, then perform the task again.
Product Guide 269

Troubleshooting

Glossary
agent
See ePolicy Orchestrator agent.
agent host
See client computer.
Agent Monitor
A dialog box for prompting the agent to send properties or events to the ePolicy Orchestrator
server; enforce policies and tasks locally; check the ePolicy Orchestrator server for new or
updated policies and tasks, then enforce them immediately upon receipt.
agent policies
Settings that affect how the agent behaves.
agent wakeup call

A scheduled task or on-demand command that prompts agents to contact the ePolicy
Orchestrator server when needed, rather than waiting for the next ASCI.
See also SuperAgent Wakeup call.
agent-to-server communication
A communications technique where the agent contacts the server at a predefined interval to see
if there are any new policies or tasks for the agent to enforce or execute.
agent-to-server communications interval (ASCI)

Determines how often the agent and ePolicy Orchestrator server exchange information.
alert
A message or notification regarding computer activity such as virus detection. It can be sent
automatically according to a predefined configuration, to system administrators and users, via
e-mail, pager, or phone.
anti-virus policy
See policy.
archive
A compressed file that must be extracted prior to accessing the files within it.
AutoUpdate
The automatic updating program in McAfee Security anti-virus products; it automatically installs
updates to existing products or upgrades to new versions of products.
Product Guide 271

Glossary
AVERT
Anti-Virus Emergency Response Team, a division of Network Associates, Inc., is an anti-virus
research center that supports the computing public and Network Associates customers by
researching the latest threats, and by uncovering threats that may arise in the future. It is
comprised of three integrated teams that provide Anti-Virus Services and Support, Virus
Analysis, and Advanced Virus Research.
background scanning
A type of on-access scanning, made possible by Microsoft VS API2, in which not all files are
scanned when accessed, reducing the workload of the scanner when it is busy. It scans databases
on which it has been enabled, for example, Mailbox store and Public Folder store.
Centralized Alerting
An alternative to using regular Alert Manager. Alert messages generated by anti-virus software,
such as VirusScan Enterprise 7.0, are saved to a shared folder on a server. Alert Manager is
configured to read alert notifications from that same folder. When the contents of the shared
folder change, Alert Manager sends new alert notifications using whatever alerting methods
Alert Manager is already configured to use, such as sending e-mail messages to a pager.
client computer
A computer on the client-side of the program.
client tasks
Tasks that are executed on client computers.
common framework
A common core technologies architecture to allow different McAfee Security products to share
the same common components and code. The architecture for this is referred to as the common
framework. The Scheduler, AutoUpdate, and ePolicy Orchestrator agent components are
common components that are part of the common framework.
computers
The physical computers on the network.
console tree
The left pane of the console, which contains all console tree items.
console tree items

Every item in the console tree.
DAT files
Virus definition files that allow the anti-virus software to recognize viruses and related
potentially unwanted code embedded in files.
See also EXTRA.DAT file, incremental DAT files, and SuperDAT.
default process
In VirusScan Enterprise, any process that is not defined as a low-risk process or high-risk process.
See also high-risk process and low-risk process.

Glossary
denial of service attack

A means of attack, an intrusion, against a computer, server or network that disrupts the ability to
respond to legitimate connection requests. A denial of service attack overwhelms its target with
false connection requests, so that the target ignores legitimate requests.
deployment
Sending and installing products (and the agent) to groups, computers and users.
details pane
The right pane of the console, which shows details of the currently selected console tree item.
Depending on the console tree item selected, the details pane can be divided into upper and lower
panes.
See also upper details pane and lower details pane.
directional scanning
Scanning where one appliance is dedicated to inbound scanning, and another appliance is
dedicated to outbound scanning.
Directory
Lists all computers to be managed via ePolicy Orchestrator, and is the link to the primary
interfaces for managing these computers.
distributed software repository

Architecture for deploying products and product updates throughout an enterprise; it creates a
central library of supported products and product updates in the master repository.
download site
A repository from which you retrieve product or DAT updates.
See also update site.
EICAR
European Institute of Computer Anti-Virus Research has developed a string of characters that can
be used to test the proper installation and operation of anti-virus software.
ePolicy Orchestrator agent

An intelligent link between the ePolicy Orchestrator server and the anti-virus and security
products. It enforces policies and tasks on client computers; gathers and reports data; installs
products; enforces policies and tasks; and sends events back to the ePolicy Orchestrator server.
ePolicy Orchestrator console

A view of all virus activity and status, with the ability to manage and deploy agents and products.
It provides the ability to set and enforce anti-virus and security policies to all agents on client
computers, or to selected computers; provides a task scheduling feature that targets specific
computers or groups with scheduled tasks and policies; and allows viewing and customizing
reports to monitor deployment, virus outbreaks, and current protection levels.
Product Guide 273

Glossary
ePolicy Orchestrator server

A repository for all data collected from distributed ePolicy Orchestrator agents. It includes a
database that accrues data about product operation on client computers in the network; a
report-generating engine for monitoring the virus protection performance in your company; a
software repository that stores products and product updates for deploying to your network.
events
Generated by supported products, events identify activity on client computers, from service
events to infection detection events. Each event is assigned a severity from informational to
critical. Events and properties comprise the data that appears on reports and queries.
EXTRA.DAT file
Supplemental virus definition file that is created in response to an outbreak of a new virus or a
new variant of an existing virus.
See also DAT files, incremental DAT files, and SuperDAT.
fallback repository
The repository from which client computers retrieve updates when none of the repositories in
their repository list (SITELIST.XML) are available. Only one fallback repository can be defined.
firewall
A program that acts as a filter between your computer and the network or Internet. It can scan all
traffic arriving at your computer (incoming traffic) and all traffic sent by your computer (outgoing
traffic). It scans traffic at the packet level, and either blocks it or allows it, based on rules that you
set up.
force install, force uninstall

See product deployment client task.
FRAMEPKG.EXE
The agent installation package. When it executes, this file installs the ePolicy Orchestrator agent
on a client computer.
frequency
The repetitive interval for which you want to schedule the task.
global administrator
A user account with read, write, and delete permissions, and rights to all operations. Operations
that affect the entire installation are reserved for use only by global administrator user accounts.
Compare to site administrator and global reviewer.
global distributed repository

An identical copy of the packages in the master repository.
global reporting settings

Reporting settings that affect all ePolicy Orchestrator database servers, reports, and queries.

Glossary
global reviewer
A user account with read-only permissions; the global reviewer can view all settings in the
software, but cannot change any of these settings.
Compare to site reviewer and global administrator.
global updating
A method for deploying product updates as soon as the corresponding packages are checked into
the master repository. Packages are immediately replicated to all SuperAgent and global
distributed repositories; the ePolicy Orchestrator server sends a wakeup call to all SuperAgents;
SuperAgents send a broadcast wakeup call to all agents in the same subnet; then all agents
retrieve the update from the nearest repository.
group
In the console tree, a logical collection of entities assembled for ease of management. Groups can
contain other groups or computers. You can assign IP address ranges or IP subnet masks to
groups to sort computers by IP address. If you create a group by importing a Windows NT
domain, you can automatically send the agent installation package to all imported computers in
the domain.
heuristic analysis, heuristics

A method of scanning that looks for patterns or activities that are virus-like, to detect new or
previously undetected viruses.
high-risk process
In VirusScan Enterprise, these are processes that McAfee Security considers to have a higher
possibility of being infected.
See also default process and low-risk process.
host, host computer

See client computer.
inactive agent
An agent that has not communicated with the ePolicy Orchestrator server within a specified time
period.
incremental DAT files

New virus definitions that supplement the virus definitions currently installed. Allows the
update utility to download only the newest DAT files rather than the entire DAT file set.
See also DAT files, EXTRA.DAT file and SuperDAT.
inheritance
See task inheritance and policy inheritance.
item
See console tree item.
joke program
A non-replicating program that may alarm or annoy an end user, but does not do any actual harm
to files or data.
Product Guide 275

Glossary
local distributed repository

Locations accessible only from the client computer; for example, a mapped drive or FTP server
whose address can only be resolved from a local DNS server. Local distributed repositories are
defined in the agent policy for selected client computers.
log
A record of the activities of a component of McAfee anti-virus software. Log files record the
actions taken during an installation or during the scanning or updating tasks.
See also events.
Lost&Found group
A location on the ePolicy Orchestrator server for computers whose appropriate location in the
Directory cannot be determined. The server uses the IP management settings, computer names,
domain names, and site or group names to determine where to place computers. Only global
administrators have full access to the global Lost&Found; site administrators can access only
Lost&Found groups in sites for which they have rights.
lower details pane

In the console, the lower division of the details pane, which displays the configuration settings for
the products listed on the Policies tab in the upper details pane.
See also details pane and upper details pane.
low-risk process
In VirusScan Enterprise, these are processes that McAfee Security considers to have a lower
possibility of being infected.
See also default process and high-risk process.
macro virus
A malicious macro — a saved set of instructions created to automate tasks within certain
applications or systems — that can be executed inadvertently, causing damage or replicating
itself.
master repository
The ePolicy Orchestrator server; it maintains an original copy of the packages in the source
repository, and can replicate packages to distributed repositories. At the master repository level,
you can check in product and product update packages; schedule tasks to replicate packages to
global or SuperAgent distributed repositories; and schedule tasks to pull packages from source or
fallback repositories, and integrate them into the master repository.
McAfee AutoUpdate Architect

McAfee Security software that works with ePolicy Orchestrator to deploy products and product
updates throughout an enterprise.
mirror distributed repository

A local directory on client computers whose replication is done using a Mirror client task and
other client computers can retrieve updates from it.

Glossary
mirror task
Tasks that copy the contents of the first repository in the repository list to the local directory you
specify on the client computer.
.MSI file
A Microsoft Windows Installer package that includes installation and configuration instructions
for the software being deployed.
.NAP file
Network Associates Package file. This file extension is used to designate McAfee software
program files that are installed in the software repository for ePolicy Orchestrator to manage.
node
See console tree items.
on-access scanning
An examination of files in use to determine if they contain a virus or other potentially unwanted
code. It can take place whenever a file is read from the disk and/or written to the disk.
Compare to on-demand scanning.
on-demand scanning
A scheduled examination of selected files to determine if a virus or other potentially unwanted
code is present. It can take place immediately, at a future scheduled time, or at regularly
scheduled intervals.
Compare to on-access scanning.
package
Contains binary files, detection and installation scripts, and a package catalog (PKGCATALOG.Z)
file used to install products and product updates.
package catalog file

A file (PKGCATALOG.Z) that contains details about each update package, including the name of the
product for which the update is intended, language version, and any installation dependencies.
package signing, package security

A signature verification system for securing packages created and distributed by Network
Associates. Packages are signed with a key pair using the DSA (Digital Signature Algorithm)
signature verification system, and are encrypted using 168-bit 3DES encryption. A key is used to
encrypt or decrypt sensitive data.
packed executable
A packed executable is a file that, when run, extracts itself into memory only. Packed
executable files are never extracted to disk.
pane
A subsection of the console.
See details pane and console tree.
Product Guide 277

Glossary
policy
Configuration settings for each product that can be managed via ePolicy Orchestrator, and that
determine how the product behaves on client computers.
Compare to task. See also agent policies.
policy enforcement interval

Determines how often the agent enforces the policies it has received from the ePolicy Orchestrator
server. Because policies are enforced locally, this interval does not require any bandwidth.
policy inheritance
Determines whether the policy settings for any one console tree item under the Directory are
taken from the item directly above it.
policy pages
Part of the ePolicy Orchestrator console; they allow you to set policies and create scheduled tasks
for products, and are stored on individual ePolicy Orchestrator servers (they are not added to the
master repository).
product deployment client task

A scheduled task for deploying all products currently checked into the master repository at once.
It enables you to schedule product installation and removal during off-peak hours or during the
policy enforcement interval.
properties
Properties are attributes or characteristics of an object used to define its state, appearance, or
value.
pull task
See Repository Pull server task.
quarantine
Enforced isolation of a file or folder to prevent infection by a virus. VirusScan Enterprise
quarantines infected files or folders until action can be taken to clean or remove the item.
randomization
A random point within an interval of time that you set for a scheduled task.
real-time scanning
See on-access scanning.
remote console
The console running on a computer that does not have the ePolicy Orchestrator server running
on it. Remote consoles allow more than one person access to the server to review actions or to
manage sites and installations.
See also ePolicy Orchestrator console.
replication task
See Repository Replication server task.

Glossary
repository
The location that stores policy pages used to manage products.
repository list
The SITELIST.XML file that McAfee anti-virus products using AutoUpdate 7.0 use to access
distributed repositories and retrieve packages from them.
Repository Pull server task

A task that specifies the source or fallback repository from which to retrieve packages, then
integrate the packages into the specified branches in the master repository.
Repository Replication server task

A task that updates global and SuperAgent distributed repositories to maintain identical copies
of all packages in all branches that are in the master repository. You can also update selected
distributed repositories.
scan action
The action that takes place when an infected file is found.
scanning
An examination of files to determine if a virus or other potentially unwanted code is present.
See on-access scanning and on-demand scanning.
selective updating
Specifying which version (Evaluation, Current, or Previous) of updates you want client
computers to retrieve.
server tasks
Tasks that the server performs for maintenance on the ePolicy Orchestrator database and
Repository. Default server tasks include Inactive Agent Maintenance, Repository Pull,
Repository Replication, and Synchronize Domains.
silent installation
An installation method that installs a software package onto a computer silently, without need for
user intervention.
site
In the console tree, a logical collection of entities assembled for ease of management. Sites can
contain groups or computers, and can be organized by IP address range, IP subnet mask, location,
department, and others.
site administrator
A user account with read, write, and delete permissions, and rights to all operations (except those
restricted to the global administrator) on the specified site and all groups and computers
underneath it on the console tree.
Compare to global administrator and site reviewer.
Product Guide 279

Glossary
site reviewer
A user account with read-only permissions; the site reviewer can view the same settings as the
site administrator, but cannot change any of these settings.
Compare to global reviewer and site administrator.
source repository
A location from which a master repository retrieves packages.
spam e-mail, spam message

Any unsolicited and unwelcome e-mail messages, including commercial e-mail messages, the
electronic equivalent of “junk mail,” and unwanted non-commercial e-mail messages, such as a
virus hoaxes, joke program, and chain letter.
SPIPE
Secured PIPE, a secured communications protocol used by ePolicy Orchestrator servers.
SuperAgent
An agent with the ability to contact all agents in the same subnet as the SuperAgent, using the
SuperAgent wakeup call. It is used in global updating and supports distributed software
repositories, alleviating the need for a dedicated server. It provides a bandwidth-efficient method
of sending agent wakeup calls.
See also ePolicy Orchestrator agent.
SuperAgent distributed repository

A replication of the master repository, used in place of dedicated servers for global distributed
repositories.
SuperAgent wakeup call

A scheduled task or on-demand command that prompts SuperAgents (and all agents in the same
subnet as each SuperAgent) to contact the ePolicy Orchestrator server when needed, rather than
waiting for the next ASCI.
See also agent wakeup call.
SuperDAT
A utility that installs updated virus definition (SDAT*.EXE) files and, when necessary, upgrades the
scanning engine.
See also DAT files, EXTRA.DAT file, and incremental DAT files.
supplemental virus definition file

See EXTRA.DAT file.
system scan
A scan of the designated system.

Glossary
task
An activity (both one-time such as on-demand scanning, and routine such as updating) that is
scheduled to occur at a specific time, or at specified intervals.
Compare to policy.
task inheritance
Determines whether the client tasks scheduled for any one console tree item under the Directory
are taken from the item directly above it.
Trojan horse
A program that either pretends to have, or is described as having, a set of useful or desirable
features, but actually contains a damaging payload. Trojan horses are not technically viruses,
because they do not replicate.
update package
Package files from Network Associates that provide updates to a product. All packages are
considered product updates with the exception of the product binary (Setup) files.
update site
The repository from which you retrieve product or DAT updates.
See also download site.
updating
The process of installing updates to existing products or upgrading to new versions of products.
upper details pane

In the console, the upper division of the details pane, which contains the Policies, Properties, and
Tasks tabs.
See also details pane and lower details pane.
user accounts
The ePolicy Orchestrator user accounts include global administrator, global reviewer, site
administrator, and site reviewer. Administrator-level user accounts have read, write, and delete
permissions; reviewer-level user accounts have read-only permissions.
See also global administrator, global reviewer, site administrator, and site reviewer.
UTC time
Coordinated Universal Time (UTC). This refers to time on the zero or Greenwich meridian.
virus
A program that is capable of replicating with little or no user intervention, and the replicated
program(s) also replicate further.
virus definition (DAT) files

See DAT files.
VirusScan Enterprise console

The control point for the program’s activities.
Product Guide 281

Glossary
virus-scanning engine
The mechanism that drives the scanning process.
warning priority
The value that you assign each alert message for informational purposes. Alert messages can be
assigned a Critical, Major, Minor, Warning, or Informational priority.
worm
A virus that spreads by creating duplicates of itself on other drives, systems, or networks.

Index
A variables in, 185

activity log for alert method
AutoUpdate task, 198 configuring recipients, 155
mirror task, 217 alert priority
on-access scanning, 79 changing, 183
on-delivery e-mail scanning, 132 types, 183
on-demand e-mail scanning, 148 archive files, scanning, 246
on-demand scanning, 111 arguments, applicable to on-demand scanner, 246
adding file type extensions (using the Additions audience for this manual, 9
feature), 68 automatic scanning, 34
Alert folder AutoUpdate
function, 179 activity log, viewing, 198
Alert Manager description, 190
configuration download sites, 200
e-mail alert, 166 FTP default download site, 200, 205, 219
forwarding an alert, 160 HTTP default download site, 200, 205
launching a program, 173 error codes, 268
network broadcasting, 164 implementing (See Updating with VirusScan
printed messages, 170 Enterprise Implementation Guide)
SNMP, 172 proxy settings, 209
Summary page, 159 repository list, 199
system variables, 185 adding repositories, 202
Alert Manager Properties editing repositories, 201
Summary, 159 importing repositories, 201
alert messages removing and reorganizing
repositories, 208
broadcasting a network alert, 164
tasks
Centralized Alerting, 179
activities during update, 197
customizing, 181
configuring, 193
disabling, 182
creating, 192
editing, 184
overview of update process, 191
e-mail, 166
running, 195
enabling, 182
from the console, 195
forwarding, 160
from the Start menu, 196
launching a program in response to, 173
immediate update, 195
sending to a printer, 170
resumable update, 195
sending via SNMP traps, 172
using Update Now, 197
truncating, 169
scheduling, 195
Product Guide 283

Index
AVERT (Anti-Virus Emergency Response Team), on-access scanning

contacting, 12 messages, viewing, 82
receiving notification, 81
B taking action, 83
beta program, contacting, 12 on-demand scanning
boot sectors receiving notification, 112
scanning from command line, 241 taking action, 113
scanning with on-access scanning, 44 Display Options, 28
scanning with on-demand scanning, 91 documentation for the product, 11
broadcasting network messages, 164 download web site, 12
C E
.CAB, scanning files with extension, 246 Edit menu, 21
CATALOG.Z file, 197 e-mail scanning, on-delivery
Centralized Alerting, 179 activity log, viewing, 132
command line, Windows, 27 scan statistics, viewing, 130
options, 240 tasks, configuring, 116
running the on-demand scanner from, 246 action properties, 123
compressed files advanced properties, 120
scanning from command line alert properties, 126
archive type, 246 detection properties, 118
configuring report properties, 128
AutoUpdate task, 192 e-mail scanning, on-demand
mirror task, 213 activity log, viewing, 148
on-access scanning, 39 tasks, configuring, 132
on-delivery e-mail scanning, 116 action properties, 139
on-demand e-mail scanning, 132 advanced properties, 135
on-demand scanning, 86 alert properties, 142
via ePolicy Orchestrator (See Configuration detection properties, 133
Guide)
report properties, 144
connecting to remote servers, 37
tasks, running, 147
console (See VirusScan Console)
e-mail, sending virus alert via, 166
contacting McAfee Security, 12
enable randomization, 228
conventions used in this manual, 10
excluding files, folders, and drives (using the
customer service, contacting, 12 Exclusions feature), 70
EXTRA.DAT, 187, 198
D
DAT file updates, web site, 12 F
DAT files FAQ (frequently asked questions), 261
rolling back, 217 features, descriptions of, 15
date and time, recorded in log file, 48, 104, 130, 146 file type extensions, what to scan
default processes, 50 to 51 adding file types (using the Additions
definition of terms (See Glossary) feature), 68
detections, virus

Index
adding user-specified types (using the Specified log file size

feature), 69 limiting, 48, 103, 129, 145
excluding file types (using the Exclusions low-risk processes, 50, 60
feature), 70
definition, 61
floppy during shutdown
.LZH, scanning files with extension, 246
scanning with on-access scanning, 44
forwarding alerts
M
large organization, 161
mail server, configuring for e-mail alerting, 168
small organization, 162
manuals, 11
frequently asked questions (FAQ), 261
McAfee Security University, contacting, 12
FTP default download site, 200, 205, 219
menu bar, 20
menus
G
in VirusScan Console, 20
general questions, troubleshooting, 265
Edit, 21
General Settings properties, on-access scanning, 43
Help, 21
getting information, 11
right-click, 25
getting started, 17
Task, 20
glossary, 271
Tools, 21
View, 21
H
Start, 18
Help menu, 21
MERTool (Minimum Escalation Tool), 261
high-risk processes, 50, 60
messages, on-access scanning, 45
definition, 61
clean infected files referenced, 46
HTTP default download site, 200, 205
delete infected file referenced, 46
deny access to network share, 46
I
disconnect remote users, 46
installation (See Installation Guide)
move infected file referenced, 46
installation questions, troubleshooting, 262
remove messages from list, 46
send message to user, 46
K
show messages dialog box, 45
KnowledgeBase search, 12
text to display, 45
viewing, 82
L
Minimum Escalation Tool (MERTool), 261
limiting log file size, 48, 103, 129, 145
Mirror Now command, 217
list of tasks in VirusScan Console, 23
mirror task, 212
lockdown registry, 253 to 260
activity log, viewing, 217
locking user interface, 31
configuring, 214
log file for
creating, 213
AutoUpdate task, 198
running, 216
mirror task, 217
as scheduled, 216
on-access scanning, 79
from the Start command, 216
on-delivery e-mail scanning, 132
immediately, 216
on-demand e-mail scanning, 148
using Mirror Now, 217
on-demand scanning, 111
Product Guide 285

Index
scheduling, 216 tasks

configuring, 89
N action properties, 99
new features, 14 advanced properties, 96
detection properties, 94
O report properties, 102
on-access scanning where properties, 90
activity log, viewing, 79 creating, 86
configuring, 40 from the console, 88
action properties, 57, 75 from the Start menu, 86
advanced properties, 55, 73 from the system tray, 86
detection properties, 52, 65 resumable scanning, 109
general properties, 43 running
message properties, 45 from the console, 107
process properties from the Windows command
assigning risk, 61 line, 246
default, 50 to 51 pausing, 108
high-risk, 50, 60 restarting, 108
low-risk, 50, 60 stopping, 109
report properties, 47 scheduling, 106
messages, viewing, 82 virus detections, responding, 111
scan statistics, viewing, 78 on-demand vs. on-access scanning, 33
virus detections, responding, 80
on-access vs. on-demand scanning, 33 P
on-demand scanning password options, 29
activity log, viewing, 111 pausing on-demand tasks, 108
scan statistics, viewing, 110 PrimeSupport, 12
prioritizing messages sent
across the network, 163, 165, 169, 171 to 172,
174, 176, 178
to another computer, 158
priority level, setting for alerts, 157
product documentation, 11
product features, 15
product training, contacting, 12
proxy settings for updating, 209
Q
quarantine folder
on-delivery e-mail scanning, 124
on-demand e-mail scanning, 141

Index
R operations
registry, secure, 253 to 260 automatic, 34
remote administration, 37 on schedule, 35
Remote Connection, in Tools menu, 37 periodical, 35
report properties, configuring selective, 35
on-access scanning, 47 setting up, 33
on-delivery e-mail scanning, 128 periodically, 35
on-demand e-mail scanning, 144 results, viewing
on-demand scanning, 102 AutoUpdate activity log, 198
repositories, 208 mirror task activity log, 217
repository list on-access scan
adding repositories, 202 activity log, 79
editing repositories, 201 statistics, 78
importing repositories, 201 on-delivery e-mail scan
removing and reorganizing repositories, 208 activity log, 132
restarting on-demand tasks, 108 statistics, 130
resumable scanning, 109 on-demand e-mail scan activity log, 148
right-click menus, 24 on-demand scan
right-click scan, 25 activity log, 111
from system tray, 26 statistics, 110
right-click scan, 25
S from system tray, 26
Scan menu selectively, 35
Statistics, 78 to 79, 131 to 132 shell extension scan, 25
scan time troubleshooting questions, 263
on-access scanning, 44 scanning, scheduled, 35
scanning scheduling, 221
automatically, 34 advanced options, 226
configuring enable randomization., 228
on-access scanner for, 39 schedule properties, 224
on-delivery e-mail scanner for, 116 frequencies, 225
on-demand e-mail scanner for, 132 task properties, 223
on-demand scanner for, 86
immediately, 107
on access vs. on-demand scanning, 33
on schedule, 35
on-access, 39
on-delivery e-mail, 116
on-demand, 86
on-demand e-mail, 132
Product Guide 287

Index
tasks configuring
at logon, 234 AutoUpdate task, 192
at system startup, 233 mirror task, 213
AutoUpdate, 195 on-access scanner, 39
daily, 227 on-delivery e-mail scanner, 116
mirror, 216 on-demand e-mail scanner, 132
monthly, 230 on-demand scanner, 86
once, 232 definition of, 23
on-demand scanning, 106 pausing, 108
to run immediately, 236 restarting, 108
to run on dialup, 237 running immediately, 107
weekly, 229 stopping, 109
when idle, 235 types available in VirusScan Enterprise, 23
secure registry, 253 to 260 technical support, 12
security headquarters, contacting AVERT, 12 testing alerting configuration, 156
service portal, PrimeSupport, 12 toolbar, 22
session settings, recorded in log file, 48, 104, 130, Tools menu, 21
146 training web site, 12
session summary, recorded in log file, 48, 104, 130, troubleshooting, 261
146
frequently asked questions
SMTP mail server, configuring for e-mail
alerting, 168 general, 265
SNMP installation, 262
sending alerts via, 172 scanning, 263
specifying file type extensions (using the Specified viruses, 264
feature), 69 Minimum Escalation Tool, 261
Start menu, 18 update error codes, 268
startup, scanning at, 44 truncating alert message, forced, 169
Statistics, in Scan menu, 78 to 79, 131 to 132
statistics, viewing U
on-access scanning, 78 unlocking user interface, 31
on-delivery e-mail scanning, 130 Update Now command, 197
on-demand scanning, 110 updating
status bar, 24 activities, 197
submitting a sample virus, 12 download sites, 200
system startup, scanning at, 44 FTP default download site, 200, 205, 219
system tray, setting options, 26 HTTP default download site, 200, 205
system variables, 189 error codes, 268
system variables, alerting, 185 manually, 219
mirror task, 214
T proxy settings, 209
task list, 23 repository list, 199
Task menu, 20 editing repositories, 201
tasks removing and reorganizing

Index
repositories, 208 menus (See menus)

strategies, 188 status bar, 24
tasks task list, 23
configuring, 193 toolbar, 22
running VirusScan Enterprise
immediate updates, 195 product features, 15
resumable update, 195 what’s new in this release, 14
upgrade web site, 12
user interface W
options what’s new in this release, 14
display, 28
locking, 31 Z
password, 29 .ZIP, scanning files with extension, 246
setting, 27
unlocking, 31
orientation, 18
user name, recorded in log file, 48, 104, 130, 146
UTC Coordinated Universal Time (UTC), 228
.UUE, scanning files with extension, 246
V
variables, system, 189
View menu, 21
Virus Information Library, 12, 35
virus, submitting a sample, 12
viruses
detections
frequently asked questions, 264
submitting a sample, 36
VirusScan Console, 19
configuring
AutoUpdate via (See AutoUpdate)
mirror task via (See mirror task)
on-access scanning via (See on-access
scanning)
on-delivery e-mail scanning via (See e-mail
scanning, on-delivery)
on-demand e-mail scanning via (See e-mail
scanning, on-demand)
on-demand scanning via (See on-demand
scanning)
connecting to remote servers via, 37
Product Guide 289

Index

Mcafee Product Guide

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Mcafee Product Guide

Uploaded by

Copyright:

Available Formats

Product Guide

Issued SEPTEMBER 2003 / VirusScan® Enterprise software version 7.1.0

1 Introducing VirusScan Enterprise . . . . . . . . . . . . . . . . . . . . . . . . 13

Product Guide iii

Unlocking and locking the user interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

iv VirusScan® Enterprise software version 7.1.0

5 E-mail Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Report properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

6 Virus Alerting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

vi VirusScan® Enterprise software version 7.1.0

8 Scheduling Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

Product Guide vii

A Command-Line Scanner Program . . . . . . . . . . . . . . . . . . . . . . . 239

B Secure Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253

viii VirusScan® Enterprise software version 7.1.0

 Overview of the product.

 Descriptions of product features.

 Descriptions of all new features in this release of the software.

 Detailed instructions for configuring and deploying the software.

 Procedures for performing tasks.

 Network administrators who are responsible for their company’s anti-virus

FRMINST.EXE /INSTALL=AGENT /SITEINFO=C:\TEMP\SITELIST.XML

Italic Names of product manuals and topics (headings) within the

<TERM> Angle brackets enclose a generic term.

NOTE Supplemental information; for example, an alternate method of

WARNING Important advice to protect a user, computer system, enterprise,

10 VirusScan® Enterprise software version 7.1.0

Contacting McAfee Security & Network Associates

12 VirusScan® Enterprise software version 7.1.0

 VirusScan version 4.5.1 software for workstations.

 NetShield® NT version 4.5 software for servers.

 NetShield for Celerra™ version 4.5 for Celerra™ filers.

 VirusScan Enterprise version 7.0. for workstations and servers.

The following topics are addressed in this section:

 What’s new in this release

What’s new in this release

 Check Point™ VPN-1®/FireWall-1® SCV integration — The VirusScan

 McAfee Installation Designer™ and McAfee Desktop Firewall™ integration

 Smaller installation package — The VirusScan Enterprise installation package

 Visibility of ePolicy Orchestrator tasks — If you are using ePolicy

14 VirusScan® Enterprise software version 7.1.0

See VirusScan Console on page 19.

 On-access scanner. The on-access scanner gives you continuous anti-virus

See On-Access Scanning on page 39.

 On-demand scanner. The on-demand scanner allows you to initiate a scan at

See On-Demand Scanning on page 85.

See E-mail Scanning on page 115.

 AutoUpdate. The AutoUpdate feature allows you to update virus definition

See Updating on page 187.

See Virus Alerting on page 149 for specific details.

 Command-line scanner. The command-line scanner can be used to initiate

See Command-Line Scanner Program on page 239.

16 VirusScan® Enterprise software version 7.1.0

The following topics are addressed in this section:

 Orientation to the user interface

 Setting user interface options

 Setting up scanning operations

 Virus Information Library

 Submitting a virus sample

 Setting up remote administration

Orientation to the user interface

These interfaces are addressed in this section:

Overview of the product.

Descriptions of product features.

Descriptions of all new features in this release of the software.

Detailed instructions for configuring and deploying the software.

Procedures for performing tasks.

Network administrators who are responsible for their company’s anti-virus

VirusScan version 4.5.1 software for workstations.

NetShield® NT version 4.5 software for servers.

NetShield for Celerra™ version 4.5 for Celerra™ filers.

VirusScan Enterprise version 7.0. for workstations and servers.

What’s new in this release

Check Point™ VPN-1®/FireWall-1® SCV integration — The VirusScan

McAfee Installation Designer™ and McAfee Desktop Firewall™ integration

Smaller installation package — The VirusScan Enterprise installation package

Visibility of ePolicy Orchestrator tasks — If you are using ePolicy

On-access scanner. The on-access scanner gives you continuous anti-virus

On-demand scanner. The on-demand scanner allows you to initiate a scan at

AutoUpdate. The AutoUpdate feature allows you to update virus definition

Command-line scanner. The command-line scanner can be used to initiate

Orientation to the user interface

Setting user interface options

Setting up scanning operations

Virus Information Library

Submitting a virus sample

Setting up remote administration

Access Alert Manager configuration, if Alert Manager is installed.

Access the VirusScan Console.

Open the on-access scan property pages.

Open the on-demand scan property pages. This is a one-time unsaved

Click Start, select Programs|Network Associates|VirusScan Console.

On-Access Scan. This task allows you to perform automatic on-access

New Scan task. Create a new on-demand scan task.

New Update task. Create a new update task.

New Mirror task. Create a new mirror task.

Paste. Paste a copied task into the task list.

VirusScan Console. Display the VirusScan Console.

Disable On-Access Scan. Deactivate the on-access scanner. This function

On-Access Scan Properties. Open the on-access scanner property pages to

On-Demand Scan. Open the on-demand scanner property pages to configure

Update Now. Perform an immediate update of the default update task.

About VirusScan Enterprise. View specific information about the installed

Unlocking and locking the user interface

No password. This option is selected by default.

Select Password protection for all items listed below.

Select Password protection for the selected items below.

Enable or disable on-access scanning — The menu items to enable and