I think we should have a sticky here with policy best practices. I know myself and others often find themselves looking for policies for virus scanning, etc...
Topics we could have:
1. Virus scan exclusions - too often this information is scattered to the four winds
2. Virus scan settings - personally I use the DISA guides, but it may be helpful to have detailed setting recommendations here.
3. EPO Policy settings - Again, having policy setting best practices posted would be helpful. It would be really nice if EPO had a policy import feature based on best practices as well.
Microsoft has had group policy templates for years, c'mon McAfee, let's get with the program and make EPO a little more friendly on the policy side!
Windows 2003 SP2 EPO Server 4.0.0 (Patch 4) EPO Agent 184.108.40.2061 (Patch 2) McAfee VirusScan 8.5i - Patch 8 x over 130 VirusScan 8.7i - tested on Servers and Workstations VirusScan 8.7i - waiting for Patch 1 before re-evaluating
I'd also be looking for best/worst practices on logging information. I presently am having more and more DB size issues because we log a lot of information... and I'm afraid if I purge or log less I won't find the necessary information when needed :(
Cdb.exe Cidaemon.exe Store.exe Emsmta.exe Mad.exe Mssearch.exe Inetinfo.exe W3wp.exe Exchsrvr\Conndata Exchsrvr\Mailroot Exchsrvr\Mdbdata Exchsrvr\Mtadata Exchsrvr\server_name.log Exchsrvr\Srsdata %systemroot%\IIS Temporary Compressed Files %SystemRoot%\System32\Inetsrv All .edb; .stm (on Exchange 2000 Server); .log Exchange files M: drive (on Exchange 2000 Server) SBS: C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Failed Mail C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Incoming Mail
SQL Server: SQL Server data files that have the .mdf extension, the .ldf extension, and the .ndf extension
Ok. So we have this nice list of things to not scan, but how do we go about getting things into the policies? According to the cursory documentation that McAfee provides, are the nice hints that we can put multiple items on the same line separated by spaces.
What do you do if you have paths that have spaces? %systemroot%\IIS Temporary Compressed Files
So by all assumptions (based of course on the cursory documentation provided) then this would exclude the following items from being scanned: %systemroot%\IIS Temporary %systemroot%\IIS Compressed %systemroot%\IIS Files
Which is not what I want.
FMI...is there anyone who knows where more detailed documentation is for ePO and VSE? McAfee does not seem to have anything and i don't want to have to call tech support for every little thing like this.
I have found that a lot of trial and error on a local installation is the best way to test wildcards. You never know what results you're going to get without playing around with a stand-alone installation and chnaging the policies on the fly.
Jeff Gerard Senior Security Administrator
Winnipeg, MB, Canada