We have a mixture of Vscan 8.7 and 8.8 rolled out and every now and then we have had to disable access protection to install/uninstall programs. It appears that a few of my colleagues in the IT dept haven't been enabling this after installing/uninstalling programs, so the AV has basically been disabled and now we're not sure how many machines have it disabled.
Is there a way of making sure access protection gets enabled after a set time if it's disabled? We have a password that you have to type in before you can enable or disable anything in the console, and it appears that after a while that locks itself, so surely the same can be done with access protection?
I am actually curious as to why you would always enable/disable the access protection just to install some programs? Not a good idea to go about doing the things. If I were you, I would probably have the Access protection at a Standard Level to begin with and then would go about customizing it. If we go with the Maximum Protection, that is when McAfee would not allow you to install any programs.
So here, instead of distributing the credentials to all the users who have the right to enable/disable the Access Protection, I suggest you freeze upon a policy which gives you watertight protection but also isn't as much of a pain as it is now when you install something.
To answer your question, please take a look at this.
We need to enable and disable the access protection to install programs as we have the anti spyware module activated, which blocks exe's running from the temp directory, so when trying to install Office, Firefox, Chrome etc. they all get blocked by the AV unless you disable access protection. Only IT and 2 other people know the password to unlock the virus scan, but most people were thinking that, like the locking feature, after a while the access protection would be enabled as well.
I think I have got it to enable every time it connects to our main AV server for an update, so I will settle on that for now.
Rather than disabling AP, I would suggest adding those trusted exes to the AP exclusions.
Shouldn't the McAfee agent be enforcing your ePO-set access protection policies?
If you go into ePO, in your system tree for one of the systems, highlight the group the PCs are in, and go into the Assigned Policies tab, selecting Product McAfee Agent... click on the policy that is assigned (My_Default if you haven't specified anything custom). There under McAfee Agent > General > [name of policy] what is your Policy enforcement interval (minutes)? What is your Agent to server communication interval (and is "enable agent to server communication" enabled)?
I believe the job of these features is to handle the exact situation you are describing. Assuming of course, a McAfee agent created by your ePO is installed on these systems and that they're centrally managed by an ePO.
I have noticed that if I go into McAfee Agent Status Monitor and do Enforce Policies, this will enable Access Protection, so maybe if I shorten the Policy Enforcement interval to something small like 60 minutes, would that sort it? Also, if I did this, what would this do to machines getting policies enforced every hour? Would it slow them down?
There will be no slow down. Enforcing the policy is a "local action" and will reset VSE to the settings you specified in the assigned ePO VSE policies.
So if AP is enabled there, it will be re-enabled. Also, setting a "not-User-known" password on the VSE GUI would help.
Maybe you'll think we're on the extreme side, but we enforce policy every 15 minutes and it will re-enforce AP.
If someone requires disabling of AP, we disable it centrally by assigning an open AP policy to that device and then remove it once done.
OK, I will change the policy enforcement to 45 mins and see how we get on. Also, we do have a password on the VirusScan Console, but what has happened is that my colleagues had been disabling AP to install programs and then never enabled it after. Hopefully this will sort it out.
The policy enforcement interval in the environment I work in is actually 5 minutes. I'd definitely crank that down further. It gets annoying when you need to override something on a local client, but you can always have another ePO group you can move the host to with a longer policy enforcement interval (e.g. a "triage/cleanup group") and go from there.
We use "don't run from temp directory" access protection as well, but by populating the exceptions in ePO appropriately and saving download files to some directories other than ones with the word temp in them, life can continue without needing to disable access protection for installing programs. We install programs quite frequently, and only on a couple of occasions in the past year have I had to disable access protection.
Good luck.

on 5/9/11 8:05:47 AM CDT