121171 Views 48 Replies Latest reply: Aug 14, 2012 7:20 AM by greatscott
Newcomer 18 posts since
Sep 5, 2008

Apr 17, 2009 8:56 AM

Virus Scan Policy Best Practices

I think we should have a sticky here with policy best practices. I know myself and others often find themselves looking for policies for virus scanning, etc...

Topics we could have:

1. Virus scan exclusions - too often this information is scattered to the four winds

2. Virus scan settings - personally I use the DISA guides, but it may be helpful to have detailed setting recommendations here.

3. EPO Policy settings - Again, having policy setting best practices posted would be helpful. It would be really nice if EPO had a policy import feature based on best practices as well.

Microsoft has had group policy templates for years, c'mon McAfee, let's get with the program and make EPO a little more friendly on the policy side!

Windows 2003 SP2
EPO Server 4.0.0 (Patch 4)
EPO Agent 4.0.0.1421 (Patch 2)
McAfee VirusScan 8.5i - Patch 8 x over 130
VirusScan 8.7i - tested on Servers and Workstations
VirusScan 8.7i - waiting for Patch 1 before re-evaluating
  • JeffGerard The Place at McAfee Member 173 posts since
    Apr 15, 2009
    1. Apr 17, 2009 9:05 AM (in response to rathbunr)
    RE: Virus Scan Policy Best Practices
    /me raises his hand high....damned good idear!!!

    Jeff Gerard
    Senior Security Administrator
    Winnipeg, MB, Canada
  • tonyb99 Champion 3,844 posts since
    Apr 10, 2006
    2. Apr 17, 2009 9:16 AM (in response to JeffGerard)
    RE: Virus Scan Policy Best Practices
    Fine, it's now sticky. (MOD hat on)

    fill em in then.........

    As a start I would check out the MS recommended exclusions for DC and PDC and Exchange;
    also there are recommended Citrix exclusions.


    McAfee Maniac (Volunteer Moderator)
    x1 4.5.4 ePolicy Orchestrator Server (Build 1082)
    x1 5.0.1 ePolicy Orchestrator Server (Build 228)
    x1 4.6.3 ePolicy Orchestrator Server (Build 197)
    x1 4.6.6 ePolicy Orchestrator Server (Build 176)
    Mcafee Agent 4.6.0.2292/4.6.0.2935/4.8.0.887
    Groupshield 7.0
    VSE 8.8.0.975 & 8.7.0.570 x 20000
    DLP Endpoint 9.2.1
    EEPC 6.2.1.315/7.0.1.354
    HIPS 8
    EMM 10.2
    x70 Sophos 10.2 Endpoint Security & Control

  • SergeM Apprentice 249 posts since
    Aug 12, 2008
    3. Apr 21, 2009 9:53 AM (in response to rathbunr)
    RE: Virus Scan Policy Best Practices
    Hi,

    Excellent idea. I know we've had a few threads about this already... will look for them later (EOD)

    For a starter, here are a few links from Microsoft sites :

    Virus scanning recommendations for computers that are running Windows Server 2008, Windows Server 2003, Windows 2000, Windows XP, or Windows Vista

    I'd also be looking for best/worst practices on logging information. I presently am having more and more DB size issues because we log a lot of information... and I'm afraid if I purge or log less I won't find the necessary information when needed :(

    Serge
  • Gazz300 Newcomer 44 posts since
    Jan 3, 2008
    4. Apr 21, 2009 10:42 AM (in response to SergeM)
    RE: Virus Scan Policy Best Practices

    Virus scanning recommendations for computers that are running Windows Server 2008, Windows Server 2003, Windows 2000, Windows XP, or Windows Vista

    In summary of the above:

    wsusscn2.cab
    package*.cab
    %windir%\SoftwareDistribution\Datastore\
    %windir%\SoftwareDistribution\Datastore\Datastore.edb
    %windir%\SoftwareDistribution\Datastore\Logs\Edb*.log
    %windir%\SoftwareDistribution\Datastore\Logs\Edb.chk
    %windir%\SoftwareDistribution\Datastore\Logs\tmp.edb
    %windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs
    %windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs
    %windir%\security\*.edb
    %windir%\security\*.sdb
    %windir%\security\*.log
    %windir%\security\*.chk
    %windir%\softwaredistribution\*.cab
    %windir%\system32\ccm\cache\*.cab
    %windir%\SoftwareDistribution\Datastore\Logs\res1.log
    %windir%\SoftwareDistribution\Datastore\Logs\res2.log
    %windir%\security\database\*.sdb

    I just wish you could feed multiple exclusions into multiple policies in ePO. Maybe 4.5 eh McAfee?
  • Gazz300 Newcomer 44 posts since
    Jan 3, 2008
    5. Apr 21, 2009 10:43 AM (in response to SergeM)
    RE: Virus Scan Policy Best Practices
    Oh I just found this as well,

    General exclusions Windows Server 2003, Windows 2000, Windows XP, or Windows Vista:

    %windir%\ntfrs
    %windir%\SoftwareDistribution\Datastore\Datastore.edb
    %windir%\SoftwareDistribution\Datastore\Logs\Edb*.log
    %windir%\SoftwareDistribution\Datastore\Logs\Res1.log
    %windir%\SoftwareDistribution\Datastore\Logs\Res2.log
    %windir%\SoftwareDistribution\Datastore\Logs\Edb.chk
    %windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb
    For Windows 2000 & 2003 DC’s
    %windir%\ntds\Ntds.dit
    %windir%\ntds\Ntds.pat
    %windir%\ntds\EDB*.log
    %windir%\ntds\Res1.log
    %windir%\ntds\Res2.log
    %windir%\ntds\Temp.edb
    %windir%\ntds\Edb.chk
    %systemroot%\sysvol (only this folder, not all subfolders!!!)
    %systemroot%\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
    %systemroot%\sysvol\staging
    %systemroot%\sysvol\staging areas
    %systemroot%\sysvol\sysvol

    Clusters:
    %windir%\Cluster
    Q:\ (quorum)
    DHCP: %windir%\system32\dhcp
    DNS: %windir%\system32\dns
    WINS: %windir%\system32\wins

    Exchange Server:

    Cdb.exe
    Cidaemon.exe
    Store.exe
    Emsmta.exe
    Mad.exe
    Mssearch.exe
    Inetinfo.exe
    W3wp.exe
    Exchsrvr\Conndata
    Exchsrvr\Mailroot
    Exchsrvr\Mdbdata
    Exchsrvr\Mtadata
    Exchsrvr\server_name.log
    Exchsrvr\Srsdata
    %systemroot%\IIS Temporary Compressed Files
    %SystemRoot%\System32\Inetsrv
    All .edb; .stm (on Exchange 2000 Server); .log Exchange files
    M: drive (on Exchange 2000 Server)
    SBS:
    C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Failed Mail
    C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Incoming Mail

    SQL Server: SQL Server data files that have the .mdf extension, the .ldf extension, and the .ndf extension

    WSUS: MSSQL$WSUS and WSUS content directory

    References:

    Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, Windows XP, or Windows Vista
    http://support.microsoft.com/kb/822158

    Overview of Exchange Server 2003 and antivirus software
    http://support.microsoft.com/kb/823166

    Guidelines for choosing antivirus software to run on the computers that are running SQL Server
    http://support.microsoft.com/kb/309422

    Recommended Forefront Client Security file and folder exclusions for Microsoft products
    http://support.microsoft.com/kb/943556

    Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file or the Wsusscn2.cab file is copied
    http://support.microsoft.com/kb/900638

    Not sure who to credit for this list though sorry. I saved it in a document a while back and don't recall the source but sharing is good. :D

    Gazz.
  • Newcomer 5 posts since
    Apr 24, 2009
    6. Apr 24, 2009 12:05 PM (in response to rathbunr)
    ePO exclusion entries
    Ok. So we have this nice list of things to not scan, but how do we go about getting things into the policies? According to the cursory documentation that McAfee provides, there are nice hints that we can put multiple items on the same line separated by spaces.

    What do you do if you have paths that have spaces?
    %systemroot%\IIS Temporary Compressed Files

    So by all assumptions (based of course on the cursory documentation provided) then this would exclude the following items from being scanned:
    %systemroot%\IIS Temporary
    %systemroot%\IIS Compressed
    %systemroot%\IIS Files

    Which is not what I want.

    FMI...is there anyone who knows where more detailed documentation is for ePO and VSE? McAfee does not seem to have anything and I don't want to have to call tech support for every little thing like this.

    Thanks PCS
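
Added example (not from this thread, and not McAfee's code): a small Python audit pass over an exclusion list of the kind posted in replies 4 and 5. It expands %windir% / %systemroot% with assumed values, classifies each entry as a process, file, wildcard pattern or directory, and flags what an admin should double-check before pushing the policy: entries containing spaces (the worry in the post above), bare process names that trust any binary of that name, unanchored wildcards that match anywhere on disk, and whole-directory or whole-drive exclusions that nothing will ever scan. The parsing rules, the ENV values and the sample entries are assumptions for illustration; they do not describe how ePO or VSE actually parse policy entries, so verify the result against the console and the KB before relying on it.

```python
import re
from dataclasses import dataclass, field

# Assumed values for the environment variables used in the posted lists.
ENV = {"windir": r"C:\Windows", "systemroot": r"C:\Windows"}

# Constructed sample: a few entries copied from the lists earlier in this
# thread, one exclusion per line.
SAMPLE_EXCLUSIONS = r"""
%windir%\ntfrs
%windir%\SoftwareDistribution\Datastore\Logs\Edb*.log
%windir%\ntds\Ntds.dit
%systemroot%\sysvol
Store.exe
%systemroot%\IIS Temporary Compressed Files
package*.cab
Q:\
%windir%\security\*.edb
"""


@dataclass
class Exclusion:
    raw: str
    expanded: str
    kind: str                      # process | file | pattern | directory
    warnings: list = field(default_factory=list)


VAR_RE = re.compile(r"%([A-Za-z_]+)%")


def expand(entry, env=ENV):
    """Replace %var% tokens (case-insensitive) with their assumed values."""
    def sub(match):
        name = match.group(1).lower()
        if name not in env:
            raise ValueError(f"unknown variable %{name}% in {entry!r}")
        return env[name]
    return VAR_RE.sub(sub, entry)


def classify(entry, env=ENV):
    """Classify one entry and collect the review warnings an admin wants."""
    expanded = expand(entry, env)
    has_path = "\\" in expanded
    leaf = expanded.rstrip("\\").rsplit("\\", 1)[-1]
    warnings = []
    if "*" in expanded or "?" in expanded:
        kind = "pattern"
        if not has_path:
            warnings.append("unanchored wildcard: matches that name anywhere on disk")
    elif not has_path and leaf.lower().endswith(".exe"):
        kind = "process"
        warnings.append("process exclusion by bare name: any binary named this is trusted")
    elif "." in leaf:
        kind = "file"
    else:
        kind = "directory"
        if re.fullmatch(r"[A-Za-z]:\\?", expanded):
            warnings.append("whole drive excluded")
        else:
            warnings.append("whole directory excluded: nothing written here is scanned")
    if " " in entry:
        warnings.append("contains spaces: confirm it is stored as one entry, not split on spaces")
    return Exclusion(entry, expanded, kind, warnings)


def audit(text, env=ENV):
    """Parse one entry per line (blank lines ignored) and classify each."""
    return [classify(line.strip(), env) for line in text.splitlines() if line.strip()]


def summarize(results):
    """Count entries per kind, e.g. {'directory': 4, 'pattern': 3, ...}."""
    counts = {}
    for r in results:
        counts[r.kind] = counts.get(r.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_EXCLUSIONS)
    for r in results:
        print(f"{r.kind:9} {r.expanded:50} {' ; '.join(r.warnings) or 'ok'}")
    print(summarize(results))
```

Run it against your own exported list and work through the warnings: every whole-directory entry is a place the scanner never looks, so the fewer of those the better, and each spaced path is worth confirming as a single item in the policy editor rather than trusting the documentation.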
  • Newcomer 5 posts since
    Apr 24, 2009
    7. Apr 24, 2009 12:29 PM (in response to mr_paul_psmith)
    AhHa!
    Finally, I found a little tiny piece of info on how to correctly use wild cards and create paths.

    This is what I so enjoy about McAfee. The hunt for the simple answers....

    https://kc.mcafee.com/corporate/index?page=content&id=KB50998&pmv=print
  • JeffGerard The Place at McAfee Member 173 posts since
    Apr 15, 2009
    8. Apr 28, 2009 10:29 AM (in response to mr_paul_psmith)
    RE: AhHa!
    I have found that a lot of trial and error on a local installation is the best way to test wildcards. You never know what results you're going to get without playing around with a stand-alone installation and changing the policies on the fly.

    Jeff Gerard
    Senior Security Administrator
    Winnipeg, MB, Canada
  • SergeM Apprentice 249 posts since
    Aug 12, 2008
    9. Apr 29, 2009 3:19 AM (in response to JeffGerard)
    More references
    There have already been several threads on similar issues (VSE exclusions) so I'll mention them here for additional reference

    VSE and MS SQL : thread 223368

    Server Exclusions : thread 223361

    Exclusions for servers : thread 225146

    enjoy
    Serge