Moved from Community Help to Business > VirusScan Enterprise for better help.
If the systems are not managed by EPO or SaaS you have to configure any change manually. I don't understand what exactly point 2 (scheduled job) means. You cannot point to DAT Files on a share for OnDemand scan. The signatures must always be installed locally.
1) You have to implement one system which downloads the DAT Files on a schedule. This can be done directly with a Mirror Task in VSE. Schedule this task to run every hour.
2) configure a repository entry that points to this location.
3) schedule the auto update task to update the signatures.
4) schedule an OnDemand scan.
Note: Downloading the DAT Files should be done daily. Also Artemis should be enabled. Otherwise new threats may not be detected by AV.
Is there any EPO server available in another VLAN in your company?
- Thorsten, I appreciate your input.
Please ignore my point 2 (scheduled job) ... I meant by that to setup scheduled OnDemand scan.
Based on your reply I will design it this way:
1. Download .zip file on a share which is accessible from each machine in VLAN
2. Unzip and copy 3 files to each machine at /McAfee/Engine directory
3. Schedule a full scan to start some time after the files have been copied
Will it work using that design?
Meanwhile a few questions regarding your response:
a. I thought to use some python script to go to the download site and download the .zip file. None of my PCs can see the world (except that share), hence I'm not sure what you meant by "This can be done directly with a Mirror Task in VSE"
b. Not sure what you meant by "schedule the auto update task to update the signatures" ... When I did it manually I unzipped the .zip file and copied 3 files into the \McAfee\Engine directory. Is it possible to set up autoupdate by pointing to those unzipped files? Could I configure autoupdate to do this?
c. I am planning to scan only once a week, e.g. Sunday ... hence I could download Sunday's .zip and use it. Is that correct?
d. Why did you say this: "Note: Downloading the DAT Files should be done daily. Also Artemis should be enabled. Otherwise new threats may not be detected by AV."? It's not clear to me.
Anyway ... a lot of thanks for your input. It will help me much.
Hi again, I did one experiment and wanted to ask your opinion again:
1. I downloaded latest 7602xdat.exe and placed it on a shared folder.
2. From target PC I executed this file. It started McAfee SuperDAT wizard. I completed the wizard and it resulted in updating files in \McAfee\Engine folder.
3. I was able to do a scan with a new DAT
I assume to do the following:
1. schedule a script to download .exe
2. schedule a script on target PC to run that .exe
3. schedule scan after 2. completed.
A. Could I execute the Wizard from the command line?
B. Does this design make sense to you?
Note: this approach sounds easier for me to implement.
this would be the easiest way from my side:
1) You don't need a script to download the DAT Files. Just install VSE on a system which is able to connect to the internet. Open the VSE console and configure a "Mirror Task" to download the signatures. Afterwards copy the files to a system in the VLAN where your systems are located. Share this folder. The benefit is that VSE uses incremental DATs, which are small in size.
2) define on any system a Repository in the VSE GUI which points to this repository
3) schedule an autoupdate task which will update the signatures in the morning.
4) define an OnDemand scan a little bit later.
With this configuration I think you have less effort. But feel free to implement your own mechanism. I prefer functions which are directly included in the product. They are easy to configure and work well.
From your perspective, are these 20 systems critical systems? If yes, your approach is not really secure.
Why DATs daily? There are some things which are important. There are many new threats every day. Therefore updating signatures every day is absolutely recommended to detect and remove threats. But actually there are so many known threats that it is not possible to add any known threat to the DATs. Also you need to close the time gap between when new malware is detected and when your endpoint is protected. Artemis also informs the engine how a threat can be removed.
Therefore from my side it is absolutely necessary to enable Artemis.
Conclusion: it is your decision which level of security you need and what level you want to implement. Today only installing and updating an AV product is good but it is not possible to detect "more advanced" threats.
And how about the reporting?
your input is invaluable! It will definitely help me to implement it. I think now it's much clearer than a few days ago. Only one point was not clear: "2) define on any system a Repository in the VSE GUI which points to this repository" . Could you please clarify it?
Sure .... I need reporting but didn't think about it. Maybe I will put all reports in one repository and then daily parse it ... Not sure about it yet.
BUT let me explain my situation. All 20 PCs are not connected to the Internet, hence based on my understanding they can't be infected. Each PC is connected to a robotic device. Technicians from those vendors come to inspect those devices from time to time and either fix or upgrade them. We don't have control of those technicians. Our VLAN has existed for 3 years and we never had any issues with viruses. We thought that we should not care much since they are not connected to the Internet. Until next week when our IT (which does not care much about our VLAN but likely scans it from time to time) found a few viruses in our VLAN. Then we realized that one of the technicians used a thumb drive with Vendor software and infected one of the PCs.
That was the history of why my management requested me to implement this infrastructure. BTW each of those PCs has a weekly scheduled scan, but since they are not connected to the Internet they ran it against a 3-year-old DAT.
My conclusion: since the VLAN is not connected to the Internet I don't think we are under high risk, and the only option is thumb drive usage, which we can't avoid. That's why I want to implement some sort of structure that scans and prevents an issue like the one that happened last week.
thanks again and your input is invaluable.
How to define a repository in the VSE GUI:
-> under Tools -> Edit AutoUpdate Repository List -> you can add a repository. A repository list is just a "list" of locations from which VSE can download signature files. VSE can access these repositories using HTTP/FTP/UNC. If you start an Update Task in the VSE GUI (manually or scheduled), the repository list is used by VSE to look for signature files. If this is configured you just have to update one repository. Anything else runs automatically. :-)
if you want to prevent unauthorized installation of software, perhaps also take a look at application control (solidcore).
Well ... I started to test this design and immediately hit the issue.
1. I selected PC that has access to Internet. I wanted to set a Mirror Task and point it to shared place but it failed all the time until I pointed it to local drive folder. Well ... after mirror was created I copied it to shared folder.
2. On a target PC I disabled all repositories (anyway they were not accessible) and created a new repository pointing to shared folder using UNC path where I copied stuff from step 1.
3. Then I ran AutoUpdate but it failed with the error "Unable to find a valid repository, Update process failed". I checked from target PC that shared folder was accessible ...
Well ... looks that using Mirror Task is not working for me for some reason.
Well .. I tried to follow your recommendations but I failed to run New Mirror Task and etc and based on my situation as I described above I don't think that my VLAN should be considered of 'High level' of security and I came up with another design.
1. Download once a week ( or every day ) xdat.exe file and place it on shared location
2. On each PC in the VLAN, set up a scheduled job to execute the command: xdat.exe /F /silent (it updated the DAT)
3. setup weekly full PC scan (it ran with the latest DAT)
Well I tested it and it worked as I described above. I understand it's not 'as recommended' but in my environment with 'low' risk it should be adequate.
BTW .. - Thorsten ... I still didn't get why you insist that I update the DAT daily? I could do it for sure and keep it all in one shared folder, but in case I scan once a week, e.g. Sunday ... why can't I simply run xdat.exe Saturday and use it Sunday?
Anyway ... I highly appreciate your input. It really helped me.
P.S. I still have to think about reporting ... but I'll do it later
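
The last design in the thread (a SuperDAT on a share, run on each PC with `xdat.exe /F /silent`) has every machine execute whatever file sits on that share. The wrapper below is an added example, not part of any post in the thread, that a scheduled job could call instead of the bare command: it checks the Authenticode signature and the package age before running it, and writes one status row per host for the reporting that was left open. The UNC paths, the publisher pattern, the age limit, the assumption that exit code 0 means success, and PowerShell 3.0 or later are all assumptions.

```powershell
# Added example: hypothetical wrapper for the scheduled update job on each VLAN PC.
# Paths and the publisher pattern are placeholders; only "/F /silent" comes from the thread.
param(
    [string]$SharePath  = '\\FILESERVER\dat\xdat.exe',    # placeholder UNC path (read-only for PCs)
    [string]$Publisher  = '*O=<expected publisher>*',     # copy from a known-good SuperDAT's signer
    [int]   $MaxAgeDays = 7,                              # assumption: weekly refresh of the share
    [string]$ReportDir  = '\\FILESERVER\dat-reports'      # placeholder directory for status rows
)

function Write-Report([string]$Status, [string]$Detail) {
    # One CSV row per run, one file per host, so a central job can parse them daily.
    [pscustomobject]@{
        Time   = Get-Date -Format s
        Host   = $env:COMPUTERNAME
        Status = $Status
        Detail = $Detail
    } | Export-Csv -Path (Join-Path $ReportDir "$env:COMPUTERNAME.csv") -Append -NoTypeInformation
}

$local = Join-Path $env:TEMP 'xdat.exe'
$code  = 0
try {
    # Work on a local copy so the file cannot change between the check and the run.
    Copy-Item -Path $SharePath -Destination $local -Force -ErrorAction Stop

    # Refuse anything that is not validly signed by the expected publisher.
    $sig = Get-AuthenticodeSignature -FilePath $local
    if ($sig.Status -ne 'Valid') { throw "signature status: $($sig.Status)" }
    if ($sig.SignerCertificate.Subject -notlike $Publisher) {
        throw "unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # Copy-Item keeps the timestamp, so an old date means the share was not refreshed.
    $age = (Get-Date) - (Get-Item $local).LastWriteTime
    if ($age.TotalDays -gt $MaxAgeDays) { throw "package is $([int]$age.TotalDays) days old" }

    $p = Start-Process -FilePath $local -ArgumentList '/F', '/silent' -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "xdat.exe exit code $($p.ExitCode)" }   # assumption: 0 = success
    Write-Report 'OK' "installed package dated $((Get-Item $local).LastWriteTime.ToString('s'))"
}
catch {
    Write-Report 'FAILED' $_.Exception.Message
    $code = 1
}
finally {
    Remove-Item $local -ErrorAction SilentlyContinue
}
exit $code
```

A host whose CSV has no recent `OK` row is one that is still scanning with an old DAT, which is the condition the weekly scans in this VLAN ran under for three years.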