Product Guide: Intro/Overview Flashcards
What are the four steps to the protection approach for VSE?
Part 1 – Prevention: Avoiding Threats – The best way to protect a system is to keep any malware from ever gaining access to your system
Part 2 – Detecting: Finding threats – Files that are opened or copied from other file systems or the Internet might provide access to your system. Also, application programming interface calls and scripts can pose a threat to your system. These threats are found during the following VSE scan processes:
Part 3 – Response: Handling Threats – VirusScan Enterprise can be configured to perform any of the following steps, when a threat is found:
Part 4 – Monitoring, Analyzing, and Fine-Tuning Your Protection – Once your protection is up and running, you should monitor your system using ePolicy Orchestrator queries and reports. You can then decide whether to change your security settings to increase or reduce the amount of system protection. Alternatively, you can also use VirusScan Console logs and Simple Network Management Protocol (SNMP) traps to monitor your systems.
What is the purpose of VSE?
Offers scalable protection, fast performance, and a mobile design to protect your environment from:
Viruses, worms, and Trojan horses
Access point violations and exploited buffer overflows
Potentially unwanted code and programs
It detects threats, then takes the actions you configured to protect your environment.
What are the client side components of VSE?
Client System
DAT files - Detection definition files, also called malware signatures, work with the scanning engine to identify and take action on threats
Scan Engine – Used to scan the files, folders, and disks on the client computer and compares them to the information in the DAT files for known viruses.
Artemis (heuristic network check for suspicious files) – Looks for suspicious programs and DLLs running on client systems that are protected by VSE. When the real-time malware defense detects a suspicious file, it sends a DNS request containing a fingerprint of that file to a central database server hosted by McAfee Labs.
McAfee Agent (Optional) - Provides secure communication between McAfee managed products and ePO server. The agent also provides local services like updating, logging, reporting events and properties, task scheduling, communication, and policy storage.
What are the McAfee Headquarter components of VSE?
DAT updates – Stored on a McAfee central database server. Using AutoUpdate, these DAT update files are copied to the VSE clients or to optional DAT repositories, providing the information needed to fight known threats, including new lists of known viruses as they are found in real time.
Scan Engine Updates – Stored on a central database server, scan engine updates are downloaded as needed to keep the VSE scan engine up to date.
McAfee Labs – This threat library has detailed information on virus, Trojan, hoax, and PUP threats – where they come from, how they infect your system, and how to handle them. The Artemis feature sends the fingerprint of the suspicious file to McAfee Labs, where they analyze the file and determine what action to take.
What are the server components of VSE?
ePO – Centrally manages and enforces VSE policies, then uses queries and dashboards to track activity and detections.
DAT repository – Retrieves the DAT updates from the McAfee download site. From there, DAT files can be replicated throughout your organization, providing access for all other computers. This minimizes the amount of data transferred across your network by automating the process of copying updated files to your share sites
What is the purpose of the Prevention stage of the security strategy? What are some components?
Stop intrusions before they gain access to your environment. Configure these features to prevent intrusions:
User Interface Security – Set display and password protection to control access to the VSE user interface
Access Protection – Use access protection rules to protect your computer from undesirable behavior with respect to files, registry, and ports
Buffer Overflow Protection – Prevent abnormal programs or threats from overrunning the buffer’s boundary and overwriting adjacent memory while writing data to a buffer. These exploited buffer overflows can execute arbitrary code on your computer.
Unwanted Program Protection – Eliminate potentially unwanted programs such as spyware and adware from your computer
What is the purpose of the Detection stage of the security strategy? What are the components?
Detect intrusions when they occur
Update Task – Get automatic updates of the DAT files and scanning engine from the McAfee download website.
On-Access Scanner – Detect potential threats from any possible source as files are read from or written to disk. You can also scan for potentially unwanted cookies in the cookies folder.
On-Demand Scan Tasks – Detect potential threats using immediate and scheduled scan tasks. You can also scan for potentially unwanted cookies and spyware-related registry entries that were not previously cleaned.
On-Delivery and On-Demand Email Scanner – Detect potential threats on Microsoft Outlook email clients using on-delivery scanning of messages, attachments, and public folders. Detect potential threats on Lotus Notes email clients when messages are accessed.
Quarantine Manager Policy – Specify the quarantine location and the length of time to keep quarantined items. Restore quarantined items as necessary.
What is the purpose of the Response stage of the Security strategy? What are the components?
Determine the best course of action to handle detections when they happen.
Actions – Configure features to take action on detections
Log files – Monitor product log files to view a history of detected items
Queries and dashboards – Use ePO queries and dashboards to monitor scanning activity and detections.
What is the purpose of the Tuning stage of the Security strategy? What are the components?
Monitor and Analyze your configuration to improve system and network performance, plus enhance your level of virus protection.
- Log files (VirusScan Console) — View a history of detected items. Analyzing this information could tell you if you need to enhance your protection or change the configuration to improve system performance.
- Queries and dashboards (ePolicy Orchestrator console) — Monitor scanning activity and detections. Analyzing this information could tell you if you need to enhance your protection or change the configuration to improve system performance.
- Scheduled tasks — Modify tasks (like AutoUpdate) and scan times to improve performance by running them during off-peak times.
- DAT repositories — Reduce network traffic over the enterprise Internet or intranet by moving these source files closer to the clients needing the updates.
- Modifying the scanning policies — Increase performance or virus protection depending on your analysis of the log files or queries. For example, configuring exclusions, when to use high and low risk profile scanning, and when to disable scan on write can all improve performance.
What are the steps to be taken after installing VSE?
1 Set user interface security. Configure the display and password options to prevent users from accessing specific components or the entire VirusScan Enterprise user interface. See Controlling Access to the User Interface for more information.
2 Update DAT files. Perform an Update Now task to ensure that you have the most current DAT files. See Updating detection definitions for more information.
3 Prevent intrusions. Configure these features to prevent potential threats from accessing your systems:
- Access Protection. Configure access protection rules to prevent unwanted changes to your computer and enable the option to prevent McAfee processes from being terminated. See Protecting your system access points for more information.
- Buffer Overflow Protection. Enable buffer overflow detection and specify exclusions. See Blocking buffer overflow exploits for more information.
- Unwanted Programs Policy. Configure the policy that the on-access, on-demand, and email scanners use to detect potentially unwanted programs. Select unwanted program categories to detect from a predefined list, then define additional programs to detect or exclude. See Restricting potentially unwanted programs for more information.
4 Detect intrusions. Configure these features to detect potential threats on your systems, then notify you and take action when detections occur:
- AutoUpdate. Configure update tasks to get the most current DAT files, scanning engine, and product upgrades. See Updating detection definitions for more information.
- On-Access Scanner. Configure the scanner to detect and take action on potential threats as the threats are accessed in your environment. Enable scanning of unwanted programs and scan for cookies in the cookies folder. See Scanning items on-access for more information.
- On-Demand Scanner. Configure scan tasks to detect and take action on potential threats in your environment. Enable scanning of unwanted programs and scan for cookies in the cookies folder and potentially unwanted spyware-related registry entries that were not previously cleaned. See Scanning items on-demand for more information.
- Email Scanners. Configure the on-delivery and on-demand scanning of Microsoft Outlook and Lotus Notes email clients. Enable scanning of unwanted programs. See Scanning email on-delivery and on-demand for more information.
5 Send alerts and quarantine threats. Configure these features to alert you when detections occur and manage quarantined items:
- Alerts and Notifications. Configure how and when you receive detection notifications and alerts. See Configuring alerts and notifications for more information.
- Quarantine Manager Policy. Configure the location of the quarantine folder and the number of days to keep quarantined items before automatically deleting them. See Quarantined items for more information.