
Configuration Guide

revision 1.0

System Compliance Profiler


version 1.1

For use with ePolicy Orchestrator 3.0.x, 3.5, or 3.6 Beta

McAfee System Protection

Industry-leading intrusion prevention solutions

COPYRIGHT
Copyright 2005 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, MCAFEE, MCAFEE (AND IN KATAKANA), MCAFEE AND DESIGN, MCAFEE.COM, MCAFEE VIRUSSCAN, NA NETWORK ASSOCIATES, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NETWORK ASSOCIATES, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA), YOUR NETWORK. OUR BUSINESS. are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION License Agreement


NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Attributions
This product includes or may include: Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). Cryptographic software written by Eric A. Young and software written by Tim J. Hudson. Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. Software originally written by Robert Nordier, Copyright 1996-7 Robert Nordier. Software written by Douglas W. Sauder. Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt. International Components for Unicode (ICU) Copyright 1995-2002 International Business Machines Corporation and others. Software developed by CrystalClear Software, Inc., Copyright 2000 CrystalClear Software, Inc. FEAD Optimizer technology, Copyright Netopsystems AG, Berlin, Germany. Outside In Viewer Technology 1992-2001 Stellent Chicago, Inc. and/or Outside In HTML Export, 2001 Stellent Chicago, Inc. Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, 1998, 1999, 2000. Software copyrighted by Expat maintainers.
Software copyrighted by The Regents of the University of California, 1989. Software copyrighted by Gunnar Ritter. Software copyrighted by Sun Microsystems, Inc. 2003. Software copyrighted by Gisle Aas. 1995-2003. Software copyrighted by Michael A. Chase, 1999-2000. Software copyrighted by Neil Winton, 1995-1996. Software copyrighted by RSA Data Security, Inc., 1990-1992. Software copyrighted by Sean M. Burke, 1999, 2000. Software copyrighted by Martijn Koster, 1995. Software copyrighted by Brad Appleton, 1996-1999. Software copyrighted by Michael G. Schwern, 2001. Software copyrighted by Graham Barr, 1998. Software copyrighted by Larry Wall and Clark Cooper, 1998-2000. Software copyrighted by Frodo Looijaard, 1997. Software copyrighted by the Python Software Foundation, Copyright 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. Software copyrighted by Beman Dawes, 1994-1999, 2002. Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek 1997-2000 University of Notre Dame. Software copyrighted by Simone Bordet & Marco Cravero, 2002. Software copyrighted by Stephen Purcell, 2001. Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/). Software copyrighted by International Business Machines Corporation and others, 1995-2003. Software developed by the University of California, Berkeley and its contributors. Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/). Software copyrighted by Kevlin Henney, 2000-2002. Software copyrighted by Peter Dimov and Multi Media Ltd. 2001, 2002. Software copyrighted by David Abrahams, 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation. Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, 2000. Software copyrighted by Boost.org, 1999-2002. Software copyrighted by Nicolai M. Josuttis, 1999.
Software copyrighted by Jeremy Siek, 1999-2001. Software copyrighted by Daryle Walker, 2001. Software copyrighted by Chuck Allison and Jeremy Siek, 2001, 2002. Software copyrighted by Samuel Krempp, 2001. See http://www.boost.org for updates, documentation, and revision history. Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), 2001, 2002. Software copyrighted by Cadenza New Zealand Ltd., 2000. Software copyrighted by Jens Maurer, 2000, 2001. Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), 1999, 2000. Software copyrighted by Ronald Garcia, 2002. Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, 1999-2001. Software copyrighted by Stephen Cleary (shammah@voyager.net), 2000. Software copyrighted by Housemarque Oy <http://www.housemarque.com>, 2001. Software copyrighted by Paul Moore, 1999. Software copyrighted by Dr. John Maddock, 1998-2002. Software copyrighted by Greg Colvin and Beman Dawes, 1998, 1999. Software copyrighted by Peter Dimov, 2001, 2002. Software copyrighted by Jeremy Siek and John R. Bandela, 2001. Software copyrighted by Joerg Walter and Mathias Koch, 2000-2002.

Issued June 2005 / McAfee System Compliance Profiler software version 1.1
DOCUMENT BUILD 005.1-<EN>

Contents

Introducing System Compliance Profiler
  System Compliance Profiler overview . . . 4
  What's new in this release . . . 5
  How System Compliance Profiler works with ePolicy Orchestrator . . . 11
  Using this guide . . . 14
  Resources . . . 15

Adding System Compliance Profiler to ePolicy Orchestrator . . . 19
  ePolicy Orchestrator 3.0.x requirements . . . 19
  Adding System Compliance Profiler to the ePolicy Orchestrator server . . . 20
  Upgrading System Compliance Profiler from version 1.0 . . . 21
  Removing System Compliance Profiler from the ePolicy Orchestrator server . . . 22

Deploying the System Compliance Profiler client scanner . . . 24
  System requirements . . . 24
  Using ePolicy Orchestrator to deploy System Compliance Profiler . . . 24
  Installing System Compliance Profiler manually on clients . . . 27
  Removing System Compliance Profiler from clients . . . 27

Using compliance rules and scans . . . 29
  Overview of using compliance rules in on-demand scans . . . 29
  About System Compliance Profiler rules . . . 30
  Creating and editing rules . . . 33
  Using rules and rule groups for scanning . . . 37
  Scheduling System Compliance Profiler on-demand scan tasks . . . 41
  Update pre-defined System Compliance Profiler rules from McAfee . . . 43

Working with Scan Results . . . 46
  System Compliance Profiler reports . . . 46
  About running System Compliance Profiler reports in ePolicy Orchestrator . . . 49
  Generating System Compliance Profiler reports . . . 51

Frequently Asked Questions . . . 54
  Installations . . . 54
  Policies . . . 55
  Scans . . . 55
  Reports . . . 56

System Compliance Profiler metrics . . . 58
  Client memory use . . . 58
  Network bandwidth . . . 58
  ePolicy Orchestrator impact . . . 58

Introducing System Compliance Profiler


Overview of the product, how it works with ePolicy Orchestrator, and new features in this release

System Compliance Profiler 1.1 is a client scanner that scans computers on your network to determine whether they comply with policies that you set up in ePolicy Orchestrator.

What's covered in this chapter:
- System Compliance Profiler overview
- What's new in this release
- How System Compliance Profiler works with ePolicy Orchestrator
- Using this guide
- Resources

System Compliance Profiler overview


System Compliance Profiler's features include:
- Microsoft patch compliance reporting.
- Customizable compliance assessment based on scans for specific files, registry entries, services and Microsoft patches.
- Downloadable rule templates.
- File and patch integrity verification (with MD5 fingerprinting).
- Complete integration with McAfee ePolicy Orchestrator, for centralized administration and host-based compliance reporting.
- Graphical compliance reports with drill-down paths.

The System Compliance Profiler software scans remote computers to determine whether they comply with policies that you set up. Policies consist of rules, each of which tells the software to look for a specific file, registry key, patch, or service on scanned computers. Computers that meet all of your rule criteria are in compliance with your policies. Computers that do not meet rule criteria have rule violations. You can use System Compliance Profiler to create graphical and tabular reports that show which network computers do and do not comply with company policies.

System Compliance Profiler 1.1 Configuration Guide


System Compliance Profiler integrates into the McAfee ePolicy Orchestrator management software. This means that you use ePolicy Orchestrator to configure and deploy the software. For details on the ePolicy Orchestrator and System Compliance Profiler interfaces, see Accessing System Compliance Profiler through the ePolicy Orchestrator console on page 12. System Compliance Profiler works by installing remote scanning software on each computer that you want to monitor. This scanning software periodically scans for files, registry keys, patches, and services. It then relays the information it collects back to the ePolicy Orchestrator server. Once the software finishes its scans and reports back, you can use System Compliance Profiler and ePolicy Orchestrator to run reports based on the collected data.

What's new in this release


This release of System Compliance Profiler includes the following new features or enhancements:
- Reboot state awareness.
- Using registry keys to dynamically resolve file paths.
- Filtering and sorting for security patch templates.
- Running rules only when specific applications are present.
- Improved rules interface and features.
- More flexibility and granularity for defining rules.
- Use ePolicy Orchestrator pull tasks to update predefined McAfee rules automatically.

Each of these new features is detailed in the sections that follow.

Reboot state awareness


Current release

The goal of this feature is to determine if a system is in violation of a rule only because the machine has not been rebooted yet. If the file being checked is in violation of the rule, and it is scheduled to be replaced at the next reboot, then the violation event contains extra data to indicate that a reboot is needed. This information will be displayed in the rule violation reports.

Benefits

After applying a patch on your managed machines, they may require a reboot. Until they are rebooted, they will continue to show up as non-compliant in your System Compliance Profiler reports. This feature is an indication that rebooting the machines may make them compliant in the next System Compliance Profiler scan, and gives a more accurate snapshot of system status.


Where to find

The Compliant/Non-Compliant Summary report will include the reboot state awareness category. The graph has a new pie container for systems that need rebooting.

For more information

See Compliance & Non-Compliance Summary on page 47 for more information on how computer compliance data is reflected in reports.

Using registry keys to dynamically resolve file paths


Current release

Use registry key values when specifying file path locations for file-based rules. In the Edit Rule page, the drop-down box for the file path contains an additional choice labeled HKEY_LOCAL_MACHINE. If you choose this, you can specify the registry key location for the registry key that contains the file path of the file being searched for. Note that this registry path will also contain the registry value being examined.

Benefits

Use registry keys to reference file paths dynamically, rather than having to hardcode the file paths into your rules.

Where to find

On the Edit Rule page of the System Compliance Profiler Rules policy page, the File path drop-down list contains a new HKEY_LOCAL_MACHINE option for specifying a registry key that contains a file path.

For more information

About System Compliance Profiler rules on page 30


Filtering and sorting for security patch templates


Current release

Group and filter the predefined McAfee security patch rules to show only the rules you are interested in viewing. When you select the Security Patch Rules group, or any rules under this group, you can click a Filter button to filter and sort based on the following criteria:
- Microsoft Security Bulletin #
- Microsoft patch release date
- Microsoft severity rating
- Microsoft identifier (KB or Q number)
- Affected operating systems
- Affected applications

Benefits

The list of security patches can become quite long. Using filtering and sorting can make the list more manageable.

Where to find

To access this feature:
1 Open the Rules page of the System Compliance Profiler policy pages.
2 Select the Security Patch Rules group, or any patch rules group or rules within Security Patch Rules, to enable the new Filter button.
3 Click Filter to open the Filtering and Sorting page. Specify filter criteria as needed.

For more information

Creating and editing rules on page 33


Running rules only when specific applications are present


Current release

Set conditions to evaluate certain rules only if a specified application is present on the computer. For example, if you have a group of rules that scan for Microsoft Exchange Server 2000 patches, you can set a condition to evaluate these rules only if Exchange Server 2000 is actually installed on the computer.

Benefits

Improves performance by running only those rules that are relevant for the software installed on a given computer. It also eliminates the false positive violations that are generated when a scan does not find a patch on that computer because the relevant software is not installed.

Where to find

The Edit Group page contains an Application rule drop-down list. Select an application from this list to test for on the computer before running the rule or rule group.

For more information

Creating and editing rules on page 33

Improved rules interface and features


Current release

This release contains several new features to improve the usability and interface of the policy pages:
- All user-defined custom rules are stored in a Custom Rules group in the Rules list.
- The right-click menu has a new Copy to Custom Rules option that lets you copy any pre-defined rule to the Custom Rules folder so you can customize it.
- A new Description text box in the Edit Group page allows you to modify rule group descriptions to suit your needs.
- Summary View and Advanced View buttons toggle the Rules list between showing and hiding rule details.

Benefits

Improved usability and interface make it easier to work with rules.

Where to find

The main System Compliance Profiler | Rules policy page.

For more information

Chapter 4, Using compliance rules and scans


More flexibility and granularity for defining rules


Current release

This release includes additional criteria for file matching rules:
- File age, by the time the file was last modified.
- File size.
- File version can be less than or equal to, or greater than or equal to, a specified value.
- Registry key values can be less than or equal to, or greater than or equal to, a specified value.
- Registry key is in HKEY_LOCAL_MACHINE.

Benefits

Define more focused and flexible rules.

Where to find

The Edit Rule page. To get here:
1 In the ePolicy Orchestrator console, go to the System Compliance Profiler | Rules policy page.
2 Select any rule in your Custom Rules list.
3 Click Edit.

For more information

Chapter 4, Using compliance rules and scans


Use ePolicy Orchestrator pull tasks to update predefined McAfee rules automatically
Current release

ePolicy Orchestrator updates the pre-defined McAfee rules automatically with source repository pull tasks. This uses the same automated update architecture that ePolicy Orchestrator uses to update DAT anti-virus signatures, anti-virus engines, and Desktop Firewall IDS signatures. Once the repository has been updated, use a replication task to copy the rule updates to any distributed repositories, then run an ePolicy Orchestrator Agent Update client task to update client rules.

Benefits

Using regularly scheduled Repository Pull tasks to update pre-defined rules means System Compliance Profiler is scanning for the most up-to-date rules.

Where to find

In the ePolicy Orchestrator console, select Repository from the console tree to find the Pull Now or New Pull Task features.

For more information

Update pre-defined System Compliance Profiler rules from McAfee on page 43. See the ePolicy Orchestrator Product Guide for more information on pull tasks and agent update client tasks.

Use wildcards when matching filenames and registry keys in compliance rules

Current release

You may use wildcards to match a file name or registry key. The ? wildcard matches a single character. The * wildcard matches any number of characters.

Benefits

Using wildcards in your rules can help make sure the rule can account for small variations in file names or registry keys.
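As an added illustration (not code from this guide or from McAfee), the following Python toy evaluator models the file-rule criteria described in the preceding sections: the ? and * wildcards, file version comparison with <= and >=, a file path resolved from an HKEY_LOCAL_MACHINE registry value, and the reboot-needed flag attached to a violation. The registry entries, file inventory and pending-replacement list are constructed inline, and the "HKLM:<key>\<value>" reference notation is this example's own convention, not the product's.

```python
import re
from dataclasses import dataclass
from typing import Optional


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Rule wildcards as the guide defines them: '?' = one character, '*' = any run."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Windows file and key names are case-insensitive; anchor both ends so the
    # whole name must match, not just a substring of it.
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def wildcard_match(pattern: str, name: str) -> bool:
    return wildcard_to_regex(pattern).match(name) is not None


def parse_version(text: str) -> tuple:
    """'5.1.2600.2180' -> (5, 1, 2600, 2180): compare per field, not as strings."""
    return tuple(int(p) for p in text.split("."))


def version_satisfies(actual: str, op: str, required: str) -> bool:
    """The 'less than or equal to' / 'greater than or equal to' version tests."""
    a, r = parse_version(actual), parse_version(required)
    width = max(len(a), len(r))          # pad so 2.0 and 2.0.0 compare equal
    a += (0,) * (width - len(a))
    r += (0,) * (width - len(r))
    if op == ">=":
        return a >= r
    if op == "<=":
        return a <= r
    raise ValueError(f"unsupported operator {op!r}")


@dataclass
class FileRule:
    name: str
    folder: str                    # literal folder, or constructed "HKLM:<key>\<value>"
    filename: str                  # may contain the ? and * wildcards
    version_op: Optional[str] = None
    version: Optional[str] = None


@dataclass
class Violation:
    rule: str
    path: str
    reason: str
    reboot_needed: bool = False    # the extra data the reboot-state feature adds


# Constructed inventory standing in for one scanned client; no real system is read.
REGISTRY = {
    ("SOFTWARE\\ExampleVendor\\ExampleApp", "InstallDir"): "C:\\Program Files\\ExampleApp",
}
FILES = {  # full path -> file version the client reports
    "C:\\Program Files\\ExampleApp\\app_v2.dll": "2.0.0.1",
    "C:\\Windows\\system32\\example.dll": "5.1.2600.2000",
}
# Files already queued for replacement at the next reboot (constructed), i.e. the
# "scheduled to be replaced at the next reboot" case the guide describes.
PENDING_REPLACEMENT = {"C:\\Windows\\system32\\example.dll"}


def resolve_folder(folder: str) -> Optional[str]:
    """Expand an HKLM reference to the folder stored in that registry value."""
    if not folder.upper().startswith("HKLM:"):
        return folder
    key, _, value = folder[5:].rpartition("\\")
    return REGISTRY.get((key, value))


def evaluate(rule: FileRule) -> Optional[Violation]:
    """Return None when the client satisfies the rule, otherwise a Violation."""
    folder = resolve_folder(rule.folder)
    if folder is None:
        return Violation(rule.name, rule.folder, "registry value holding the file path not found")
    prefix = folder.rstrip("\\") + "\\"
    matches = [(p, v) for p, v in FILES.items()
               if p.lower().startswith(prefix.lower())
               and wildcard_match(rule.filename, p[len(prefix):])]
    if not matches:
        return Violation(rule.name, prefix + rule.filename, "file not found")
    for path, actual in matches:
        if rule.version_op and not version_satisfies(actual, rule.version_op, rule.version):
            # Old file still on disk but a replacement is queued: report the
            # violation, and flag that a reboot may clear it on the next scan.
            return Violation(rule.name, path,
                             f"version {actual} is not {rule.version_op} {rule.version}",
                             reboot_needed=path in PENDING_REPLACEMENT)
    return None
```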


Where to find

The Edit Rule page. To get here:
1 In the ePolicy Orchestrator console, go to the System Compliance Profiler | Rules policy page.
2 Select any rule in your Custom Rules list.
3 Click Edit.

For more information

Defining criteria for rules on page 34. See the ePolicy Orchestrator Product Guide for more information on pull tasks and agent update client tasks.

How System Compliance Profiler works with ePolicy Orchestrator


This section provides a brief overview of how System Compliance Profiler works within ePolicy Orchestrator. Refer to other chapters of this guide for more details on each of these aspects. This section includes the following topics:
- At a glance: System Compliance Profiler and ePolicy Orchestrator
- Accessing System Compliance Profiler through the ePolicy Orchestrator console

At a glance: System Compliance Profiler and ePolicy Orchestrator


Use ePolicy Orchestrator to configure and manage the System Compliance Profiler software. The basic steps involved are:

1 Add System Compliance Profiler to your ePolicy Orchestrator server repository if you are using ePolicy Orchestrator 3.0.x. Before you can use the two products together, you must add the System Compliance Profiler NAP, deployment packages and reports to the ePolicy Orchestrator Repository. For details, see Adding System Compliance Profiler to the ePolicy Orchestrator server on page 20.

Note: This step is only required if you are running ePolicy Orchestrator 3.0.x. The System Compliance Profiler NAP, deployment package, and reports are installed by default with ePolicy Orchestrator 3.5 and 3.6.

2 Deploy System Compliance Profiler to client computers. Use the ePolicy Orchestrator console to deploy System Compliance Profiler to computers in your Directory console tree. You must deploy the software to each computer that you want to scan.


3 Configure System Compliance Profiler policies and scans. Once your System Compliance Profiler system is set up, you can start scanning computers for files, services, patches, and registry keys. To do this, you first set up rules in ePolicy Orchestrator. These rules make up your policies. Once you finish defining policies for different users, you set up System Compliance Profiler scan tasks. Scan tasks are instructions that ePolicy Orchestrator sends to computers running System Compliance Profiler. You can scan individual computers, or groups of computers. You can also schedule scans to occur at specific times.

4 System Compliance Profiler runs scans on client computers. ePolicy Orchestrator sends the scan tasks to computers running System Compliance Profiler. At the scheduled time, these computers run the scans that you specified, collect the scan results, and transmit them to ePolicy Orchestrator. System Compliance Profiler scans do not require many local or network resources. While the exact amount of network traffic will vary based on how many rules a given computer receives, the average bandwidth requirement is approximately 200 bytes per rule.

5 Run reports in ePolicy Orchestrator to view scan results. Once ePolicy Orchestrator receives scan results from System Compliance Profiler, it adds the information to its database. After the results are stored, you can use the ePolicy Orchestrator console to run reports that list any vulnerabilities that System Compliance Profiler found.

Accessing System Compliance Profiler through the ePolicy Orchestrator console


You use the ePolicy Orchestrator console to access and configure System Compliance Profiler. To accomplish this, the console includes three areas, presented as tabs on the details pane:
- The Policies tab, where you create your System Compliance Profiler rules.
- The Tasks tab, where you create and schedule System Compliance Profiler on-demand scan tasks.
- The Reports area, where you generate reports based on System Compliance Profiler scan results.

The System Compliance Profiler policy pages

Manage policies for System Compliance Profiler just as you would for any other security product managed by ePolicy Orchestrator.

Note: If you are using ePolicy Orchestrator 3.0.x, the policy pages for System Compliance Profiler 1.1 are not installed by default. See Chapter 2, Adding System Compliance Profiler to ePolicy Orchestrator.

Policies are the rules that you define for each computer scanned by System Compliance Profiler. You use the ePolicy Orchestrator console to configure the policies for how you want to scan selected computers using System Compliance Profiler rules. The ePolicy Orchestrator agent on the client computer where System Compliance Profiler is installed collects these policy updates at regular intervals. You then configure scan tasks to run on the clients using the policies you specify.


To access the System Compliance Profiler policy pages:
1 Select the Directory, or a site, group, or computer node in the Directory tree.
2 In the details pane, click the Policies tab.
3 Expand the policy list to System Compliance Profiler 1.1 | Rules, then click the policy name.
4 View the policy pages in the lower details pane.

Figure 1-1 The System Compliance Profiler Rules policy page

The Rules page lets you enable and disable configured rules, create and edit customized rules, and update pre-defined McAfee rules from the McAfee web site.

Use client tasks to configure on-demand scans on client computers

The System Compliance Profiler policy pages (NAP file) include an on-demand scan task for creating and scheduling scan tasks on client computers. When you check the NAP file into the master repository on the ePolicy Orchestrator server, the System Compliance Profiler on-demand scan task is available in the list of available client scan tasks.

To access the System Compliance Profiler on-demand scan task:
1 Select the Directory, or a site, group, or computer node in the console tree.
2 In the details pane, click the Tasks tab.
3 Right-click the details pane and select Schedule Task.
4 From the Schedule Task page, select System Compliance Profiler 1.1 On-Demand Scan.


Run System Compliance Profiler reports

To see the results of your System Compliance Profiler scans, generate reports in ePolicy Orchestrator. System Compliance Profiler automatically adds its custom reports to the Reporting area of the ePolicy Orchestrator console when you install the software. For more information on these reports, see Working with Scan Results on page 46.

Using this guide


This guide provides information on configuring and using your product.

Audience
This information is intended primarily for network administrators who are responsible for their company's anti-virus and security program.

Conventions
This guide uses the following conventions:
Bold Serif
All words from the user interface, including options, menus, buttons, and dialog box names. Example: Type the User name and Password of the desired account.

Courier

The path of a folder or program; a web address (URL); text that represents something the user types exactly (for example, a command at the system prompt). Examples:
The default location for the program is: C:\Program Files\Network Associates\VirusScan
Visit the McAfee Security web site at: http://www.mcafeesecurity.com
Run this command on the client computer: C:\SETUP.EXE

Italic

For emphasis or when introducing a new term; for names of product documentation and topics (headings) within the material. Example: Refer to the VirusScan Enterprise Product Guide for more information.

<TERM>

Angle brackets enclose a generic term. Example: In the console tree under ePolicy Orchestrator, right-click <SERVER>.

Note

Note: Supplemental information; for example, an alternate method of executing the same command.

Tip

Tip: Suggestions for best practices and recommendations from McAfee Security for threat prevention, performance and efficiency.


Caution

Caution: Important advice to protect your computer system, enterprise, software installation, or data.

Warning

Warning: Important advice to protect a user from bodily harm when interacting with a hardware product.

Resources
Refer to these sections for additional resources:
- Getting product information
- Links from within the ePolicy Orchestrator console
- Product services
- Contact information

Getting product information


ePolicy Orchestrator documentation: Product introduction and features, detailed instructions for configuring the software, information on deployment, recurring tasks, and operating procedures.
- ePolicy Orchestrator 3.6 Installation Guide.
- ePolicy Orchestrator 3.6 Product Guide.
- ePolicy Orchestrator 3.6 Reporting Guide.
- ePolicy Orchestrator 3.6 Walkthrough Guide.

Help: High-level and detailed information accessed from the ePolicy Orchestrator console. Use the Help menu and/or Help button for page-level help.

Configuration Guide*: For use with ePolicy Orchestrator. Procedures for configuring, deploying, and managing your McAfee Security product through ePolicy Orchestrator management software.

Release Notes: ReadMe. Product information, resolved issues, any known issues, and last-minute additions or changes to the product or its documentation.

Contacts: Contact information for McAfee Security services and resources: technical support, customer service, Security Headquarters (AVERT Anti-virus & Vulnerability Emergency Response Team), beta program, and training. This file also includes phone numbers, street addresses, web addresses, and fax numbers for company offices in the United States and around the world.

License*: The McAfee License Agreement booklet that includes all of the license types you can purchase for your product. The License Agreement sets forth general terms and conditions for the use of the licensed product.

* An Adobe Acrobat .PDF file on the product CD or the McAfee Security download site.
^ A printed manual that accompanies the product CD.
Text files included with the software application and on the product CD.
Note: Some language manuals may be available only as a .PDF file.

15

System Compliance Profiler 1.1 Configuration Guide

Introducing System Compliance Profiler


Resources

Links from within the ePolicy Orchestrator console

The Start Page of the ePolicy Orchestrator console provides links to some useful resources: Help Topics, Virus Information Library, and Technical Support.

Help Topics
Use this link to access the online Help topics for the product.

Tip: If the product's built-in help system (accessed from within the software by clicking the Help menu) displays incorrectly on your system, your version of Microsoft Internet Explorer may not be using ActiveX controls properly. These controls are required to display the help file. Make sure that you install the latest version of Internet Explorer.

Virus Information Library
Use the Virus Information link to access the McAfee Anti-Virus & Vulnerability Emergency Response Team (AVERT) Virus Information Library. This web site has detailed information on where viruses come from, how they infect your system, and how to remove them. In addition to genuine viruses, the Virus Information Library contains useful information on virus hoaxes, such as those virus warnings that you receive via e-mail. A Virtual Card For You and SULFNBK are two of the best-known hoaxes, but there are many others. Next time you receive a well-meaning virus warning, view our hoax page before you pass the message on to your friends.
To access the Virus Information Library:
1 Open the ePolicy Orchestrator console. The console opens to the Start Page in the details pane.
2 Select Virus Information.

Technical Support
Use the Technical Support for ePolicy Orchestrator link to access the McAfee PrimeSupport KnowledgeCenter Service Portal web site. Browse this site to view frequently asked questions (FAQs) and documentation, and to perform a guided knowledge search.
To access McAfee technical support:
1 Open the ePolicy Orchestrator console. The console opens to the Start Page in the details pane.
2 Select Technical Support for ePolicy Orchestrator.
3 Follow the directions on the web site.


Product services
The following services are available to help you get the most from your McAfee products: Beta program, HotFixes and Patches, and Product end-of-life support.

Beta program
The McAfee beta program enables you to try our products before full release to the public: you can learn about and test new features for existing products, as well as try out entirely new products. This program can help you test and implement updated and new features earlier, and in a safe environment. You get the chance to suggest new product features, as well as deal directly with McAfee engineering staff. To find out more, visit: http://www.mcafeesecurity.com/us/downloads/beta/mcafeebetahome.htm

HotFixes and Patches
HotFixes and Patches are released with updated files, drivers, executables, etc., between the major releases of a product. To access the latest HotFixes and Patches, visit: http://www.mcafeesecurity.com/us/downloads/updates/hotfixes.asp

Product end-of-life support
Your anti-virus software must be kept up-to-date to remain effective against viruses and other potentially harmful software. It is important to update the virus definition (DAT) files regularly. To enable the software to counter the continuing threat, we often make architectural changes to the way that the DAT files and virus-scanning engine work together. It is therefore important that you update your engine when a new version is released. An older engine will not catch many of the new emerging threats. When we release a new engine, we announce the date after which the existing engine will no longer be supported. For information on our product end-of-life policy and for a full list of supported engines and products, visit: http://www.mcafeesecurity.com/us/products/mcafee/end_of_life.htm

Contact information

Technical Support
- Home Page: http://www.mcafeesecurity.com/us/support/technical_support
- KnowledgeBase Search: https://knowledgemap.nai.com/phpclient/homepage.aspx
- PrimeSupport Service Portal*: https://mysupport.nai.com

McAfee Beta Program
- http://www.mcafeesecurity.com/us/downloads/beta/mcafeebetahome.htm


Security Headquarters AVERT: Anti-virus & Vulnerability Emergency Response Team
- Home Page: http://www.mcafeesecurity.com/us/security/home.asp
- Virus Information Library: http://vil.nai.com
- AVERT WebImmune*, Submitting a Sample: https://www.webimmune.net/default.asp
- AVERT DAT Notification Service: http://vil.mcafeesecurity.com/vil/join-DAT-list.asp

Download Site
- Home Page: http://www.mcafeesecurity.com/us/downloads/
- DAT File and Engine Updates: http://www.mcafeesecurity.com/us/downloads/updates/default.asp and ftp://ftp.mcafeesecurity.com/pub/antivirus/datfiles/4.x
- Product Upgrades*: https://secure.nai.com/us/forms/downloads/upgrades/login.asp

Training
- On-Site Training: http://www.mcafeesecurity.com/us/services/security/home.htm
- McAfee University: http://www.mcafeesecurity.com/us/services/education/mcafee/university.htm

Customer Service
- E-mail: https://secure.nai.com/us/forms/support/request_form.asp
- Web: http://www.mcafeesecurity.com/us/index.asp and http://www.mcafeesecurity.com/us/support/default.asp
- US, Canada, and Latin America toll-free: +1-888-VIRUS NO or +1-888-847-8766, Monday to Friday, 8 a.m. to 8 p.m., Central Time

For additional information on contacting McAfee, including toll-free numbers for other geographic areas, see the Contact file that accompanies this product release.
* Logon credentials required.

Adding System Compliance Profiler to ePolicy Orchestrator


Manually add the NAP file and deployment package to the repository

This section describes how to add the System Compliance Profiler 1.1 deployment package and NAP file to the ePolicy Orchestrator software repository. You must add both of these to your ePolicy Orchestrator repository to be able to deploy and manage System Compliance Profiler with ePolicy Orchestrator.
Note: Refer to this chapter only if you are running System Compliance Profiler 1.1 with ePolicy Orchestrator 3.0.x. The System Compliance Profiler 1.1 deployment package, NAP file, and reports are installed automatically when you install the ePolicy Orchestrator 3.5 or 3.6 server and console. If you are using ePolicy Orchestrator 3.5 or 3.6, you can skip this chapter.

What's in this chapter
This chapter contains the following topics:
- ePolicy Orchestrator 3.0.x requirements
- Adding System Compliance Profiler to the ePolicy Orchestrator server
- Upgrading System Compliance Profiler from version 1.0
- Removing System Compliance Profiler from the ePolicy Orchestrator server

ePolicy Orchestrator 3.0.x requirements


This chapter assumes that you have already installed the ePolicy Orchestrator server and console. The System Compliance Profiler user interface installs and runs on an ePolicy Orchestrator server version 3.0.x or higher. You access it using the ePolicy Orchestrator console. For more information on these processes, see the ePolicy Orchestrator Product Guide.

If you are running ePolicy Orchestrator 3.0.2, install patch 6
You must install patch 6 for ePolicy Orchestrator 3.0.2 to be able to run System Compliance Profiler 1.1. If you are running ePolicy Orchestrator 3.0.0 or 3.0.1, System Compliance Profiler 1.1 works without requiring any patches or other updates.


Configure firewall ports for System Compliance Profiler communication
If you intend to communicate through a firewall with computers running System Compliance Profiler, you must also configure ports 80 and 8081 to allow traffic between your ePO agents and your server. These are the default ports for those components. If you selected different ports during your ePolicy Orchestrator installation, configure your firewall to allow those ports instead.

Adding System Compliance Profiler to the ePolicy Orchestrator server


This section covers adding the System Compliance Profiler deployment package, NAP file policy pages, and reports to the ePolicy Orchestrator server. You must perform these steps to deploy and manage System Compliance Profiler with ePolicy Orchestrator. It does not cover deploying the System Compliance Profiler to client computers in your network. For details on how to do that, see Chapter 3, Deploying the System Compliance Profiler client scanner.

To add System Compliance Profiler to your ePolicy Orchestrator server:
1 Retrieve the PKGCATALOG.Z and PATCH1100.NAP files.
2 Add the deployment package to the master repository.
3 Add the NAP policy pages to the server.

Retrieve the PKGCATALOG.Z and PATCH1100.NAP files
The PKGCATALOG.Z deployment package and PATCH1100.NAP policy files are included in the System Compliance Profiler 1.1 installation files from McAfee. You find these installation files either on your product CD or on the McAfee web site. Retrieve the files, either from the product CD or McAfee web site, and save them to a temporary folder on your ePolicy Orchestrator server.

Add the deployment package to the master repository
1 Log on to the ePolicy Orchestrator console.
2 Select Repository from the console tree.
3 In the details pane under AutoUpdate tasks, click Check in package.
4 Follow the ePolicy Orchestrator wizard instructions. When prompted:
  a Select Products or updates as the package type.
  b Navigate to the System Compliance Profiler/Product directory and select PkgCatalog.z as the package name.
5 After finishing the check-in wizard, wait while the deployment package is added to the repository.

Add the NAP policy pages to the server
1 Select Repository from the console tree, and under AutoUpdate tasks click Check in NAP.


2 Follow the wizard instructions. When prompted:
  a Select Add new software to be managed as the task type.
  b Select Patch1100.nap as the file name.
3 After finishing the check-in wizard, wait while the NAP is added to the repository.

Add System Compliance Profiler reports to the database
Check in the extended reporting NAP file to add System Compliance Profiler reports to the ePolicy Orchestrator reporting database. This will allow you to run reports in ePolicy Orchestrator on the System Compliance Profiler scan results.
To check in the extended reporting NAP:
1 Select Repository from the console tree, and click Check in NAP.
2 Follow the wizard instructions. When prompted:
  a Select Add new reports as the task type.
  b Select Patch_Reports.nap as the file name.
3 After finishing the check-in wizard, wait while the NAP is added to the repository.

System Compliance Profiler is now stored in the Repository. You must also deploy the System Compliance Profiler software to your ePolicy Orchestrator server before running any scans. See Removing System Compliance Profiler from the ePolicy Orchestrator server on page 22 for details. You can verify that the System Compliance Profiler software is in ePolicy Orchestrator's Repository by selecting any computer, group, or site from the console tree. Click the Policies tab to make it active. System Compliance Profiler should appear in the list of available software.

Upgrading System Compliance Profiler from version 1.0


If you are already using System Compliance Profiler 1.0 with ePolicy Orchestrator 3.0.x, you can easily upgrade to version 1.1 without losing any of the custom rules you created in version 1.0.
To upgrade System Compliance Profiler 1.1 over an existing 1.0 version:
1 Retrieve the 1.1 installation files, either from your product CD or the McAfee download site.
2 Check in the System Compliance Profiler 1.1 NAP and deployment package following the instructions in this chapter.

Tip: Do not first remove the 1.0 NAP from the ePolicy Orchestrator server! Any custom rules you have defined in System Compliance Profiler 1.0 will be automatically copied to version 1.1 when you install the 1.1 NAP. This way, you won't lose any custom rules you have created. After you have completed the upgrade to version 1.1, you can remove the 1.0 NAP from the repository.


3 Edit the default deployment task to Install System Compliance Profiler 1.1, and set the action for System Compliance Profiler 1.0 to Ignore, so that ePolicy Orchestrator installs version 1.1 on client computers in your network. The installer for SCP 1.1 automatically upgrades SCP 1.0 installations to SCP 1.1 on clients.

When you are finished, note that the Policy tab in the ePolicy Orchestrator console will contain two entries, one for version 1.0 and one for version 1.1. This is similar to the way ePolicy Orchestrator can contain NAP files for multiple versions of other products, such as VirusScan Enterprise. As you begin working with System Compliance Profiler 1.1, be sure to make additional policy changes only in the System Compliance Profiler 1.1 policy pages. In fact, after you have fully installed and deployed version 1.1, you may want to remove the 1.0 NAP file from the ePolicy Orchestrator repository to avoid confusion.

Removing System Compliance Profiler from the ePolicy Orchestrator server


This section covers removing the System Compliance Profiler deployment package, NAP file, and reports from the ePolicy Orchestrator master repository. It does not cover removing System Compliance Profiler from any client computers to which you have deployed it. For details on how to do that, see Removing System Compliance Profiler from clients on page 27.

Removing the System Compliance Profiler NAP from the ePolicy Orchestrator server
1 Start the ePolicy Orchestrator console and log on to your server.
2 If necessary, expand this server's icon in the console tree to see the Repository icon.
3 Expand Repository to see its contents.
4 Expand Managed Products, then Windows.
5 Right-click System Compliance Profiler and select Remove.
6 Click Yes when ePolicy Orchestrator asks whether to remove the software.
7 Click OK.

Removing the System Compliance Profiler deployment package from the ePolicy Orchestrator repository
1 Start the ePolicy Orchestrator console and log on to your server.
2 In the console tree, go to Repository | Software Repositories | Master to view the contents of the master repository.
3 In the details pane of the console, scroll through the Packages table to locate the System Compliance Profiler deployment package. The Name is System Compliance Profiler and the Type is Install.
4 Select the deployment package and select Delete. If you are using distributed repositories, be sure to replicate the change to your distributed repositories so ePolicy Orchestrator can delete the package from them as well.


Removing System Compliance Profiler reports
1 Start ePolicy Orchestrator.
2 Expand Reporting to see its contents.
3 Expand Report Repository.
4 Locate and right-click System Compliance Profiler.
5 Click Remove.
6 Click Yes when ePolicy Orchestrator asks whether to remove the reports.

Deploying the System Compliance Profiler client scanner


Use the ePolicy Orchestrator deployment task to install System Compliance Profiler on client computers

This chapter describes the process for deploying System Compliance Profiler 1.1 to client computers. You must deploy System Compliance Profiler to any computer that you want to scan for patch compliance: the software can only scan locally, on the same computer on which it is installed.

What's in this chapter
- System requirements
- Using ePolicy Orchestrator to deploy System Compliance Profiler
- Installing System Compliance Profiler manually on clients
- Removing System Compliance Profiler from clients

System requirements
The System Compliance Profiler client scanner only functions as part of an ePolicy Orchestrator deployment, and therefore will only be installed on computers running an ePolicy Orchestrator agent. Computers running an agent already meet the minimum system requirements for the System Compliance Profiler client scanner. Refer to the ePolicy Orchestrator documentation for details on the system requirements for the agent.

Using ePolicy Orchestrator to deploy System Compliance Profiler


Deploying System Compliance Profiler involves installing scanning software on remote computers. This software receives the rules and policy information that you set up in ePolicy Orchestrator, runs the tasks that you schedule, and reports back with any results.
Note: If you intend to communicate through a firewall with computers running System Compliance Profiler, you must also configure ports 80 and 8081 to allow traffic between your ePO agents and your server. These are the default ports for those components. If you selected different ports during your ePolicy Orchestrator installation, configure your firewall to allow those instead.
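The following is an added example, not part of the McAfee documentation or product: a small Python connectivity check that an administrator can run from an agent host to confirm that the server accepts connections on the agent-to-server ports the note above names (80 and 8081 by default). The server name in the block is a placeholder; pass your own server and, if you chose other ports at installation, your own port list.

```python
"""Connectivity check for the agent-to-server ports (80 and 8081 by default).

Added example, not part of the McAfee product or its documentation.
Run from an agent host after the firewall has been configured; any port
reported as blocked still needs a firewall rule between that host and the server.
"""
import socket
from typing import Dict, Iterable, List

# Defaults named in the guide; replace if you chose other ports at installation.
DEFAULT_EPO_PORTS = (80, 8081)


def port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Covers connection refused, timeout, host unreachable and name-resolution failure.
        return False


def check_epo_ports(server: str, ports: Iterable[int] = DEFAULT_EPO_PORTS,
                    timeout: float = 3.0) -> Dict[int, bool]:
    """Map each port to whether the server accepted a TCP connection on it."""
    return {port: port_reachable(server, port, timeout) for port in ports}


def blocked_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that must still be opened between this agent host and the server."""
    return sorted(port for port, ok in results.items() if not ok)


if __name__ == "__main__":
    import sys
    # Placeholder hostname; pass your ePolicy Orchestrator server as the first argument.
    server = sys.argv[1] if len(sys.argv) > 1 else "epo-server.example.invalid"
    results = check_epo_ports(server)
    for port, ok in results.items():
        print(f"{server}:{port} {'reachable' if ok else 'BLOCKED'}")
    sys.exit(1 if blocked_ports(results) else 0)
```

A non-zero exit code means at least one of the listed ports did not accept a connection. The check only establishes that something on the server answers on the port; it does not confirm that the ePolicy Orchestrator service is what answered or that the agent can authenticate, so treat it as a firewall check, not a health check.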


About using the ePolicy Orchestrator Deployment task
The ePolicy Orchestrator agent uses the default deployment task to deploy, or install, client software such as VirusScan Enterprise, Desktop Firewall, or System Compliance Profiler on computers in your network. The following System Compliance Profiler deployment instructions assume that you have:
- Installed the ePolicy Orchestrator server and console.
- Populated the ePolicy Orchestrator Directory with all of the sites, groups, and computers to which you plan to deploy System Compliance Profiler.
- Deployed ePolicy Orchestrator agents to any computers where you plan to install System Compliance Profiler.
For more information on these processes, see the ePolicy Orchestrator Product Guide.

Caution: If you are using System Compliance Profiler with ePolicy Orchestrator 3.0.x, you must deploy the System Compliance Profiler scanner to the ePolicy Orchestrator server itself. If you do not, reporting does not function properly. This is not required for ePolicy Orchestrator 3.5 or 3.6, although you will most likely want to install System Compliance Profiler on your server anyway.

Enabling System Compliance Profiler deployment
1 In your ePolicy Orchestrator console, select Directory from the console tree. ePolicy Orchestrator expands the Directory to show all the sites, groups, and computers that it currently manages.
2 Select a site, group, or computer to which you want to deploy System Compliance Profiler.
3 In the upper details pane, click Tasks to display that tab. ePolicy Orchestrator lists all the tasks for this site, group, or computer.
4 Double-click the Deployment task to open the ePolicy Orchestrator Scheduler dialog box.
5 On the Task tab, click Settings to open the Task Settings dialog box.
6 If necessary, deselect the Inherit checkbox.


7 In the Product deployment options list, locate System Compliance Profiler.


Figure 3-1 Configure the deployment task to install System Compliance Profiler

8 Select Install from the Action list. Set any products that you do not want to deploy to Ignore.
9 Click OK to return to the ePolicy Orchestrator Scheduler dialog box.
Now that you have configured this task to deploy System Compliance Profiler, create a schedule for the task.

Creating a schedule for the Deployment task
1 In the ePolicy Orchestrator Scheduler dialog box, click Task to display that tab.
2 In the Schedule Settings area, deselect Inherit.
3 Select Enable to make the task active.
4 Click the Schedule tab.
5 Deselect the Inherit checkbox, then set up the time when you want the System Compliance Profiler software deployed. To deploy the software immediately, select Run Immediately from the Schedule Task list. The deployment task will then run at the next ePO policy enforcement interval, or when you perform an agent wakeup call. For instructions, see the ePolicy Orchestrator Product Guide.
6 Click OK. ePolicy Orchestrator deploys the System Compliance Profiler software to this site, group, or computer at the time you specified.


To verify that the System Compliance Profiler software deployed properly, select the name of the remote computer from the console tree. Select the Properties tab from the details pane. System Compliance Profiler should appear in the list of installed applications. (Allow enough time for the deployment task to run first.)

Installing System Compliance Profiler manually on clients


You don't need to use ePolicy Orchestrator to deploy System Compliance Profiler to client computers. If you choose, you can use another method, such as installing it manually, installing it with a network login script, or using another third-party deployment tool. To do this, you can run the PATCHSCANINSTALLER.EXE installer. You can either run this manually from the client computer where you want it to install, or you can distribute the installer for inclusion in login scripts or software deployment using other methods.

Where can I find the System Compliance Profiler installer?
If you downloaded System Compliance Profiler from the McAfee web site to run with ePolicy Orchestrator 3.0.x, you can find PATCHSCANINSTALLER.EXE in the product download ZIP file. If you are running ePolicy Orchestrator 3.5 or 3.6, you can find the PATCHSCANINSTALLER.EXE installer on your ePolicy Orchestrator server. By default, it is installed in the following folder for 3.5:

C:\Program Files\Network Associates\ePO\3.5.0\DB\Software\Current\PATCH__1100\Install\0000

And the following folder in 3.6:

C:\Program Files\McAfee\ePO\3.6.0\DB\Software\Current\PATCH__1100\Install\0000

Running the System Compliance Profiler installer
When you execute PATCHSCANINSTALLER.EXE, System Compliance Profiler installs in silent mode. There is no installation interface or options to configure. You can run PATCHSCANINSTALLER.EXE from the command line to uninstall System Compliance Profiler. To do this, run the executable with the /u command line switch, like this:

PATCHSCANINSTALLER.EXE /u

Removing System Compliance Profiler from clients


You can use the deployment task in the ePolicy Orchestrator console to remove System Compliance Profiler from client computers, or you can run the installer from the command line on the client system. Using the deployment task to remove System Compliance Profiler To use the ePolicy Orchestrator deployment task to remove System Compliance Profiler:


1 Start the ePolicy Orchestrator console and log on to your server.
2 In the console tree, expand the Directory and select the site, group, or computer from which you want to remove System Compliance Profiler.
3 In the ePolicy Orchestrator details pane, click the Tasks tab.
4 Right-click the Deployment task, then select Edit Task to open the ePolicy Orchestrator Scheduler dialog box.
5 On the Task tab, click Settings to open the Task Settings dialog box.
6 If necessary, deselect the Inherit checkbox.
7 In the Product deployment options list, locate System Compliance Profiler.
8 Select Remove from the Action list.
9 Click OK to return to the ePolicy Orchestrator Scheduler dialog box.
10 Click OK to save your changes. ePolicy Orchestrator will remove the System Compliance Profiler clients at the time specified in the task. To change the task's schedule, use the procedure outlined in Creating a schedule for the Deployment task on page 26.

Remove System Compliance Profiler with a command line
You can run PATCHSCANINSTALLER.EXE from the command line to uninstall System Compliance Profiler. To do this, PATCHSCANINSTALLER.EXE must be on the client computer. Run the executable with the /u command line switch, like this:

PATCHSCANINSTALLER.EXE /u

Using compliance rules and scans


Create rules and client on-demand scans to check compliance on client computers

This section describes how to use the ePolicy Orchestrator console to configure the System Compliance Profiler software to scan your network for system compliance.

What's in this chapter
- Overview of using compliance rules in on-demand scans
- About System Compliance Profiler rules
- Creating and editing rules
- Using rules and rule groups for scanning
- Scheduling System Compliance Profiler on-demand scan tasks
- Update pre-defined System Compliance Profiler rules from McAfee

Overview of using compliance rules in on-demand scans


Once you have installed and deployed System Compliance Profiler, you can configure the policies, or rules, that the compliance scanner should use when it scans each computer. Then you can configure scans to run at scheduled times that check computers for compliance with, or violation of, the rules you specify. Basically, the process involves:
1 Creating and editing rules that specify what you want System Compliance Profiler to scan for.
2 Scheduling System Compliance Profiler on-demand scan tasks in ePolicy Orchestrator, to make it enforce your System Compliance Profiler rules.
After you set up rules and run scans, you can run reports in ePolicy Orchestrator to see the results. See Working with Scan Results on page 46 for more information.


About System Compliance Profiler rules


System Compliance Profiler uses rules to determine what it should scan for on target computers. A rule is a set of conditions that the scanner looks for on client machines. Computers that meet these rules are compliant; those that do not are in violation of the rules. You can create rules that scan for specific files, registry keys, services, or Microsoft patches. For example, you can use System Compliance Profiler rules to search for specific patches that have been released by Microsoft to see how many computers on your network have the latest and most important security patches installed.

How System Compliance Profiler on-demand scans use rules
In most cases you can specify whether the item should or should not exist on a target computer. For example, you could create a rule to tell System Compliance Profiler that the file sample.exe should not exist on a specific computer. In some cases you can specify a value that items need to match in some way. For example, you could check an application's version number to make certain it is higher than 1.0. Rules describe what a target computer should have installed. If System Compliance Profiler finds that one of your rules does not apply (for example, an application is not installed where it should be), it considers this situation a rule violation.

Severity of rule violations
To help you distinguish between critical and less critical rule violations, rules have severity levels associated with them. When you create a new rule, you select Critical, Major, Minor, Warning, or Informational. If System Compliance Profiler finds a computer that doesn't meet the criteria in your rule, it attaches your chosen severity level to the violation data and relays this to ePolicy Orchestrator. When you create compliance reports to see your System Compliance Profiler scan results, you can view and filter the results based on these severity levels.

Note: Non-compliant rule groups have a severity level associated with them in System Compliance Profiler reports. You do not specify this level when you create a group. Instead, ePolicy Orchestrator assigns the group a severity level when it generates a report. If more than one rule in the group failed, ePolicy Orchestrator uses the highest severity level of the failed rules. For example, if both a Minor rule and a Critical rule failed, ePolicy Orchestrator would list the group's severity level as Critical in your reports.

File-based scanning and MD5 hashes
File-based System Compliance Profiler rules are useful for checking whether specific files exist, and at what version number. In some cases, however, you may need to scan files to verify that they have not been tampered with on target computers. System Compliance Profiler lets you do this by specifying an MD5 hash for scanned files. An MD5 hash is a file's digital signature. If anyone tampers with or changes the file, its digital signature changes. Copies of a file should have identical digital signatures. In order to create an MD5-based rule, you must have an existing hash for the file you want to verify. You can use commonly available utilities to generate this digital signature (for example, Command Line Message Digest Utility, available from http://www.fourmilab.ch/md5). Once you have the hash, paste it into your file-based System Compliance Profiler rule. The software will compare it to copies of the file on scanned computers, and alert you if it finds any inconsistencies in the signatures.
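As an added illustration (not McAfee code, and not a description of how the product is implemented internally), the Python model below evaluates file-based rules of the kinds described in this section against a constructed snapshot of a scanned computer: a file that must exist at a minimum version, a file that must not exist, a file whose MD5 must match a known-good copy, and the rule-group severity rule from the note above, where a failed group takes the highest severity among its failed rules. All paths, versions and file contents are constructed sample data. One caveat worth keeping in mind when you build MD5-based rules: MD5 is a checksum rather than a cryptographic signature, and MD5 collisions are practical today, so a mismatch is reliable evidence that a file differs from your reference, while a match only shows that the file equals the copy you hashed and is not proof against a deliberate adversary.

```python
"""Model of how file-based compliance rules are evaluated on a client:
should-exist / should-not-exist checks, a minimum version check, an MD5
integrity check, a per-rule severity, and the rule-group severity rule
(highest severity among the failed rules).

Added illustration, not McAfee code. Host snapshots, file contents and paths
below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Lowest to highest, matching the five levels named in the guide.
SEVERITY_ORDER = ["Informational", "Warning", "Minor", "Major", "Critical"]


def parse_version(version: str) -> Tuple[int, ...]:
    """Split '5.1.2600' into (5, 1, 2600) so that 1.10 ranks above 1.9."""
    return tuple(int(part) for part in version.split("."))


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest of file contents (the value you paste into a file-based rule)."""
    return hashlib.md5(data).hexdigest()


@dataclass
class FileRule:
    name: str
    path: str
    severity: str                      # one of SEVERITY_ORDER
    should_exist: bool = True
    min_version: Optional[str] = None  # only checked when should_exist is True
    md5: Optional[str] = None          # expected digest of a known-good copy


@dataclass
class HostFile:
    version: Optional[str]
    content: bytes


Host = Dict[str, HostFile]  # path -> file as found on the scanned computer


def evaluate_rule(rule: FileRule, host: Host) -> Optional[str]:
    """Return None when the host satisfies the rule, else a violation message."""
    found = host.get(rule.path)
    if not rule.should_exist:
        return None if found is None else f"{rule.path} is present but must not be"
    if found is None:
        return f"{rule.path} is missing"
    if rule.min_version is not None:
        if found.version is None or parse_version(found.version) < parse_version(rule.min_version):
            return f"{rule.path} version {found.version} is below required {rule.min_version}"
    if rule.md5 is not None and md5_hex(found.content) != rule.md5.lower():
        return f"{rule.path} MD5 does not match the known-good copy (file changed or wrong build)"
    return None


def evaluate_group(group: str, rules: List[FileRule], host: Host) -> dict:
    """Evaluate every rule in a group; group severity is the highest failed-rule severity."""
    violations = []
    for rule in rules:
        message = evaluate_rule(rule, host)
        if message is not None:
            violations.append((rule.name, rule.severity, message))
    severity = None
    if violations:
        severity = max((sev for _, sev, _ in violations), key=SEVERITY_ORDER.index)
    return {"group": group, "compliant": not violations,
            "severity": severity, "violations": violations}


# --- Constructed sample data (hypothetical paths and contents) ---------------
KNOWN_GOOD_SCANNER = b"constructed known-good scanner image"
TAMPERED_SCANNER = b"constructed known-good scanner image + extra bytes"

SAMPLE_RULES = [
    FileRule("sample.dll minimum version", r"C:\Windows\System32\sample.dll", "Major", min_version="1.1"),
    FileRule("sample.exe must be absent", r"C:\Temp\sample.exe", "Critical", should_exist=False),
    FileRule("scanner.exe integrity", r"C:\Program Files\Example\scanner.exe", "Minor",
             md5=md5_hex(KNOWN_GOOD_SCANNER)),  # hash taken from the trusted copy
    FileRule("example patch log present", r"C:\Windows\Patches\example-patch.log", "Warning"),
]

# Fails three of the four rules: old DLL, forbidden EXE present, tampered scanner.
NONCOMPLIANT_HOST: Host = {
    r"C:\Windows\System32\sample.dll": HostFile("1.0.0", b"old dll"),
    r"C:\Temp\sample.exe": HostFile(None, b"forbidden tool"),
    r"C:\Program Files\Example\scanner.exe": HostFile("1.1", TAMPERED_SCANNER),
    r"C:\Windows\Patches\example-patch.log": HostFile(None, b"installed"),
}

# The same computer after remediation: every rule passes.
COMPLIANT_HOST: Host = {
    r"C:\Windows\System32\sample.dll": HostFile("1.10", b"new dll"),
    r"C:\Program Files\Example\scanner.exe": HostFile("1.1", KNOWN_GOOD_SCANNER),
    r"C:\Windows\Patches\example-patch.log": HostFile(None, b"installed"),
}

if __name__ == "__main__":
    for label, host in (("noncompliant", NONCOMPLIANT_HOST), ("compliant", COMPLIANT_HOST)):
        result = evaluate_group("Custom Rules", SAMPLE_RULES, host)
        state = "compliant" if result["compliant"] else f"severity {result['severity']}"
        print(f"{label}: {state}")
        for name, sev, msg in result["violations"]:
            print(f"  [{sev}] {name}: {msg}")
```

The version check compares numeric components, so 1.10 correctly ranks above 1.9, which a plain string comparison would get wrong. The expected MD5 is generated from the copy of the file you trust, as the section says, never from the computer you are about to check; otherwise the rule would simply confirm whatever is already there.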


Types of rules used by System Compliance Profiler


The main Rules page of the System Compliance Profiler NAP file contains the list of rules available.
Figure 4-1 The main Rules page

Enable or disable any rule to include it in your scans
Including your rules in your on-demand compliance scans is easy: just enable any rules or rule groups you want to use in your scan by clicking in the appropriate checkbox. You can enable any combination of pre-defined rules and custom rules in this way.

Warning: In System Compliance Profiler 1.0, you could only enable pre-defined rules if you first copied them from the rule templates list to your active rules list. This is no longer necessary in version 1.1. You can enable any rule, either custom or pre-defined, simply by selecting it in the Rules list. You only need to copy a pre-defined rule to your Custom Rules group if you want to edit it to create a custom rule from it.

There are several different types of rules in this list:
- Pre-defined rules from McAfee
- Custom rules you create yourself
- Archived rules
Each of these is described below.

Pre-defined rules from McAfee
System Compliance Profiler 1.1 ships with a set of pre-defined rules for common types of patches and files that you will likely want to scan for on computers in your network. These include such things as all recent Windows security patches from Microsoft and common applications you may not want to allow on workstations in your network.


You can enable these rules to include them in your client on-demand scans. You can also use them as templates for creating your own custom rules. To do this, you can copy any rule group or rule from any of the pre-defined rule groups into your Custom Rules folder and modify it as needed. While you can edit copies of the pre-defined rules in your Custom Folder, you cannot edit or delete any of the original pre-defined rules.
Table 4-1 Pre-defined Rule Groups

Group name: Purpose

Security Patch Rules: Rules in this group test for the presence of recent Microsoft security patches, hotfixes, and service packs.

Infection Rules: These templates provide guides for detecting viruses and similar malicious applications. They complement, but do not replace, dedicated anti-virus software.

Application Rules: Templates in this group provide guides for detecting software that should, or should not, be allowed on network computers.

Misc Rules: This group contains templates that do not fit any of the other default template groups.

To copy a template, right-click its name and select Copy from the menu. This places all of the template's data on your Windows Clipboard, in text-only format. You can then paste the template into another group, or into the System Compliance Profiler Rules list (which makes it an active rule), or share the template with other users by sending them the template data. You can also copy templates sent to you from other users, and import them into your existing Templates and Rules Archive list.

Custom rules you create yourself

If none of the pre-defined rules meet your needs, you can create custom rules yourself. To do this, you can either create a rule from scratch or copy a pre-defined rule into your Custom Rules folder and edit it.

Archived rules

You can archive your custom rules in this group. This group contains archived copies of the custom rule sets you have saved. Saved rule sets are called archives. You can replace your current rule set with an archived rule set by clicking Activate.


About rule groups


All rules are organized in rule groups. When you create custom rules, you must first create a rule group container for them. Rule groups are logical collections of rules that System Compliance Profiler can test for together. You can enable rule groups to enable all the child rules within that group.
Figure 4-2 Rules are organized into groups (folders)


You can configure a rule group so that all child rules must match for the system to be compliant with the rule group, or so that the system is compliant with the group when any one of its child rules matches.
Figure 4-3 Create groups for similar rules

Use the All rules are true or Any rules are true options to specify which child rules of the group must be true for the system to be compliant with the rule group.

Creating and editing rules


You can create new custom rules in your Custom Rules folder, or you can open any custom rule you have already created and edit it.


Creating, editing and deleting rules
Defining criteria for rules

Creating, editing and deleting rules


From the list of rules on the main Rules policy page, you can create new rules, or edit and delete existing ones. You can only do this for rules in your Custom Rules folder. You cannot create or edit rules in any of the pre-defined rule groups.

Creating a new rule

1 On the System Compliance Profiler Rules page, right-click a group in the Custom Rules group and select Add Rule.
2 Enter rule criteria in the Add Rule page.
3 Click OK to save the changes to the rule.
4 Click Apply at the top of the page to save your policy changes.

Edit an existing rule

1 On the System Compliance Profiler Rules page, right-click an existing rule in the Custom Rules group and select Edit.
2 Make changes to the rule criteria in the Edit Rule page.
3 Click OK.
4 Click Apply at the top of the page to save your policy changes.

Delete an existing rule

1 On the System Compliance Profiler Rules page, highlight an existing rule in the Custom Rules group by clicking it once.
2 Click the Delete button.
3 Click Apply at the top of the page to save the policy change.

Defining criteria for rules


Use the Add Rule page (or the Edit Rule page when editing an existing rule) to specify the criteria for the rule. The Add Rule and Edit Rule pages are very similar. This section discusses the Add Rule page for adding rules, but most of the explanation also holds for editing existing rules in the Edit Rule page.


Criteria can include which versions of Windows to test for, and whether to test for specific files in specific folders, specific registry keys and registry key values, or the presence of a specific Microsoft patch.
Figure 4-4 Enter rule criteria in the Add Rule or Edit Rule page

All rules have the basic criteria of name, severity, and operating system. In addition, you can specify that the rule test for the existence (or nonexistence) of one of the following:

A file
A registry key
A Microsoft patch
An NT service

Each of these is covered in greater detail in the sections that follow.


Basic Criteria: severity and operating system


Table 4-2

Field: Description

Name of rule: Type a descriptive name for the rule in this field. This is how the rule displays in the rule list. Creating a meaningful name that describes what the rule is designed to scan for makes reading your System Compliance Profiler reports easier. For example, use MS Outlook RegKey for a rule that scans for Microsoft Outlook registry keys.

Severity: Specify a severity for the event that will be generated when a computer is found to be non-compliant with the rule. These severity levels are the same as for other ePolicy Orchestrator events: Critical, Major, Minor, Warning, and Informational. Severity level is a mechanism for determining how and when events, in this case scan results of rule violations, are sent by the ePolicy Orchestrator agent back to the server. You can also use severity to filter your compliance reports.

Note: Consider how you have your ePolicy Orchestrator agent policies configured for sending events back to the ePolicy Orchestrator server. By default, the agent forwards Critical events immediately to the server; events of all other severity types are saved by the agent and sent to the server at the agent's regular ASCI. Unless you change your default settings, it may take some time for non-critical scan results to be sent back to the server.

Operating System: Specify which operating systems the current rule pertains to. For example, if a certain registry key or Microsoft patch only exists with certain versions of Windows, you can deselect the Windows versions that don't apply. Some scans only work on certain operating systems. As a result, if you select Match a Microsoft patch or Match a service, System Compliance Profiler automatically deselects Windows 98 and Windows ME.

Matching a file

Select a basic root directory from the File path list, and enter any additional subdirectory names in the text box to complete the path. Enter the file name you want to scan for in the File name text box. You may use wildcards to match a file name: the ? wildcard matches a single character, and the * wildcard matches any number of characters.

From the remaining list, select a matching strategy for the rule (for example, File exists or Version is equal to). If necessary, enter an appropriate value in the associated text field. When matching a version number, the software only accepts numbers and points (e.g., 1.0.1). You cannot enter characters (e.g., 1a).

Matching a registry key

Select a basic key root from the Registry key list, and enter any additional key names in the text box to complete the path. Enter the name of the key value you want to scan for in the Value name text box.


From the remaining list, select a matching strategy for the rule (for example, Registry key exists or Data is equal to). If necessary, enter an appropriate value in the associated text field. When matching using the less than, greater than, or equal to operators, you can only match DWORD and String values. You may use wildcards for the value if you use the equal to operator: the ? wildcard matches a single character, and the * wildcard matches any number of characters.

Match a Microsoft patch

Enter the patch's unique Microsoft identifier in the Patch name text box. This value should begin with either Q... or KB... (for example, KB824141).

Match a service

Enter the name of the service in the Service name text box. Some common services that you might want to search for include:

IIS Admin Service
Internet Connection Sharing
Telnet
WWW Publishing Service

From the remaining list, select a matching strategy for the rule (for example, Service is running).
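The group logic from About rule groups (All rules are true / Any rules are true) and the file, registry, patch and service criteria described above can be modelled in a few lines. The following Python is an added example written for this guide, not McAfee's scanner code: it evaluates constructed rule dictionaries against a constructed client snapshot, and shows the ? and * wildcard behaviour and the numbers-and-points version rule the text describes. The CLIENT snapshot, the rule field names and the compare values such as version_eq are assumptions of the example, not product identifiers.

```python
"""Model of how a System Compliance Profiler rule group is evaluated.

Added example, not McAfee code: it reproduces the behaviour the guide
describes (All rules are true / Any rules are true, ? and * wildcards,
numeric dotted versions) against a constructed client snapshot instead of
a live Windows host. The rule and snapshot field names are assumptions.
"""
import re

# Constructed snapshot standing in for one scanned client (not real data).
CLIENT = {
    "files": {  # full path -> file version string
        r"C:\Program Files\Internet Explorer\iexplore.exe": "6.0.3790.0",
        r"C:\Windows\System32\telnet.exe": "5.1.2600.0",
    },
    "registry": {  # key -> {value name: data}
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\11.0\Outlook": {"Bitness": "x86"},
    },
    "patches": {"KB824141"},  # installed patch identifiers
    "services": {"Telnet": "stopped", "W3SVC": "running"},
}

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def is_valid_version(text):
    """Only numbers and points are accepted (1.0.1); a value like 1a is rejected."""
    return _VERSION_RE.match(text) is not None


def parse_version(text):
    """Dotted version -> tuple, so 6.0.3790.0 compares greater than 6.0.2800.0."""
    if not is_valid_version(text):
        raise ValueError("version must contain only numbers and points: %r" % text)
    return tuple(int(part) for part in text.split("."))


def wildcard_match(pattern, text):
    """? matches exactly one character, * matches any run of characters."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, text, re.IGNORECASE) is not None


def _split_path(path):
    """Return (lower-cased directory, file name) for a Windows path."""
    head, _, tail = path.rpartition("\\")
    return head.lower(), tail


def check_rule(rule, client):
    """True when the client matches the rule's criterion."""
    kind, compare = rule["type"], rule["compare"]
    if kind == "file":
        hits = [ver for path, ver in client["files"].items()
                if _split_path(path)[0] == rule["path"].lower()
                and wildcard_match(rule["name"], _split_path(path)[1])]
        if compare == "exists":
            return bool(hits)
        if compare == "not_exists":
            return not hits
        want = parse_version(rule["value"])  # rejects values such as 1a
        ops = {"version_eq": lambda v: v == want, "version_lt": lambda v: v < want,
               "version_gt": lambda v: v > want}
        return any(ops[compare](parse_version(ver)) for ver in hits)
    if kind == "registry":
        values = client["registry"].get(rule["path"])
        if compare == "key_exists":
            return values is not None
        data = (values or {}).get(rule["name"])  # data_eq: wildcards allowed
        return data is not None and wildcard_match(rule["value"], str(data))
    if kind == "patch":
        return rule["name"] in client["patches"]
    if kind == "service":
        state = client["services"].get(rule["name"])
        if compare == "running":
            return state == "running"
        return (state is not None) == (compare == "exists")
    raise ValueError("unknown rule type %r" % kind)


def check_group(group, client):
    """Apply the group's All rules are true / Any rules are true setting."""
    results = [check_rule(rule, client) for rule in group["rules"]]
    return all(results) if group["mode"] == "all" else any(results)


# Constructed groups patterned on the Security Patch and Application rule groups.
PATCH_GROUP = {"mode": "all", "rules": [  # every rule must hold
    {"type": "patch", "name": "KB824141", "compare": "installed"},
    {"type": "file", "path": r"C:\Program Files\Internet Explorer",
     "name": "iexpl*.exe", "compare": "version_eq", "value": "6.0.3790.0"},
]}
OUTLOOK_GROUP = {"mode": "any", "rules": [  # one matching indicator is enough
    {"type": "registry", "compare": "key_exists", "name": "",
     "path": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\11.0\Outlook"},
    {"type": "file", "path": r"C:\Program Files\Microsoft Office\OFFICE11",
     "name": "outlook.exe", "compare": "exists"},
]}
NO_TELNET_GROUP = {"mode": "all", "rules": [  # telnet must be fully absent
    {"type": "service", "name": "Telnet", "compare": "not_exists"},
    {"type": "file", "path": r"C:\Windows\System32",
     "name": "telnet.exe", "compare": "not_exists"},
]}
```

Against the constructed snapshot, PATCH_GROUP is compliant (both rules hold), OUTLOOK_GROUP is compliant because the registry indicator alone satisfies an Any group, and NO_TELNET_GROUP is non-compliant because telnet.exe and the Telnet service are both still present, which is the case where the scan would raise an event at the rule's severity.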

Using rules and rule groups for scanning


Topics covered in this section are:

Enabling and Disabling rules and rule groups
Using pre-defined rules as templates for custom rules
Copying rules or groups from one custom group to another
Importing and exporting rules to and from plain text
Archiving your custom rules for later use

Enabling and Disabling rules and rule groups


The Rules page lists all of the custom and pre-defined rules that exist for your installation of System Compliance Profiler. Just because they're in this list, however, doesn't mean that an SCP on-demand scan on a client computer can use them. You first have to enable the rules you want the on-demand client scan task to test for. All rules are disabled by default, and you must enable those rules that you want your System Compliance Profiler scan task to scan for. You can enable and disable individual rules, or rule groups, in the rule list so that System Compliance Profiler only applies the rules that you consider appropriate at a given time.


Enable both pre-defined and custom rules

While you can only edit or delete your own custom rules and rule groups, you can enable or disable any rule or rule group, either custom or pre-defined.

Enable and disable rules by selecting them in the list

To enable a rule:

1 From the Rules page of the System Compliance Profiler policy page, select a rule or group in the list so that its checkbox shows as checked. To enable every rule in a group, select the rule group, which enables all the child rules.
2 Click Apply to save your policy changes.

The changes to enabled rules will be passed to the System Compliance Profiler scanner on each client computer when the ePolicy Orchestrator agent for that computer calls into the server at its next ASCI. The newly enabled rules are used by the on-demand scan the next time that scan is scheduled to run.

Using pre-defined rules as templates for custom rules


You can copy any existing pre-defined rule or rule group into your Custom Rules group and edit it there. This can save you time over creating a rule from scratch. To do this:

1 On the System Compliance Profiler Rules tab, deselect Inherit if necessary.
2 In the list of pre-defined rules, select Copy to | Custom Rules. The rule or rule group is added to your Custom Rules group.
3 Open the copy of the rule in your Custom Rules folder and edit it as needed.
4 Click Apply to save the policy changes.

Copying rules or groups from one custom group to another


You can also move rules and groups around in your Custom Rules folder. For example, you may want to move a rule from one group to another. Use the Copy to Clipboard feature to copy and paste rules from one group to another. To do this:

1 On the System Compliance Profiler Rules tab, deselect Inherit if necessary.
2 Right-click the rule or group you want to copy and select Copy to | Clipboard.
3 Select a target group to which to add the copied rule or group.
4 Right-click the target group and select Paste.
5 Click Apply to save the policy changes.


Importing and exporting rules to and from plain text


In addition to using the Copy to Clipboard feature to paste copied rules or groups into other rule groups in your Custom Rules folder, you can also paste the rules into text files or e-mail messages. This allows you to share your System Compliance Profiler rules and rule groups with other users, for example another ePolicy Orchestrator administrator. You can also import other rules by pasting text rules into your System Compliance Profiler rule list in the ePolicy Orchestrator console.

To export a rule or group to a text file

1 On the System Compliance Profiler Rules tab, deselect Inherit if necessary.
2 Right-click the rule or group you want to export and select Copy to | Clipboard.
3 Open a text editor or e-mail message (or any Windows application field that accepts pasted text from the Windows Clipboard).
4 Paste the rule from the clipboard by using Ctrl-V or another Windows paste command.

In text format, exported rules look something like this, beginning with a BEGIN COPIED RULES header and ending with END COPIED RULES:

--- BEGIN COPIED RULES ---
RuleLabel_0=MS02-055 Unchecked buffer in Windows
RuleEnabled_0=true
RuleGroup_0=false
RuleType_0=2
...
RulePath_1_1=Internet Explorer
RuleName_1_1=iexplore.exe
RuleCompare_1_1=1
RuleValue_1_1=6.0.3790.0
--- END COPIED RULES ---

Note: While you can view, copy, and paste text versions of your rules and templates, System Compliance Profiler does not support editing them in text form. To edit a rule or template, paste its text into System Compliance Profiler, and then modify the resulting rule or template using the software's Edit Rule page.

Import a text-based rule or group into System Compliance Profiler

You can also view your copied rule or template text in any application that accepts plain text. Valid data starts with --- BEGIN COPIED RULES --- and finishes with --- END COPIED RULES ---. Make certain that you include these lines when you import or export data, or your selected rules or templates will not work properly.

To import a plain text rule:

1 Obtain a text version of the rule or template that you wish to use.


2 Select and copy the rule text, including the --- BEGIN COPIED RULES --- and --- END COPIED RULES --- lines.
3 Open the System Compliance Profiler Rules tab in the ePolicy Orchestrator console.
4 Navigate to the group where you want to import the data.
5 Right-click the group name, and click Paste. System Compliance Profiler uses the imported data as a new rule or group.
6 Click Apply to save your changes.
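Because rule text travels by e-mail and the BEGIN and END lines are easy to lose in transit, it helps to check a received block before pasting it into the console. The following Python is an added example, not part of the product or of this guide: it parses the Key_n=value lines of the export format shown above, rejects a block that is missing either delimiter line or that contains a line in the wrong shape, and groups the entries by their index suffix. The SAMPLE block is constructed from the guide's fragment with illustrative values; the meaning of the numeric codes such as RuleType and RuleCompare is not documented here, so the parser keeps them as opaque strings.

```python
"""Check and parse a System Compliance Profiler copied-rules text block.

Added example, not McAfee code: it models the plain-text format shown in
the guide so that a rule set received by e-mail can be validated before it
is pasted into the console. Numeric codes such as RuleType and RuleCompare
are not documented here and are kept as opaque strings.
"""
import re

BEGIN = "--- BEGIN COPIED RULES ---"
END = "--- END COPIED RULES ---"

# Key_<n>[_<m>...]=value, e.g. RuleLabel_0=... or RulePath_1_1=...
_ENTRY_RE = re.compile(r"^(?P<name>[A-Za-z]+)(?P<idx>(?:_\d+)+)=(?P<value>.*)$")


class RuleTextError(ValueError):
    """The text is not a well-formed copied-rules block."""


def parse_copied_rules(text):
    """Return {index_tuple: {key: value}} for the block, or raise RuleTextError.

    The BEGIN/END lines must be the first and last non-blank lines, every
    line between them must be Key_n=value, and RuleEnabled must be true/false.
    """
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if not lines or lines[0] != BEGIN:
        raise RuleTextError("missing %r as the first line" % BEGIN)
    if len(lines) < 2 or lines[-1] != END:
        raise RuleTextError("missing %r as the last line" % END)
    entries = {}
    for number, line in enumerate(lines[1:-1], start=2):
        match = _ENTRY_RE.match(line)
        if not match:
            raise RuleTextError("line %d is not Key_n=value: %r" % (number, line))
        indices = tuple(int(n) for n in match.group("idx").split("_")[1:])
        name, value = match.group("name"), match.group("value")
        if name == "RuleEnabled" and value not in ("true", "false"):
            raise RuleTextError("RuleEnabled must be true or false: %r" % value)
        entries.setdefault(indices, {})[name] = value
    return entries


def is_valid_rule_text(text):
    """True when parse_copied_rules accepts the text."""
    try:
        parse_copied_rules(text)
    except RuleTextError:
        return False
    return True


def enabled_labels(entries):
    """Labels of entries whose RuleEnabled flag is true."""
    return [entry["RuleLabel"] for entry in entries.values()
            if entry.get("RuleEnabled") == "true" and "RuleLabel" in entry]


# Constructed sample patterned on the guide's fragment (values are illustrative).
SAMPLE = """\
--- BEGIN COPIED RULES ---
RuleLabel_0=MS02-055 Unchecked buffer in Windows
RuleEnabled_0=true
RuleGroup_0=false
RuleType_0=2
RulePath_1_1=Internet Explorer
RuleName_1_1=iexplore.exe
RuleCompare_1_1=1
RuleValue_1_1=6.0.3790.0
--- END COPIED RULES ---
"""

# A copy that lost its trailer in transit, which the guide warns will not import.
TRUNCATED = SAMPLE.replace(END, "")
```

Run parse_copied_rules on the text you received and only paste it into the console once is_valid_rule_text returns True; the index tuples ((0,) for the top-level entry, (1, 1) for the nested one) let you see at a glance how many rules and groups the block carries before they become active rules.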

Archiving your custom rules for later use


The Archive button saves a snapshot of all groups and rules in your Custom Rules folder. You can use this feature to save the rules and rule groups that are currently in your Custom Rules group as a rule set.

Archiving a rule set

1 On the System Compliance Profiler Rules tab, deselect the Inherit checkbox.
2 In the System Compliance Profiler Rules list, select your rule set.
3 Click Archive. System Compliance Profiler asks for a name for the archived rule set. It uses the name of the current rule set by default.
4 Enter an archive name, then click OK. System Compliance Profiler adds the archived rule set to the Archives group in the Templates and Rules Archive list.

Restoring an archived rule set

1 On the System Compliance Profiler Rules tab, deselect the Inherit checkbox.
2 In the Archive list, open your Archives group.
3 Select the name of the rule set that you want to use.
4 Click Activate. System Compliance Profiler asks you to verify that you want to overwrite your existing rule set with the archived rule set.
5 Click OK.


Scheduling System Compliance Profiler on-demand scan tasks


You can configure, schedule, and run client-side scan tasks for System Compliance Profiler through the ePolicy Orchestrator console, just as you would create update tasks for the agent or on-demand scans for other security products installed on client computers, such as VirusScan Enterprise or GroupShield for Exchange servers.

System Compliance Profiler includes an On-Demand Scan client task. This scan task is included in ePolicy Orchestrator 3.5 and 3.6 by default. In ePolicy Orchestrator 3.0, it is added when you install the System Compliance Profiler NAP file.

System Compliance Profiler uses the on-demand scan to collect compliance information about the computer on which it is installed. This is the only way that System Compliance Profiler collects this information, so it is important to schedule these scans to run frequently and regularly. At the next agent-to-server communication (ASCI) after a successful scan completes, the agent communicates the scan results back to the ePolicy Orchestrator server. These results are stored in the database, where you can view task results by generating System Compliance Profiler reports. You can set up scan tasks for a single computer, or for all the computers that belong to a group or site.

What's in this section

This section covers the basics of how to use the ePolicy Orchestrator console to create, configure, and schedule an on-demand scan for System Compliance Profiler. Many aspects of creating and scheduling this scan are similar to other client tasks in ePolicy Orchestrator. For more information about running client tasks through ePolicy Orchestrator, see the ePolicy Orchestrator Product Guide.

How to set up a System Compliance Profiler on-demand scan

1 Create a new System Compliance Profiler on-demand scan.
2 Enable and schedule the new on-demand scan task.

The rest of this section covers these steps in more detail.

Create a new System Compliance Profiler on-demand scan


1 In the console tree, right-click the site, group, or node for which you want to create a new task, then select Schedule Task.
2 In the Schedule Task dialog box, enter a descriptive name for the task, such as Daily SCP on-demand scan, in the New Task Name text box.


3 Select System Compliance Profiler 1.1 On-Demand Scan from the software tasks list.
Figure 4-5 Create a System Compliance Profiler on-demand scan

4 Click OK.
5 Press F5 to refresh the console and make the new task appear in the list in the Task tab. Note that it is scheduled to run daily at the current day and time. Also note that the Enabled flag is set to False; we now need to set this to True and schedule it.

Enable and schedule the new on-demand scan task


After you've created a new task, enable and schedule it so that it runs at regular intervals that you specify. How often you schedule the task is up to you. The example in these instructions shows how to schedule it to run once a day. See the ePolicy Orchestrator Product Guide for more information on scheduling client tasks. To enable and schedule the new task you just created:


1 Right-click the new task in the task list and select Edit Task.
Figure 4-6 Edit the newly created scan task

2 Deselect Inherit under the Schedule Settings section of the ePolicy Orchestrator Scheduler dialog box.
3 Select Enable. This is very important: the scan does not run unless you enable it!
4 Click the Schedule tab and deselect Inherit.
5 Set the Schedule Task options as desired. For example, you might want to schedule it to run Daily at a specified local time on the machine. See the ePolicy Orchestrator Product Guide for more detailed information on scheduling client tasks.
6 When you have finished scheduling the task, click OK.

The task is now listed in the Tasks list with its Enabled property set to True. The task will run at the next scheduled time that you have configured. Note that the task will be passed to System Compliance Profiler clients deployed on computers the next time the agent for each computer calls into the server as part of its regular ASCI. If you want clients to pick up the new scan task immediately (for example, if you have scheduled the task to Run Immediately), you can initiate a manual agent wakeup call. See Performing an agent wakeup call on page 51 or the ePolicy Orchestrator Product Guide for more information on agent wakeup calls.

Update pre-defined System Compliance Profiler rules from McAfee


McAfee may release new templates for System Compliance Profiler from time to time. To obtain the latest software and template releases, you must update the software. System Compliance Profiler 1.1 allows you to automatically update pre-defined McAfee rules by using the same update procedure that you're already using for updating the anti-virus DAT and engine files used by your anti-virus software, such as VirusScan Enterprise. You should already be using regularly scheduled repository pull and replication tasks to update your software repositories with new DATs and engines, and then using scheduled client update tasks to deploy these updates to client computers on your network. You can use these same update tasks to also update your System Compliance Profiler rules.


Overview of update process: same as for DATs

Basically, update your System Compliance Profiler rules as follows:

1 Pull pre-defined rules from the McAfee web site to your master software repository on your ePolicy Orchestrator server using a repository pull task. This can either be a manual Pull Now server task, or you can create a scheduled pull task to pull updates from the McAfee source repository at regularly scheduled intervals.
2 Replicate the updates in the master repository to any distributed repositories, if you have them.
3 Schedule an ePolicy Orchestrator Agent Update client task to have your client computers update their System Compliance Profiler rules from the nearest repository.

See the ePolicy Orchestrator Product Guide for details on how to create and schedule all of these tasks to update both DATs and System Compliance Profiler rules.

Be sure to configure selective updating appropriately if you're using ePolicy Orchestrator 3.5 or 3.6

If you're using ePolicy Orchestrator 3.5 or 3.6, remember that the selective updating feature doesn't update all signatures automatically. You can selectively choose which individual updates (DATs, engine files, ePolicy Orchestrator agent or anti-virus software patches, etc.) are updated each time an update task runs. By default, all updates except DATs and anti-virus engines are disabled in all client tasks. The selective updating feature allows you to save bandwidth by scheduling different updates for different software exactly when you need them. For example, DATs are updated frequently, so you will want to have one update task to update them, probably at least once per day. On the other hand, service packs for security products such as VirusScan Enterprise are released much less often. You can create a separate client update task to only update VirusScan Enterprise patches and schedule it to run less frequently, perhaps once a week. Or, you can limit network traffic generated by ePolicy Orchestrator even more by not scheduling this task at all, but rather running it manually when patches are released.

Tip: McAfee updates System Compliance Profiler rules about once per month, much less frequently than anti-virus DATs, which are updated weekly or several times per week. To conserve network bandwidth, especially if you are deploying ePolicy Orchestrator to a large network, consider creating a separate client update task for updating compliance scan rules. Schedule it to run less frequently than your DAT update task. For example, while you might want to schedule your DAT client update task to run several times per day, try scheduling your System Compliance Profiler rules update task for once a week. Alternatively, you could schedule it to run immediately and leave it disabled, only running it manually when McAfee posts updated rules.

To configure an existing client update task to also update your pre-defined McAfee System Compliance Profiler rules:

1 In the ePolicy Orchestrator console tree, select the Directory node for which you want to configure the task (either the Directory root, or a site, group, or individual computer).
2 In the upper details pane, select the Tasks tab.


3 Double-click your ePolicy Orchestrator Agent Update task.
4 In the ePolicy Orchestrator Scheduler dialog box, select the Task tab and click Settings.
5 In the Task Settings dialog box, select System Compliance Profiler Rules from the list of Signatures and Engines.
Figure 4-7 Task Settings dialog box

6 Click Apply to save the changes. ePolicy Orchestrator will push the changes to the client update task to each client the next time that computer's agent calls into the ePolicy Orchestrator server. The update task will run on the client at the next scheduled time.

Tip: The global updating functionality of ePolicy Orchestrator uses the same selective updating feature as the agent update client task. In global updating, selective updating allows you to control what kinds of updates trigger a global update. By default, a global update is triggered only if DAT or engine files are checked into the master repository. Configure global updating on the Settings tab of the ePolicy Orchestrator console. To enable compliance rules for global updating, select the System Compliance Profiler rules option. See the ePolicy Orchestrator Product Guide for more information on how to do this and on using the global updating feature.


Working with Scan Results


Run reports in ePolicy Orchestrator to display scan results

When you scan network computers using System Compliance Profiler, the ePolicy Orchestrator agent on these computers sends the scan results to the ePolicy Orchestrator server. To review the results, you run reports using the ePolicy Orchestrator reporting feature. This section provides an overview of how to create System Compliance Profiler reports in ePolicy Orchestrator. Once you generate a report, you can:

Save the report in several formats, including HTML, RTF, and XLS (Microsoft Excel).
Print the report.
Refresh the report.
Search the report.

For more information on these actions and on reporting, see your ePolicy Orchestrator documentation.

What's in this chapter

System Compliance Profiler reports
About running System Compliance Profiler reports in ePolicy Orchestrator
Generating System Compliance Profiler reports

System Compliance Profiler reports


When you install the System Compliance Profiler software, you add several report templates to ePolicy Orchestrator as well. To generate a System Compliance Profiler report, you must select one of these reports and, if necessary, customize it to show only the information you want. For example, you can select the time period that you want to generate reports on.

Drilling down for detailed report information

In many cases you can drill down for more details on a report. When viewing reports, look for areas where your mouse pointer turns into a magnifying glass icon. This icon represents report data that you can get more information on. Double-click the report data, and ePolicy Orchestrator will produce a Details report.

The sections that follow describe each System Compliance Profiler report, including the drill-down detail reports available from it.


Historical Summary by Severity


This report displays information about all detected rule violations, broken down by severity level. This data is shown both in bar graph form, and in a summary table.
Table 5-1 Drill-down details

Detail: Description

Severity Details: Provides a list of the groups that contain rule violations for a specific severity level. Also indicates how many violations each group registered.

Group Details: Provides a list of rules violated within a specific group, and the number of times each rule was violated.

Rule Details: Provides detailed information on a specific rule, indicating which computers violated it, and when.

Compliance & Non-Compliance Summary


This report shows the number of scanned computers that are:

Compliant with System Compliance Profiler rules;
Not compliant with one or more rules;
Unknown, either because they have not run any scan yet, or because they have not run the most recent scan.

Warning: Version 1.1 includes a reboot required field for computers that were not compliant when the scan ran, but which most likely would be if they were rebooted. This can happen when the System Compliance Profiler scan runs after a patch or service pack is installed but before a required reboot of that system occurs. Computers in this state will likely become compliant as soon as they are rebooted.

This information is shown in both a pie chart and in a summary table.


Table 5-2 Drill-down details

Detail: Description

Non-Compliant Computers: Provides a list of computers that contributed to the percentage of non-compliant computers.

Computer Details: For a specific computer, provides system information and a list of groups containing rule violations.

Group Details: For a specific group, provides a list of violated rules, the time when these were detected, and the associated severity levels.


Non-compliance by Computer Name


This report presents a table that shows how many rules each non-compliant computer violates. The table lists each scanned computer's host name and IP address.
Table 5-3 Drill-down details

Detail: Description

Computer Summary: Provides system information for a specific computer, and a list of the groups that have rule violations.

Rule Violation Details: Provides a list of the rules violated within a specific group, as well as when these violations occurred, and at what severity level.

Non-Compliance Summary by Group


This report shows how many rule violations System Compliance Profiler found for each of your rule groups. The information is presented in both tabular and bar graph format.
Table 5-4 Drill-down details

Detail: Description

Group Details: Provides a list of the rules violated within a specific group, as well as when these violations occurred, and at what severity level.

Computer Summary: Provides a list of computers that violated a specific rule.

Violation Time Details: Provides system information for a specific computer, and the time when it violated the selected rule.

Non-Compliance Summary by Severity


This report shows how many rule violations System Compliance Profiler found for each rule severity level. The information is presented in both tabular and bar graph format.
Table 5-5 Drill-down details

Detail: Description

Severity Details: Provides a list of groups that contributed to the total number of violations at a specific severity level.

Group Details: Provides a list of the rules violated within a specific group, and a count of how many computers violated each rule.

Rule Details: Provides detailed information on a specific rule, indicating which computers violated it, and their general system information.

About running System Compliance Profiler reports in ePolicy Orchestrator


Before running reports on System Compliance Profiler scan results for the first time, follow the instructions in this section to enable new System Compliance Profiler reports. You may need to do these even if you are running ePolicy Orchestrator 3.5 or 3.6, and the System Compliance Profiler reports were added automatically when you installed the ePolicy Orchestrator server.

This section covers the following topics:
Enable System Compliance Profiler reports before running them the first time.
Make sure latest scan results are in the database before running reports.
If you only want to run a report on one site or group.

Enable System Compliance Profiler reports before running them the first time
This section covers a few things you may need to do to enable new System Compliance Profiler reports with ePolicy Orchestrator.

Deploy System Compliance Profiler to the ePolicy Orchestrator server if using ePolicy Orchestrator 3.0.x
If you are running System Compliance Profiler 1.1 with ePolicy Orchestrator version 3.0.x, you must deploy System Compliance Profiler to your ePolicy Orchestrator server in order for reports to work properly. Install System Compliance Profiler on your ePolicy Orchestrator server as you would install it on any computer in your network. You can install it manually or use the ePolicy Orchestrator deployment task. See Chapter 3, Deploying the System Compliance Profiler client scanner, for more details on how to install System Compliance Profiler on client computers, including the ePolicy Orchestrator server.

Log into the database with ePolicy Orchestrator admin credentials the first time
The first time you access your System Compliance Profiler reports after installing or upgrading the software, you may need to log in to the ePolicy Orchestrator Reporting feature using your ePolicy Orchestrator credentials. Afterward, you can log in using any credentials, such as SQL credentials to your database server; for routine reporting, prefer an account that has only the database rights reporting needs rather than the admin account. To do this:
1 Start ePolicy Orchestrator and log on to your server.
2 In the console tree, expand Reporting.
3 Expand ePO Databases. Your ePolicy Orchestrator server name should appear below this node.
4 Select your server name to open the ePO Database Login dialog box.

5 Enter the user name and password for your ePolicy Orchestrator admin account.
Figure 5-1 Log into the database using ePolicy Orchestrator admin credentials

6 Make sure the Authentication type is set to ePO authentication.
7 Click OK. Wait while ePolicy Orchestrator downloads the new reports for System Compliance Profiler.
You can now generate System Compliance Profiler reports using the event data stored on this ePolicy Orchestrator server.

Make sure latest scan results are in the database before running reports
You cannot create System Compliance Profiler reports unless you have data to base them on. This data comes from computers running System Compliance Profiler. These computers collect data during the scans that you set up, then send it to the server the next time the ePolicy Orchestrator agent communicates with the server. At each agent-to-server communication interval (ASCI), the data is stored in the ePolicy Orchestrator database for use in your reports.

There is always a delay between when a computer finishes a scan and when you can run reports based on its results in ePolicy Orchestrator. Two major factors influence this delay:
The completeness of a scan. If a scan fails to finish, System Compliance Profiler may not pass along complete results to ePolicy Orchestrator.
The agent-to-server communication interval (ASCI). Your System Compliance Profiler computers communicate with ePolicy Orchestrator at specific intervals, via ePolicy Orchestrator agents. If a scan finishes shortly after an agent-to-server communication, the agent does not pass on the scan results until its next agent-to-server communication. By default the ASCI is set to 60 minutes.

The ASCI is determined by your ePolicy Orchestrator Agent policy settings. You can lower the default values to reduce the communication lag between System Compliance Profiler and ePolicy Orchestrator; keep in mind that a shorter interval makes every managed agent contact the server more often, so an Agent Wakeup Call just before you run reports is usually the cheaper way to get current results. The key settings are the Agent to Server communication interval on the General tab, and the Event Forwarding settings on the Events tab of the ePolicy Orchestrator Agent | Configuration policy pages. See the ePolicy Orchestrator documentation for more information.

Performing an agent wakeup call
You can also force ePolicy Orchestrator to collect agent information between communication intervals by performing an Agent Wakeup Call.
1 In the ePolicy Orchestrator Directory, right-click the name of the site, group, or computer that you want to update.
2 Select Agent Wakeup Call. The Agent Wakeup Call dialog box appears.
3 Under Type, select Send Agent wakeup call.
4 Change the Agent randomization interval to 0. This forces ePolicy Orchestrator to update the ePO agent(s) immediately. For a large site or group this means every agent connects at once, so keep a randomization interval when you wake up many computers at a time.
5 Select Get full product properties.
6 Click OK to send the agent wakeup call.

If you only want to run a report on one site or group


ePolicy Orchestrator allows you to run reports for computers in specific sites or groups in the console tree Directory. To do this:
1 In the ePolicy Orchestrator console tree, expand Reporting, then ePO Databases.
2 Right-click the name of your ePolicy Orchestrator server.
3 Select Set Directory Filter to open the Directory Filtering dialog box.
4 Select any ePolicy Orchestrator groups that you want your System Compliance Profiler reports to cover.
5 Click OK.

Generating System Compliance Profiler reports


When you generate a System Compliance Profiler report, you have the option of customizing it. This means that you can specify what information you want included in the report, what filters you want to apply, and how you want the report displayed.
Tip: As a best practice, McAfee recommends that you perform an Agent Wakeup Call for all System Compliance Profiler computers before generating any reports. This ensures that your reports include the results of every scan that has already finished. See Performing an agent wakeup call on page 51 for instructions.
To generate a report for System Compliance Profiler:
1 In the ePolicy Orchestrator console tree, expand Reporting, then ePO Databases.
2 Double-click the name of your ePolicy Orchestrator server to expand it. Reports, Queries, and Events should appear below the server name.

3 Expand Reports, then System Compliance Profiler.


Figure 5-2 System Compliance Profiler reports in ePolicy Orchestrator

ePolicy Orchestrator displays a list of all System Compliance Profiler reports. If the reports don't appear in the expanded list, see Enable System Compliance Profiler reports before running them the first time on page 49.
4 Select the report that you want to run. See System Compliance Profiler reports on page 46 for a list. ePolicy Orchestrator asks whether you want to customize the report.
5 Do one of the following:
Table 5-6
To                               Do
Generate the report immediately  Click No. Skip the rest of this procedure.
Customize the report             Click Yes.

6 In the customization dialog box, set up any filters that you want to apply.
Table 5-7
Tab                 Use to
Rule Description    Filter the results based on rule description criteria.
IP Address          Identify which IP addresses you want to see results from.
Severity            Identify which levels of rule violations you want to see results from.
Event Time          Filter based on when rule violations occurred.
Domain Name         Identify which network domain(s) you want to see results from.
Directory           Identify which ePolicy Orchestrator site(s) you want to see results from.
OS Type             Filter based on a specific operating system version (for example, Windows 2000).
OS Platform         Filter based on a specific operating system type (for example, Server or Workstation).
Computer Name       Identify which computers you want to see results from.

7 Click OK. ePolicy Orchestrator generates the report and displays it in the details pane.


Frequently Asked Questions


Answers to common questions around installing and using System Compliance Profiler with ePolicy Orchestrator

This section provides answers to common situations that you might encounter when installing or using the System Compliance Profiler software. It answers common questions concerning:
Installations
Policies
Scans
Reports

Installations
How can I verify that System Compliance Profiler deployed properly?
There are two ways to check whether the System Compliance Profiler software is deployed on a remote computer:
In the ePolicy Orchestrator console: In the console tree, select the name of the remote computer. Select the Properties tab from the Details pane. System Compliance Profiler should appear in the list of installed applications.
On the client computer: Find the ePolicy Orchestrator agent icon in the system tray. Right-click it, and select About. System Compliance Profiler should appear in the Version Information list.
Note: To access the agent About dialog box from the client computer, you must enable the user interface for the ePolicy Orchestrator agent. This option is disabled by default. To enable the interface on the client, use the agent policy pages in the ePolicy Orchestrator console to select the Show agent tray icon option. See the ePolicy Orchestrator documentation for details.
Can I deploy System Compliance Profiler using third-party software?
Yes. To deploy System Compliance Profiler using a third-party tool, configure your deployment software to distribute and execute PatchScanInstaller.exe on target computers.

If you are using ePolicy Orchestrator 3.0.x, you must also deploy the software to your ePolicy Orchestrator server in order for compliance reporting to work (this is not required with ePolicy Orchestrator 3.5 or 3.6). Also, be sure to deploy ePolicy Orchestrator agents to all computers to which you deploy System Compliance Profiler. Furthermore, before you can use the deployed software, you must:
Manually install the System Compliance Profiler NAP on your ePolicy Orchestrator server (see Chapter 2, Adding System Compliance Profiler to ePolicy Orchestrator).
Set up rules and scan tasks in ePolicy Orchestrator (see Using compliance rules and scans on page 29).
ePolicy Orchestrator will then detect the deployed System Compliance Profiler software and send out rules and scan tasks.

To remove the System Compliance Profiler software, configure your deployment tool to run PatchScanInstaller.exe /u from either the target computer's system32 or system directory.

Policies
Can I share rules with other System Compliance Profiler administrators?
Yes. You can copy a System Compliance Profiler rule, group, or archived rule set, and send the data to other users in plain text format. You can also take data that they send you and paste the plain text version directly into a System Compliance Profiler rule group. Review rules you receive before pasting them in, since the rule set defines what your scans treat as compliant. For more information, see Importing and exporting rules to and from plain text on page 39.

Can I export and import policies using ePolicy Orchestrator?
Yes, you can use the ePolicy Orchestrator policy export feature to create a copy of a System Compliance Profiler rule set. See your ePolicy Orchestrator documentation for details. Note, however, that when you import the policy, it overwrites all custom, predefined, and archived rules. To avoid affecting a user's templates and archived rule sets, use the System Compliance Profiler text export and import features. See Importing and exporting rules to and from plain text on page 39.

Scans
How do I determine whether a scan finished properly?
Generate a System Compliance Profiler report and look for results.
Check the ePolicy Orchestrator agent log on the scanned computer. When a scan runs successfully, the following entry appears in the ePolicy Orchestrator agent log:
    The task <TaskName> is successful.
<TaskName> is the name you assigned to the System Compliance Profiler on-demand scan task in ePolicy Orchestrator. See Scheduling System Compliance Profiler on-demand scan tasks on page 41.

Can I run a System Compliance Profiler scan from a remote computer?
No, you cannot start a System Compliance Profiler task manually on a remote computer. The System Compliance Profiler software is entirely managed by ePolicy Orchestrator.
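The agent log check above can be automated. The following Python script is an added example written for this guide, not McAfee code: it searches agent log text for the success entry quoted above and reports, per task name, when the last successful run was logged. The sample log lines are constructed, the task names are made up, and the timestamp prefix on each line is an assumption; only the message text "The task <TaskName> is successful." comes from the guide.

```python
"""Confirm that a System Compliance Profiler scan task finished by looking for
the success entry in the ePolicy Orchestrator agent log.  Added example, not
McAfee code.  The sample log below is constructed and its timestamp prefix is
an assumption; only the success message text comes from the guide."""
import re
from datetime import datetime

# Message text from the guide: "The task <TaskName> is successful."
SUCCESS_RE = re.compile(r"The task (?P<task>.+?) is successful\.")
# Assumed line prefix; real agent logs may differ, so it is optional below.
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample agent log: two successful weekly scans, one unrelated
# task, and a baseline scan that never logged a success entry.
SAMPLE_AGENT_LOG = """\
2005-06-14 02:00:03 Scheduler: starting task SCP Weekly Scan
2005-06-14 02:15:07 The task SCP Weekly Scan is successful.
2005-06-14 03:00:01 The task Update DATs is successful.
2005-06-15 02:00:02 Scheduler: starting task SCP Weekly Scan
2005-06-15 02:15:07 The task SCP Weekly Scan is successful.
2005-06-16 02:00:02 Scheduler: starting task SCP Baseline Scan
2005-06-16 02:01:11 Scheduler: task SCP Baseline Scan was interrupted
"""


def successful_tasks(log_text):
    """Map each task name to the datetime of its latest success entry.

    A success line whose timestamp does not parse is kept with time None,
    so an unexpected prefix never hides a completed scan."""
    latest = {}
    for line in log_text.splitlines():
        m = SUCCESS_RE.search(line)
        if not m:
            continue
        ts = TIMESTAMP_RE.match(line)
        when = datetime.strptime(ts.group(1), TIME_FORMAT) if ts else None
        task = m.group("task")
        if task not in latest or (when is not None and
                                  (latest[task] is None or when > latest[task])):
            latest[task] = when
    return latest


def scan_completed(log_text, task_name, since=None):
    """True if `task_name` (the name given to the on-demand scan task in
    ePolicy Orchestrator) logged a success, optionally only after `since`
    ("YYYY-MM-DD HH:MM:SS").  Success means the scan finished on the client;
    its results still reach the server at the next agent-to-server contact."""
    latest = successful_tasks(log_text)
    if task_name not in latest:
        return False
    when = latest[task_name]
    if since is None or when is None:
        return True
    return when > datetime.strptime(since, TIME_FORMAT)


if __name__ == "__main__":
    for task, when in successful_tasks(SAMPLE_AGENT_LOG).items():
        print(f"{task}: last success {when}")
    print("Baseline scan completed:",
          scan_completed(SAMPLE_AGENT_LOG, "SCP Baseline Scan"))
```

Pass the exact task name you gave the scan task in ePolicy Orchestrator, and pass `since` as the time the task was scheduled so that an old success entry from a previous run is not mistaken for the current one. A success entry only confirms that the scan finished on the client; the results still travel to the server at the next agent-to-server communication, as described under Make sure latest scan results are in the database before running reports.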

Reports
Why don't I see any System Compliance Profiler reports in ePolicy Orchestrator?
If you are using ePolicy Orchestrator 3.0.x, make certain that you added the Patch_Reports.nap file to the ePolicy Orchestrator Repository. The reporting NAP is added automatically with ePolicy Orchestrator 3.5 and 3.6. (See Adding System Compliance Profiler to the ePolicy Orchestrator server on page 20.)
Try logging into the ePolicy Orchestrator Reporting feature using your ePolicy Orchestrator admin credentials instead of an NT or SQL account. You only need to do this the first time you access reports. Afterward, you can log in using any credentials. (See Enable System Compliance Profiler reports before running them the first time on page 49.)

Why don't I see scan results in my reports?
If you are using ePolicy Orchestrator 3.0.x, make certain that you deployed the System Compliance Profiler software to your ePolicy Orchestrator server as well as to your remote computers. If you do not deploy the software to the ePolicy Orchestrator server, your reports will not work properly. (See Enable System Compliance Profiler reports before running them the first time on page 49.)
Make certain that you created and scheduled a System Compliance Profiler scan task in ePolicy Orchestrator. (See Scheduling System Compliance Profiler on-demand scan tasks on page 41.)
Make certain that System Compliance Profiler had enough time to report its scan results to ePolicy Orchestrator. There is a time delay between when a scan runs and when the scan results become available to ePolicy Orchestrator, depending on your ASCI. (See About running System Compliance Profiler reports in ePolicy Orchestrator on page 49.)
Make certain that System Compliance Profiler should be reporting results. If a computer complies with all your System Compliance Profiler rules, and has never violated them, then you will not see results for that computer in most reports. Only the Compliance/Non-Compliance Summary report shows compliant computers; all other reports show only rule violations.

Why do I get the following error message in my report: "Please verify that the System Compliance Profiler is deployed to your ePolicy Orchestrator server and that you have received data from the deployed System Compliance Profilers."?
This message appears in your reports if:
You are using ePolicy Orchestrator 3.0.x and did not deploy the System Compliance Profiler software to your ePolicy Orchestrator server. (See Enable System Compliance Profiler reports before running them the first time on page 49.)
Your deployed System Compliance Profilers have not yet returned the results from scans that you set up. (See About running System Compliance Profiler reports in ePolicy Orchestrator on page 49.)

What does Unknown Scan Results mean?
This message appears in your reports to indicate that System Compliance Profiler does not have the most up-to-date scan results for specific computers or groups. This occurs each time you set up new rules for your System Compliance Profiler scans. When you do this, the software changes the status of all your existing System Compliance Profiler computers to Unknown. They remain in that state until they finish a scan using the new rules, and return those scan results to ePolicy Orchestrator. Once computers return results using the latest set of System Compliance Profiler rules, their status in reports changes to something more informative. Until then, an Unknown computer has not been checked against the current rules, so do not read Unknown as compliant. To apply your latest System Compliance Profiler rules and get scan results faster, perform an Agent Wakeup Call in ePolicy Orchestrator. See Performing an agent wakeup call on page 51.
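The delivery delay described under Make sure latest scan results are in the database before running reports and the Unknown state described above can be modelled together, along with the per-computer and per-severity counts the reports show. The following Python script is an added example written for this guide, not McAfee code. It assumes a fixed agent-to-server communication interval per computer, treats an Agent Wakeup Call with a randomization interval of 0 as an immediate contact that carries only results that already exist, and uses constructed host names, rule names, severities and scan times.

```python
"""How System Compliance Profiler scan results reach ePolicy Orchestrator
reports: the ASCI delivery delay, the effect of an Agent Wakeup Call, and the
Unknown status that a rule-set change causes.  Added example for this guide,
not McAfee code.  Host names, rule names, severities and times are constructed."""
from dataclasses import dataclass, field


@dataclass
class ScanResult:
    computer: str
    ruleset_version: int          # version of the rule set the scan ran against
    scan_end_minute: int          # when the scan finished (minutes from a reference point)
    violations: dict = field(default_factory=dict)   # rule name -> severity


@dataclass
class Agent:
    computer: str
    asci_minutes: int = 60        # agent-to-server interval; 60 minutes is the guide's default
    last_contact_minute: int = 0  # time of the most recent agent-to-server contact

    def next_contact_after(self, minute):
        """First scheduled contact strictly after `minute`; a scan that ends just
        after a contact therefore waits almost a full ASCI."""
        periods = (minute - self.last_contact_minute) // self.asci_minutes + 1
        return self.last_contact_minute + periods * self.asci_minutes


def delivery_minute(agent, result, wakeup_minute=None):
    """Minute at which `result` is stored in the ePO database.  Assumption: a
    wakeup call with randomization 0 makes the agent report at `wakeup_minute`,
    carrying only results that exist by then."""
    t = agent.next_contact_after(result.scan_end_minute)
    if wakeup_minute is not None and wakeup_minute >= result.scan_end_minute:
        t = min(t, wakeup_minute)
    return t


def latest_visible(results, agents, now, wakeup_minute=None):
    """Most recent result per computer among those already in the database at `now`."""
    latest = {}
    for r in results:
        if delivery_minute(agents[r.computer], r, wakeup_minute) > now:
            continue                                  # still waiting for the next ASCI
        if r.computer not in latest or r.scan_end_minute > latest[r.computer].scan_end_minute:
            latest[r.computer] = r
    return latest


def report_status(current_version, results, agents, now, wakeup_minute=None):
    """Per-computer status as the Compliance/Non-Compliance Summary shows it.
    A computer stays Unknown until a result scanned with the current rule-set
    version has reached the server; results from an older rule set do not count."""
    latest = latest_visible(results, agents, now, wakeup_minute)
    statuses = {}
    for computer in agents:
        r = latest.get(computer)
        if r is None or r.ruleset_version != current_version:
            statuses[computer] = "Unknown"
        elif r.violations:
            statuses[computer] = "Non-Compliant"
        else:
            statuses[computer] = "Compliant"
    return statuses


def noncompliance_by_computer(current_version, results, agents, now, wakeup_minute=None):
    """Violated-rule count per non-compliant computer (Non-compliance by Computer Name)."""
    latest = latest_visible(results, agents, now, wakeup_minute)
    return {c: len(r.violations) for c, r in latest.items()
            if r.ruleset_version == current_version and r.violations}


def summary_by_severity(current_version, results, agents, now, wakeup_minute=None):
    """Violation count per severity level (Non-Compliance Summary by Severity)."""
    counts = {}
    for r in latest_visible(results, agents, now, wakeup_minute).values():
        if r.ruleset_version != current_version:
            continue                                  # stale rule set: Unknown, not a violation
        for severity in r.violations.values():
            counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed sample: three managed computers; rule-set version 2 is current.
SAMPLE_AGENTS = {name: Agent(name) for name in ("host-a", "host-b", "host-c")}
SAMPLE_RESULTS = [
    # finished 10 minutes after host-a's contact at minute 60: not delivered until minute 120
    ScanResult("host-a", 2, 70, {"patch-rule-1": "High", "registry-rule-3": "Medium"}),
    # scanned with the previous rule set: Unknown even after delivery at minute 60
    ScanResult("host-b", 1, 30),
    # current rule set, no violations, delivered at minute 60
    ScanResult("host-c", 2, 10),
]

if __name__ == "__main__":
    print(report_status(2, SAMPLE_RESULTS, SAMPLE_AGENTS, now=90))
    print(report_status(2, SAMPLE_RESULTS, SAMPLE_AGENTS, now=90, wakeup_minute=80))
    print(noncompliance_by_computer(2, SAMPLE_RESULTS, SAMPLE_AGENTS, now=130))
    print(summary_by_severity(2, SAMPLE_RESULTS, SAMPLE_AGENTS, now=130))
```

At minute 90 the script reports host-a as Unknown even though its scan against the current rules finished at minute 70, because the result waits for the contact at minute 120; the same query with a wakeup call at minute 80 shows it as Non-Compliant with two violations. host-b stays Unknown in both cases because its only result was scanned with the previous rule set, which is exactly the state the FAQ above describes.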


System Compliance Profiler metrics

This section provides metrics for the memory that System Compliance Profiler uses on client computers, the amount of bandwidth it uses during scans, and the amount of space it uses in ePolicy Orchestrator tables.

Client memory use


The deployed System Compliance Profiler software uses 630,977 bytes (about 616 KB) of memory on each remote computer.

Network bandwidth
System Compliance Profiler scans do not require many local or network resources. The exact amount of network traffic varies with how many rules a given computer receives; the average bandwidth requirement is approximately 200 bytes per rule. The per-rule size also depends on the rule type: in the sample data below, five patch-based rules need far less per rule than a set that mixes all rule types.

Sample data
Table A-1
Policy file contains                       Policy file size
Five patch-based rules                     661 bytes
Sixty rules (fifteen of each rule type)    20,327 bytes

ePolicy Orchestrator impact


System Compliance Profiler stores data in the ePolicy Orchestrator event table. The amount of space used varies depending on the scan results that System Compliance Profiler receives.

Sample data
Table A-2
Scan details            Table space used
Five rules, failed      5,248 bytes
Five rules, passed      6,148 bytes
Twenty rules, failed    19,544 bytes
Twenty rules, passed    22,944 bytes
Sixty rules, failed     35,744 bytes
Sixty rules, passed     44,564 bytes


Index

A
accessing reports, 51
agents, 11
agents, ePolicy Orchestrator
    wakeup calls, 51
audience for this manual, 14
AVERT (Anti-Virus & Vulnerability Emergency Response Team)
    contacting, 18
    DAT notification service, 18
    WebImmune, 18

B
bandwidth requirements, 11
beta program, contacting, 17

C
consulting services, 18
contacting McAfee, 17
customer service, contacting, 18

D
DAT file
    updates via AVERT notification service, 18
    updates, web site, 18
default rule groups, 31
delays, report, 49
documentation for the product, 15
download web site, 18

E
ePolicy Orchestrator
    and System Compliance Profiler, 11
    interface, 12
    reports, 51
ePolicy Orchestrator agents
    wakeup calls, 51
ePolicy Orchestrator Reports
    introduction, 46
exporting rules, 31, 39

F
frequently asked questions, troubleshooting, 54

G
generating reports, 51
getting information, 15
    list of contacts, 17

I
importing rules, 31, 39
installation
    deploying System Compliance Profiler agents, 25

M
manuals, 15
McAfee University, contacting, 18

N
new features, 5
notification service, DAT updates, 18

O
on-site training, 18

P
policy settings, Windows, 25
PrimeSupport, 17
product documentation, 15
product information, resources, 15
product overview, 11
product training, in-house, 18

R
reports
    accessing, 51
    generating, 51
    overview, 46
requirements
    bandwidth, 11
    server and console, 19
    system, 19, 24
resources for information, 15
rule groups
    default, 31
rules
    exporting, 31, 39
    groups, 31
    importing, 31, 39
    structure, 30
    templates, 31

S
scan results
    retrieving, 49
scan tasks, 11
security headquarters, contacting AVERT, 18
service portal, PrimeSupport, 17
sharing rules, 39
submitting a sample virus, 18
System Compliance Profiler
    and ePolicy Orchestrator, 11
    reports, 51
system requirements, 19, 24

T
tasks, scan, 11
technical support
    accessing from the product, 16
    contact information, 17
templates, 31
training web site, 18
training, on-site, 18
troubleshooting FAQs, 54

U
upgrade web site, 18
using this guide, 14
    typeface conventions and symbols, 14

V
Virus Information Library, 16, 18
virus, submitting a sample
    web site, 18

W
wakeup call, ePolicy Orchestrator agent, 51
WebImmune, 18
what's new in this release, 5
Windows policy settings, 25