revision 1.0
COPYRIGHT
Copyright 2005 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP DESIGN (STYLIZED E), DESIGN (STYLIZED , N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, MCAFEE, MCAFEE (AND IN KATAKANA), MCAFEE AND DESIGN, MCAFEE.COM, MCAFEE VIRUSSCAN, NA NETWORK ASSOCIATES, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NETWORK ASSOCIATES, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA), YOUR NETWORK. OUR BUSINESS. are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
Attributions
This product includes or may include: Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). Cryptographic software written by Eric A. Young and software written by Tim J. Hudson. Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. Software originally written by Robert Nordier, Copyright 1996-7 Robert Nordier. Software written by Douglas W. Sauder. Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt. International Components for Unicode (ICU) Copyright 1995-2002 International Business Machines Corporation and others. Software developed by CrystalClear Software, Inc., Copyright 2000 CrystalClear Software, Inc. FEAD Optimizer technology, Copyright Netopsystems AG, Berlin, Germany. Outside In Viewer Technology 1992-2001 Stellent Chicago, Inc. and/or Outside In HTML Export, 2001 Stellent Chicago, Inc. Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, 1998, 1999, 2000. Software copyrighted by Expat maintainers.
Software copyrighted by The Regents of the University of California, 1989. Software copyrighted by Gunnar Ritter. Software copyrighted by Sun Microsystems, Inc. 2003. Software copyrighted by Gisle Aas. 1995-2003. Software copyrighted by Michael A. Chase, 1999-2000. Software copyrighted by Neil Winton, 1995-1996. Software copyrighted by RSA Data Security, Inc., 1990-1992. Software copyrighted by Sean M. Burke, 1999, 2000. Software copyrighted by Martijn Koster, 1995. Software copyrighted by Brad Appleton, 1996-1999. Software copyrighted by Michael G. Schwern, 2001. Software copyrighted by Graham Barr, 1998. Software copyrighted by Larry Wall and Clark Cooper, 1998-2000. Software copyrighted by Frodo Looijaard, 1997. Software copyrighted by the Python Software Foundation, Copyright 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. Software copyrighted by Beman Dawes, 1994-1999, 2002. Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek 1997-2000 University of Notre Dame. Software copyrighted by Simone Bordet & Marco Cravero, 2002. Software copyrighted by Stephen Purcell, 2001. Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/). Software copyrighted by International Business Machines Corporation and others, 1995-2003. Software developed by the University of California, Berkeley and its contributors. Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/). Software copyrighted by Kevlin Henney, 2000-2002. Software copyrighted by Peter Dimov and Multi Media Ltd. 2001, 2002. Software copyrighted by David Abrahams, 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation. Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, 2000. Software copyrighted by Boost.org, 1999-2002. Software copyrighted by Nicolai M. Josuttis, 1999.
Software copyrighted by Jeremy Siek, 1999-2001. Software copyrighted by Daryle Walker, 2001. Software copyrighted by Chuck Allison and Jeremy Siek, 2001, 2002. Software copyrighted by Samuel Krempp, 2001. See http://www.boost.org for updates, documentation, and revision history. Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), 2001, 2002. Software copyrighted by Cadenza New Zealand Ltd., 2000. Software copyrighted by Jens Maurer, 2000, 2001. Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), 1999, 2000. Software copyrighted by Ronald Garcia, 2002. Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, 1999-2001. Software copyrighted by Stephen Cleary (shammah@voyager.net), 2000. Software copyrighted by Housemarque Oy <http://www.housemarque.com>, 2001. Software copyrighted by Paul Moore, 1999. Software copyrighted by Dr. John Maddock, 1998-2002. Software copyrighted by Greg Colvin and Beman Dawes, 1998, 1999. Software copyrighted by Peter Dimov, 2001, 2002. Software copyrighted by Jeremy Siek and John R. Bandela, 2001. Software copyrighted by Joerg Walter and Mathias Koch, 2000-2002.
Issued June 2005 / McAfee System Compliance Profiler software version 1.1
DOCUMENT BUILD 005.1-<EN>
Contents
System Compliance Profiler overview 4
What's new in this release 5
How System Compliance Profiler works with ePolicy Orchestrator 11
Using this guide 14
Resources 15
Overview of using compliance rules in on-demand scans 29
About System Compliance Profiler rules 30
Creating and editing rules 33
Using rules and rule groups for scanning 37
Scheduling System Compliance Profiler on-demand scan tasks 41
Update pre-defined System Compliance Profiler rules from McAfee 43
System Compliance Profiler reports 46
About running System Compliance Profiler reports in ePolicy Orchestrator 49
Generating System Compliance Profiler reports 51
System Compliance Profiler 1.1 is a client scanner that scans computers on your network to determine whether they comply with policies that you set up in ePolicy Orchestrator.
What's covered in this chapter
System Compliance Profiler overview
What's new in this release
How System Compliance Profiler works with ePolicy Orchestrator
Using this guide
Resources
System Compliance Profiler integrates into the McAfee ePolicy Orchestrator management software. This means that you use ePolicy Orchestrator to configure and deploy the software. For details on the ePolicy Orchestrator and System Compliance Profiler interfaces, see Accessing System Compliance Profiler through the ePolicy Orchestrator console on page 12. System Compliance Profiler works by installing remote scanning software on each computer that you want to monitor. This scanning software periodically scans for files, registry keys, patches, and services. It then relays the information it collects back to the ePolicy Orchestrator server. Once the software finishes its scans and reports back, you can use System Compliance Profiler and ePolicy Orchestrator to run reports based on the collected data.
Benefits
After you apply a patch to your managed machines, they may require a reboot. Until they are rebooted, they continue to show up as non-compliant in your System Compliance Profiler reports. This feature indicates that rebooting the machines may make them compliant in the next System Compliance Profiler scan, and so gives a more accurate snapshot of system status.
Where to find
The Compliant/Non-Compliant Summary report includes the reboot state awareness category. The graph has a new pie segment for systems that need rebooting.
See Compliance & Non-Compliance Summary on page 47 for more information on how computer compliance data is reflected in reports.
Benefits
Use registry keys to reference file paths dynamically, rather than having to hardcode the file paths into your rules.
Where to find
On the Edit Rule page of the System Compliance Profiler Rules policy page, the File path drop-down list contains a new HKEY_LOCAL_MACHINE option for specifying a registry key that contains a file path.
Benefits
The list of security patches can become quite long. Using filtering and sorting can make the list more manageable.
Where to find
To access this feature:
1 Open the Rules page of the System Compliance Profiler policy pages.
2 Select the Security Patch Rules group, or any patch rules group or rules within Security Patch Rules, to enable the new Filter button.
3 Click Filter to open the Filtering and Sorting page. Specify filter criteria as needed.
Benefits
Improves performance by running only those rules that are relevant to the software installed on a given computer. It also eliminates the false-positive violations that are generated when a scan does not find a patch on a computer because the relevant software is not installed.
Where to find
The Edit Group page contains an Application rule drop-down list. Select an application from this list to test for on the computer before running the rule or rule group.
Where to find
The Edit Rule page. To get here:
1 In the ePolicy Orchestrator console, go to the System Compliance Profiler | Rules policy page.
2 Select any rule in your Custom Rules list.
3 Click Edit.
Use ePolicy Orchestrator pull tasks to update predefined McAfee rules automatically
Current release: ePolicy Orchestrator updates the pre-defined McAfee rules automatically with source repository pull tasks. This uses the same automated update architecture that ePolicy Orchestrator uses to update DAT anti-virus signatures, anti-virus engines, and Desktop Firewall IDS signatures. Once the repository has been updated, use a replication task to copy the rule updates to any distributed repositories, then run an ePolicy Orchestrator Agent Update client task to update client rules.
Benefits
Using regularly scheduled Repository Pull tasks to update pre-defined rules means System Compliance Profiler is scanning for the most up-to-date rules.
Where to find
In the ePolicy Orchestrator console, select Repository from the console tree to find the Pull Now or New Pull Task features. See Update pre-defined System Compliance Profiler rules from McAfee on page 43, and see the ePolicy Orchestrator Product Guide for more information on pull tasks and agent update client tasks.
Use wildcards when matching filenames and registry keys in compliance rules
Current release: You can use wildcards to match a file name or registry key. The ? wildcard matches a single character; the * wildcard matches any number of characters.
Benefits
Using wildcards in your rules can help make sure the rule can account for small variations in file names or registry keys.
Where to find
The Edit Rule page. To get here:
1 In the ePolicy Orchestrator console, go to the System Compliance Profiler | Rules policy page.
2 Select any rule in your Custom Rules list.
3 Click Edit.
See Defining criteria for rules on page 34, and see the ePolicy Orchestrator Product Guide for more information on pull tasks and agent update client tasks.
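The three rule features described in this section (registry-referenced file paths, application rules that gate a rule group, and the ? and * wildcards), together with the reboot-state category from the report, modelled in one runnable evaluator. This is an added illustration, not System Compliance Profiler's own code or rule format; the "Widget Server" product, its HKEY_LOCAL_MACHINE value, the file paths and the compliance-state labels are invented for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class ClientSnapshot:
    """Constructed stand-in for what the client scanner sees on one computer."""
    files: Set[str]                  # absolute paths of files present on the client
    registry: Dict[str, str]         # "HKEY_LOCAL_MACHINE\\...\\ValueName" -> value data
    applications: Set[str]           # products detected as installed
    reboot_pending: bool = False     # a patch was applied but the computer has not rebooted

@dataclass
class FileRule:
    name: str
    file_pattern: str                        # file name; may contain ? and * wildcards
    directory: Optional[str] = None          # hard-coded folder, or ...
    registry_value: Optional[str] = None     # ... an HKLM value whose data holds the folder

@dataclass
class RuleGroup:
    name: str
    rules: List[FileRule]
    application: Optional[str] = None        # Application rule: evaluate only if installed

def wildcard_match(pattern: str, text: str) -> bool:
    """'?' matches exactly one character; '*' matches any run of characters, including none.
    Matching is case-insensitive because Windows file names and registry keys are."""
    p, t = pattern.lower(), text.lower()
    pi = ti = 0
    star_pos, star_end = -1, 0          # position of the last '*' and how far it has absorbed
    while ti < len(t):
        if pi < len(p) and p[pi] == "*":
            star_pos, star_end = pi, ti
            pi += 1
        elif pi < len(p) and (p[pi] == "?" or p[pi] == t[ti]):
            pi += 1
            ti += 1
        elif star_pos != -1:            # mismatch: let the last '*' absorb one more character
            star_end += 1
            pi, ti = star_pos + 1, star_end
        else:
            return False
    while pi < len(p) and p[pi] == "*":  # trailing '*' may match the empty string
        pi += 1
    return pi == len(p)

def resolve_directory(rule: FileRule, snap: ClientSnapshot) -> Optional[str]:
    """A registry-referenced path is read from the client at scan time, not hard-coded."""
    if rule.registry_value is not None:
        return snap.registry.get(rule.registry_value)
    return rule.directory

def evaluate_rule(rule: FileRule, snap: ClientSnapshot) -> str:
    """'compliant', 'non-compliant', or 'unresolved' when the registry value is absent."""
    directory = resolve_directory(rule, snap)
    if directory is None:
        return "unresolved"
    full_pattern = directory.rstrip("\\") + "\\" + rule.file_pattern
    found = any(wildcard_match(full_pattern, path) for path in snap.files)
    return "compliant" if found else "non-compliant"

def evaluate_group(group: RuleGroup, snap: ClientSnapshot) -> Dict[str, str]:
    """Skip the whole group when its application is not installed, so a patch that
    is missing only because the software is absent is not reported as a violation."""
    installed = {app.lower() for app in snap.applications}
    if group.application is not None and group.application.lower() not in installed:
        return {}
    return {rule.name: evaluate_rule(rule, snap) for rule in group.rules}

def compliance_state(groups: List[RuleGroup], snap: ClientSnapshot) -> str:
    """Summary category with a reboot-pending variant, in the spirit of the summary report."""
    results: Dict[str, str] = {}
    for group in groups:
        results.update(evaluate_group(group, snap))
    if all(state == "compliant" for state in results.values()):   # no applicable rules: compliant
        return "compliant"
    return "non-compliant, reboot pending" if snap.reboot_pending else "non-compliant"

# Constructed sample data: the "Widget Server" product, its registry value and the paths are invented.
HOTFIX_RULE = FileRule(
    name="Widget Server hotfix DLL present",
    file_pattern="widget??.dll",             # matches widget12.dll, not widget1.dll
    registry_value="HKEY_LOCAL_MACHINE\\SOFTWARE\\Widget\\InstallDir",
)
LOG_RULE = FileRule(name="Scan log present", file_pattern="scan*.log", directory="C:\\Logs")
WIDGET_GROUP = RuleGroup("Widget Server patches", [HOTFIX_RULE], application="Widget Server")
BASELINE_GROUP = RuleGroup("Baseline", [LOG_RULE])

SERVER = ClientSnapshot(
    files={"D:\\Apps\\Widget\\widget12.dll", "C:\\Logs\\SCAN-2005-06-01.LOG"},
    registry={"HKEY_LOCAL_MACHINE\\SOFTWARE\\Widget\\InstallDir": "D:\\Apps\\Widget"},
    applications={"Widget Server"},
)
WORKSTATION = ClientSnapshot(files=set(), registry={}, applications=set(), reboot_pending=True)
```

Evaluating HOTFIX_RULE directly on WORKSTATION returns "unresolved", which is the false positive the application rule on WIDGET_GROUP avoids; note that a too-broad pattern such as `*.dll` would accept any DLL in the folder, so wildcards should stay as narrow as the file-name variation requires.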
2 Deploy System Compliance Profiler to client computers. Use the ePolicy Orchestrator console to deploy System Compliance Profiler to computers in your Directory console tree. You must deploy the software to each computer that you want to scan.
3 Configure System Compliance Profiler policies and scans. Once your System Compliance Profiler system is set up, you can start scanning computers for files, services, patches, and registry keys. To do this, you first set up rules in ePolicy Orchestrator. These rules make up your policies. Once you finish defining policies for different users, you set up System Compliance Profiler scan tasks. Scan tasks are instructions that ePolicy Orchestrator sends to computers running System Compliance Profiler. You can scan individual computers, or groups of computers. You can also schedule scans to occur at specific times.
4 System Compliance Profiler runs scans on client computers. ePolicy Orchestrator sends the scan tasks to computers running System Compliance Profiler. At the scheduled time, these computers run the scans that you specified, collect the scan results, and transmit them to ePolicy Orchestrator. System Compliance Profiler scans do not require many local or network resources. While the exact amount of network traffic varies based on how many rules a given computer receives, the average bandwidth requirement is approximately 200 bytes per rule.
5 Run reports in ePolicy Orchestrator to view scan results. Once ePolicy Orchestrator receives scan results from System Compliance Profiler, it adds the information to its database. After the results are stored, you can use the ePolicy Orchestrator console to run reports that list any vulnerabilities that System Compliance Profiler found.
Policies are the rules that you define for each computer scanned by System Compliance Profiler. You use the ePolicy Orchestrator console to configure the policies for how you want to scan selected computers using System Compliance Profiler rules. The ePolicy Orchestrator agent on the client computer where System Compliance Profiler is installed collects these policy updates at regular intervals. You then configure scan tasks to run on the clients using the policies you specify.
To access the System Compliance Profiler policy pages:
1 Select the Directory, or a site, group, or computer node in the Directory tree.
2 In the details pane, click the Policies tab.
3 Expand the policy list to System Compliance Profiler 1.1 | Rules, then click the policy name.
4 View the policy pages in the lower details pane.
Figure 1-1 The System Compliance Profiler Rules policy page
The Rules page lets you enable and disable configured rules, create and edit customized rules, and update pre-defined McAfee rules from the McAfee web site.
Use client tasks to configure on-demand scans on client computers
The System Compliance Profiler policy pages (NAP file) include an on-demand scan task for creating and scheduling scan tasks on client computers. When you check the NAP file into the master repository on the ePolicy Orchestrator server, the System Compliance Profiler on-demand scan task is available in the list of available client scan tasks.
To access the System Compliance Profiler on-demand scan task:
1 Select the Directory, or a site, group, or computer node in the console tree.
2 In the details pane, click the Tasks tab.
3 Right-click the details pane and select Schedule Task.
4 From the Schedule Task page, select System Compliance Profiler 1.1 On-Demand Scan.
Run System Compliance Profiler reports
To see the results of your System Compliance Profiler scans, generate reports in ePolicy Orchestrator. System Compliance Profiler automatically adds its custom reports to the Reporting area of the ePolicy Orchestrator console when you install the software. For more information on these reports, see Working with Scan Results on page 46.
Audience
This information is intended primarily for network administrators who are responsible for their company's anti-virus and security program.
Conventions
This guide uses the following conventions:
Bold Serif
All words from the user interface, including options, menus, buttons, and dialog box names. Example: Type the User name and Password of the desired account.
Courier
The path of a folder or program; a web address (URL); text that represents something the user types exactly (for example, a command at the system prompt). Examples:
The default location for the program is: C:\Program Files\Network Associates\VirusScan
Visit the McAfee Security web site at: http://www.mcafeesecurity.com
Run this command on the client computer: C:\SETUP.EXE
Italic
For emphasis or when introducing a new term; for names of product documentation and topics (headings) within the material. Example: Refer to the VirusScan Enterprise Product Guide for more information.
<TERM>
Angle brackets enclose a generic term. Example: In the console tree under ePolicy Orchestrator, right-click <SERVER>.
Note
Note: Supplemental information; for example, an alternate method of executing the same command.
Tip
Tip: Suggestions for best practices and recommendations from McAfee Security for threat prevention, performance and efficiency.
Caution
Caution: Important advice to protect your computer system, enterprise, software installation, or data.
Warning
Warning: Important advice to protect a user from bodily harm when interacting with a hardware product.
Resources
Refer to these sections for additional resources:
Getting product information
Links from within the ePolicy Orchestrator console
Product services
Contact information
Help: High-level and detailed information accessed from the ePolicy Orchestrator console. Use the Help menu and/or Help button for page-level help.
Configuration Guide*: For use with ePolicy Orchestrator. Procedures for configuring, deploying, and managing your McAfee Security product through ePolicy Orchestrator management software.
Release Notes: ReadMe. Product information, resolved issues, any known issues, and last-minute additions or changes to the product or its documentation.
Contacts: Contact information for McAfee Security services and resources: technical support, customer service, Security Headquarters (AVERT Anti-virus & Vulnerability Emergency Response Team), beta program, and training. This file also includes phone numbers, street addresses, web addresses, and fax numbers for company offices in the United States and around the world.
License*: The McAfee License Agreement booklet that includes all of the license types you can purchase for your product. The License Agreement sets forth general terms and conditions for the use of the licensed product.
* An Adobe Acrobat .PDF file on the product CD or the McAfee Security download site.
^ A printed manual that accompanies the product CD. Note: Some language manuals may be available only as a .PDF file.
Text files included with the software application and on the product CD.
Virus Information Library
Use the Virus Information link to access the McAfee Anti-Virus & Vulnerability Emergency Response Team (AVERT) Virus Information Library. This web site has detailed information on where viruses come from, how they infect your system, and how to remove them. In addition to genuine viruses, the Virus Information Library contains useful information on virus hoaxes, such as those virus warnings that you receive via e-mail. A Virtual Card For You and SULFNBK are two of the best-known hoaxes, but there are many others.
Tip: Next time you receive a well-meaning virus warning, view our hoax page before you pass the message on to your friends.
To access the Virus Information Library:
1 Open the ePolicy Orchestrator console. The console opens to the Start Page in the details pane.
2 Select Virus Information.
Technical Support
Use the Technical Support for ePolicy Orchestrator link to access the McAfee PrimeSupport KnowledgeCenter Service Portal web site. Browse this site to view frequently asked questions (FAQs) and documentation, and to perform a guided knowledge search.
To access McAfee technical support:
1 Open the ePolicy Orchestrator console. The console opens to the Start Page in the details pane.
2 Select Technical Support for ePolicy Orchestrator.
3 Follow the directions on the web site.
Product services
The following services are available to help you get the most from your McAfee products:
Beta program
HotFixes and Patches
Product end-of-life support
Beta program
The McAfee beta program enables you to try our products before full release to the public: you can learn about and test new features for existing products, as well as try out entirely new products. This program can help you test and implement updated and new features earlier, and in a safe environment. You get the chance to suggest new product features, as well as deal directly with McAfee engineering staff. To find out more, visit: http://www.mcafeesecurity.com/us/downloads/beta/mcafeebetahome.htm
HotFixes and Patches
HotFixes and Patches are released with updated files, drivers, executables, etc., between the major releases of a product. To access the latest HotFixes and Patches, visit: http://www.mcafeesecurity.com/us/downloads/updates/hotfixes.asp
Product end-of-life support
Your anti-virus software must be kept up-to-date to remain effective against viruses and other potentially harmful software. It is important to update the virus definition (DAT) files regularly. To enable the software to counter the continuing threat, we often make architectural changes to the way that the DAT files and virus-scanning engine work together. It is therefore important that you update your engine when a new version is released. An older engine will not catch many of the new emerging threats. When we release a new engine, we announce the date after which the existing engine will no longer be supported. For information on our product end-of-life policy and for a full list of supported engines and products, visit: http://www.mcafeesecurity.com/us/products/mcafee/end_of_life.htm
Contact information
Technical Support
Home Page: http://www.mcafeesecurity.com/us/support/technical_support
KnowledgeBase Search: https://knowledgemap.nai.com/phpclient/homepage.aspx
PrimeSupport Service Portal*: https://mysupport.nai.com
Download Site
Home Page: http://www.mcafeesecurity.com/us/downloads/
DAT File and Engine Updates: http://www.mcafeesecurity.com/us/downloads/updates/default.asp and ftp://ftp.mcafeesecurity.com/pub/antivirus/datfiles/4.x
Product Upgrades*: https://secure.nai.com/us/forms/downloads/upgrades/login.asp
Training
On-Site Training: http://www.mcafeesecurity.com/us/services/security/home.htm
McAfee University: http://www.mcafeesecurity.com/us/services/education/mcafee/university.htm
Customer Service
E-mail: https://secure.nai.com/us/forms/support/request_form.asp
Web: http://www.mcafeesecurity.com/us/index.asp and http://www.mcafeesecurity.com/us/support/default.asp
US, Canada, and Latin America toll-free: +1-888-VIRUS NO or +1-888-847-8766
For additional information on contacting McAfee including toll-free numbers for other geographic areas see the Contact file that accompanies this product release. * Logon credentials required.
This section describes how to add the System Compliance Profiler 1.1 deployment package and NAP file to the ePolicy Orchestrator software repository. You must add both of these to your ePolicy Orchestrator repository to be able to deploy and manage System Compliance Profiler with ePolicy Orchestrator.
Note: Refer to this chapter only if you are running System Compliance Profiler 1.1 with ePolicy Orchestrator 3.0.x. The System Compliance Profiler 1.1 deployment package, NAP file, and reports are installed automatically when you install the ePolicy Orchestrator 3.5 or 3.6 server and console. If you are using ePolicy Orchestrator 3.5 or 3.6, you can skip this chapter.
What's in this chapter
This chapter contains the following topics:
ePolicy Orchestrator 3.0.x requirements
Adding System Compliance Profiler to the ePolicy Orchestrator server
Upgrading System Compliance Profiler from version 1.0
Removing System Compliance Profiler from the ePolicy Orchestrator server
Configure firewall ports for System Compliance Profiler communication
If you intend to communicate through a firewall with computers running System Compliance Profiler, you must also configure ports 80 and 8081 to allow traffic between your ePO agents and your server. These are the default ports for those components. If you selected different ports during your ePolicy Orchestrator installation, configure your firewall to allow those ports instead.
2 Follow the wizard instructions. When prompted:
a Select Add new software to be managed as the task type.
b Select Patch1100.nap as the file name.
3 After finishing the check-in wizard, wait while the NAP is added to the repository.
Add System Compliance Profiler reports to the database
Check in the extended reporting NAP file to add System Compliance Profiler reports to the ePolicy Orchestrator reporting database. This allows you to run reports in ePolicy Orchestrator on the System Compliance Profiler scan results.
To check in the extended reporting NAP:
1 Select Repository from the console tree, and click Check in NAP.
2 Follow the wizard instructions. When prompted:
a Select Add new reports as the task type.
b Select Patch_Reports.nap as the file name.
3 After finishing the check-in wizard, wait while the NAP is added to the repository.
System Compliance Profiler is now stored in the Repository. You must also deploy the System Compliance Profiler software to your ePolicy Orchestrator server before running any scans. See Removing System Compliance Profiler from the ePolicy Orchestrator server on page 22 for details.
Tip: You can verify that the System Compliance Profiler software is in the ePolicy Orchestrator Repository by selecting any computer, group, or site from the console tree. Click the Policies tab to make it active. System Compliance Profiler should appear in the list of available software.
3 Edit the default deployment task to Install System Compliance Profiler 1.1, and set the action for System Compliance Profiler 1.0 to Ignore, so that ePolicy Orchestrator installs version 1.1 on the client computers in your network. The installer for SCP 1.1 automatically upgrades SCP 1.0 installations to SCP 1.1 on clients.
Note: When you are finished, there are two entries in the Policy tab of the ePolicy Orchestrator console, one for version 1.0 and one for version 1.1. This is similar to the way ePolicy Orchestrator can contain NAP files for multiple versions of other products, such as VirusScan Enterprise. As you begin working with System Compliance Profiler 1.1, be sure to make additional policy changes only in the System Compliance Profiler 1.1 policy pages. After you have fully installed and deployed version 1.1, you may want to remove the 1.0 NAP file from the ePolicy Orchestrator repository to avoid confusion.
Removing System Compliance Profiler reports
1 Start ePolicy Orchestrator.
2 Expand Reporting to see its contents.
3 Expand Report Repository.
4 Locate and right-click System Compliance Profiler.
5 Click Remove.
6 Click Yes when ePolicy Orchestrator asks whether to remove the reports.
This chapter describes the process for deploying System Compliance Profiler 1.1 to client computers. You must deploy System Compliance Profiler to any computer that you want to scan for patch compliance: the software can only scan locally, on the same computer on which it is installed.
What's in this chapter
System requirements
Using ePolicy Orchestrator to deploy System Compliance Profiler
Installing System Compliance Profiler manually on clients
Removing System Compliance Profiler from clients
System requirements
The System Compliance Profiler client scanner only functions as part of an ePolicy Orchestrator deployment, and therefore is only installed on computers running an ePolicy Orchestrator agent.
Note: Computers running an agent already meet the minimum system requirements for the System Compliance Profiler client scanner. Refer to the ePolicy Orchestrator documentation for details on the system requirements for the agent.
About using the ePolicy Orchestrator Deployment task
The ePolicy Orchestrator agent uses the default deployment task to deploy, or install, client software such as VirusScan Enterprise, Desktop Firewall, or System Compliance Profiler on computers in your network. The following System Compliance Profiler deployment instructions assume that you have:
Installed the ePolicy Orchestrator server and console.
Populated the ePolicy Orchestrator Directory with all of the sites, groups, and computers to which you plan to deploy System Compliance Profiler.
Deployed ePolicy Orchestrator agents to any computers where you plan to install System Compliance Profiler.
For more information on these processes, see the ePolicy Orchestrator Product Guide.
Caution: If you are using System Compliance Profiler with ePolicy Orchestrator 3.0.x, you must deploy the System Compliance Profiler scanner to the ePolicy Orchestrator server itself. If you do not, reporting does not function properly. This is not required for ePolicy Orchestrator 3.5 or 3.6, although you will most likely want to install System Compliance Profiler on your server anyway.
Enabling System Compliance Profiler deployment
1 In your ePolicy Orchestrator console, select Directory from the console tree. ePolicy Orchestrator expands the Directory to show all the sites, groups, and computers that it currently manages.
2 Select a site, group, or computer to which you want to deploy System Compliance Profiler.
3 In the upper details pane, click Tasks to display that tab. ePolicy Orchestrator lists all the tasks for this site, group, or computer.
4 Double-click the Deployment task to open the ePolicy Orchestrator Scheduler dialog box.
5 On the Task tab, click Settings to open the Task Settings dialog box.
6 If necessary, deselect the Inherit checkbox.
8 Select Install from the Action list. Set any products that you do not want to deploy to Ignore.
9 Click OK to return to the ePolicy Orchestrator Scheduler dialog box.
Now that you have configured this task to deploy System Compliance Profiler, create a schedule for the task.
Creating a schedule for the Deployment task
1 In the ePolicy Orchestrator Scheduler dialog box, click Task to display that tab.
2 In the Schedule Settings area, deselect Inherit.
3 Select Enable to make the task active.
4 Click the Schedule tab.
5 Deselect the Inherit checkbox, then set up the time when you want the System Compliance Profiler software deployed. To deploy the software immediately, select Run Immediately from the Schedule Task list. The deployment task then runs at the next ePO policy enforcement interval, or when you perform an agent wakeup call. For instructions, see the ePolicy Orchestrator Product Guide.
6 Click OK. ePolicy Orchestrator deploys the System Compliance Profiler software to this site, group, or computer at the time you specified.
To verify that the System Compliance Profiler software deployed properly, select the name of the remote computer in the console tree, then select the Properties tab in the details pane. System Compliance Profiler should appear in the list of installed applications. (Allow enough time for the deployment task to run first.)

Running the System Compliance Profiler installer
When you execute PATCHSCANINSTALLER.EXE, System Compliance Profiler installs in silent mode. There is no installation interface and there are no options to configure. You can also run PATCHSCANINSTALLER.EXE from the command line to uninstall System Compliance Profiler. To do this, run the executable with the /u switch, like this:
PATCHSCANINSTALLER.EXE /u
1 Start the ePolicy Orchestrator console and log on to your server.
2 In the console tree, expand the Directory and select the site, group, or computer from which you want to remove System Compliance Profiler.
3 In the ePolicy Orchestrator details pane, click the Tasks tab.
4 Right-click the Deployment task, then select Edit Task to open the ePolicy Orchestrator Scheduler dialog box.
5 On the Task tab, click Settings to open the Task Settings dialog box.
6 If necessary, deselect the Inherit checkbox.
7 In the Product deployment options list, locate System Compliance Profiler.
8 Select Remove from the Action list.
9 Click OK to return to the ePolicy Orchestrator Scheduler dialog box.
10 Click OK to save your changes.
ePolicy Orchestrator removes the System Compliance Profiler clients at the time specified in the task. To change the task's schedule, use the procedure outlined in Creating a schedule for the Deployment task on page 26.

Removing System Compliance Profiler with a command line
You can run PATCHSCANINSTALLER.EXE from the command line to uninstall System Compliance Profiler. To do this, PATCHSCANINSTALLER.EXE must be on the client computer. Run the executable with the /u switch, like this:
PATCHSCANINSTALLER.EXE /u
This section describes how to use the ePolicy Orchestrator console to configure the System Compliance Profiler software to scan your network for system compliance.

What's in this chapter
Overview of using compliance rules in on-demand scans
About System Compliance Profiler rules
Creating and editing rules
Using rules and rule groups for scanning
Scheduling System Compliance Profiler on-demand scan tasks
Update pre-defined System Compliance Profiler rules from McAfee
File-based scanning and MD5 hashes
File-based System Compliance Profiler rules are useful for checking whether specific files exist, and at what version number. In some cases, however, you may need to verify that files on target computers have not been tampered with. System Compliance Profiler lets you do this by specifying an MD5 hash for scanned files.

An MD5 hash is a 128-bit fingerprint computed from the contents of a file. Any change to the file, even a single byte, produces a different hash, and exact copies of a file always produce the same hash. A hash is not a digital signature: no key is involved, so a matching hash proves only that the scanned file is identical to the copy you hashed, not who produced it. For that reason, generate the reference hash from a copy of the file you trust (for example, the original installation media or a freshly patched reference computer), never from a computer whose integrity you are trying to verify.

In order to create an MD5-based rule, you must have an existing hash for the file you want to verify. You can use commonly available utilities to generate it (for example, the Command Line Message Digest Utility, available from http://www.fourmilab.ch/md5). Once you have the hash, paste it into your file-based System Compliance Profiler rule. The software compares it to the hash of each copy of the file on scanned computers, and alerts you if any of them do not match.

Note that MD5 is no longer collision resistant: someone who controls both versions of a file can craft two different files that share the same MD5 hash. A hash rule is still effective against accidental corruption and against an attacker who modifies a file already in place, but because System Compliance Profiler rules use MD5 only, treat a passing hash check on files you did not build yourself as one indicator among several, not as proof of authenticity.
Enable or disable any rule to include it in your scans
Including your rules in your on-demand compliance scans is easy: just enable any rules or rule groups you want to use in your scan by clicking the appropriate checkbox. You can enable any combination of pre-defined rules and custom rules in this way.

In System Compliance Profiler 1.0, you could only enable pre-defined rules if you first copied them from the rule templates list to your active rules list. This is no longer necessary in version 1.1. You can enable any rule, either custom or pre-defined, simply by selecting it in the Rules list. You only need to copy a pre-defined rule to your Custom Rules group if you want to edit it to create a custom rule from it.

There are several different types of rules in this list:
Pre-defined rules from McAfee
Custom rules you create yourself
Archived rules
Each of these is described below.

Pre-defined rules from McAfee
System Compliance Profiler 1.1 ships with a set of pre-defined rules for common types of patches and files that you will likely want to scan for on computers in your network. These include such things as all recent Windows security patches from Microsoft and common applications you may not want to allow on workstations in your network.
You can enable these rules to include them in your client on-demand scans. You can also use them as templates for creating your own custom rules. To do this, copy any rule group or rule from any of the pre-defined rule groups into your Custom Rules folder and modify it as needed. While you can edit copies of the pre-defined rules in your Custom Rules folder, you cannot edit or delete any of the original pre-defined rules.

Table 4-1 Pre-defined Rule Groups
Group name             Purpose
Security Patch Rules   Rules in this group test for the presence of recent Microsoft security patches, hotfixes, and service packs.
Infection Rules        These templates provide guides for detecting viruses and similar malicious applications. These complement, but do not replace, dedicated anti-virus software.
(name not recovered)   Templates in this group provide guides for detecting software that should, or should not, be allowed on network computers.
(name not recovered)   This group contains templates that do not fit any of the other default template groups.

To copy a template, right-click its name and select Copy from the menu. This places all of the template's data on your Windows Clipboard, in text-only format. You can then paste the template into another group, or into the System Compliance Profiler Rules list (which makes it an active rule), or share the template with other users by sending them the template data. You can also copy templates sent to you by other users, and import them into your existing Templates and Rules Archive list. Review rule text that you receive from other users before you enable it: once pasted into the Rules list and enabled, it determines what your scans report as compliant.

Custom rules you create yourself
If none of the pre-defined rules meet your needs, you can create custom rules yourself. To do this, either create a rule from scratch or copy a pre-defined rule into your Custom Rules folder and edit it.

Archived rules
This group contains archived copies of rule sets you have saved. Saved rule sets are called archives. You can replace your current rule set with an archived rule set by clicking Activate.
Rules
You can configure a rule group so that all child rules must match for the system to be compliant with the rule group, or so that any one child rule matching is enough for the system to be compliant with that group.

Figure 4-3 Create groups for similar rules

Use the All rules are true or Any rules are true options to specify which child rules of the group must be true for the system to be compliant with the rule group. All rules are true suits a baseline that every computer must meet in full; Any rules are true suits a group in which several alternative conditions are each acceptable.
This can be what versions of Windows to test for, and whether to test for specific files in specific folders, specific registry keys and registry key values, or the presence of a specific Microsoft patch.

Figure 4-4 Enter rule criteria in the Add Rule or Edit Rule page

All rules have the basic criteria of name, severity, and operating system. In addition, you can specify that the rule test for the existence (or nonexistence) of one of the following:
A file
A registry key
A Microsoft patch
An NT service
Matching a file
Select a basic root directory from the File path list, and enter any additional subdirectory names in the text box to complete the path. Enter the file name you want to scan for in the File name text box. You may use wildcards to match a file name: the ? wildcard matches a single character, and the * wildcard matches any number of characters. From the remaining list, select a matching strategy for the rule (for example, File exists or Version is equal to). If necessary, enter an appropriate value in the associated text field. When matching a version number, the software only accepts numbers and points (for example, 1.0.1). You cannot enter letters (for example, 1a).

Matching a registry key
Select a basic key root from the Registry key list, and enter any additional key names in the text box to complete the path. Enter the name of the key value you want to scan for in the Value name text box. From the remaining list, select a matching strategy for the rule (for example, Registry key exists or Data is equal to). If necessary, enter an appropriate value in the associated text field. When matching using the less than, greater than, or equal to operators, you can only match DWORD and String values. You may use wildcards in the value if you use the equal to operator: the ? wildcard matches a single character, and the * wildcard matches any number of characters.

Matching a Microsoft patch
Enter the patch's unique Microsoft identifier in the Patch name text box. This value should begin with either Q... or KB... (for example, KB824141).

Matching a service
Enter the name of the service in the Service name text box. Some common services that you might want to search for include:
IIS Admin Service
Internet Connection Sharing
Telnet
WWW Publishing Service
From the remaining list, select a matching strategy for the rule (for example, Service is running).
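The rule semantics described under Rules and in the four Matching sections above, as an added example that is not part of this guide or of the product: a small Python evaluator run against a constructed inventory of one computer. The file names, registry keys, version numbers and rule values are invented sample data; KB824141 and the service names are the ones the guide itself mentions. It implements the All rules are true / Any rules are true group options, the ? and * wildcards, numeric dotted-version comparison (rejecting a value such as 1a, as the rule editor does), DWORD and String registry comparisons, and the nonexistence form of each test.

```python
import fnmatch
import re

# Constructed inventory of one scanned computer (invented sample data). The real
# scanner reads the file system, registry, hotfix list and service control manager.
HOST = {
    "files": {  # path -> file version
        r"C:\Program Files\Example\example.dll": "1.2.0",
        r"C:\Program Files\Example\example2.dll": "1.3.5",
    },
    "registry": {  # (key, value name) -> data; an int means DWORD
        (r"HKEY_LOCAL_MACHINE\SOFTWARE\Example", "Build"): 1200,
        (r"HKEY_LOCAL_MACHINE\SOFTWARE\Example", "Channel"): "stable-2005",
    },
    "patches": {"KB824141"},  # installed Microsoft patch identifiers
    "services": {"Telnet": "stopped", "WWW Publishing Service": "running"},
}

def version_tuple(text):
    # Like the rule editor, accept numbers and points only.
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError("version must contain only numbers and points: %r" % text)
    return tuple(int(part) for part in text.split("."))

def compare(actual, wanted, op):
    """op is 'eq', 'lt' or 'gt'. Version tuples are zero-padded so 1.0 == 1.0.0."""
    if isinstance(actual, tuple):
        width = max(len(actual), len(wanted))
        actual = actual + (0,) * (width - len(actual))
        wanted = wanted + (0,) * (width - len(wanted))
    return {"eq": actual == wanted, "lt": actual < wanted, "gt": actual > wanted}[op]

def eval_file(rule, host):
    # ? matches one character, * any run; paths compare case-insensitively as on NTFS.
    hits = [ver for path, ver in host["files"].items()
            if fnmatch.fnmatchcase(path.lower(), rule["path"].lower())]
    if rule["op"] == "exists":
        return bool(hits)
    wanted = version_tuple(rule["value"])
    return any(compare(version_tuple(ver), wanted, rule["op"]) for ver in hits)

def eval_registry(rule, host):
    data = host["registry"].get((rule["key"], rule["value_name"]))
    if rule["op"] == "exists":
        return data is not None
    if data is None:
        return False
    if isinstance(data, int):  # DWORD: numeric comparison
        return compare(data, int(rule["value"]), rule["op"])
    if rule["op"] == "eq":  # String: wildcards are allowed only with equal to
        return fnmatch.fnmatchcase(data.lower(), rule["value"].lower())
    return compare(data, rule["value"], rule["op"])

def eval_patch(rule, host):
    if not re.fullmatch(r"(Q|KB)\d+", rule["id"]):
        raise ValueError("patch identifier must begin with Q or KB: %r" % rule["id"])
    return rule["id"] in host["patches"]

def eval_service(rule, host):
    state = host["services"].get(rule["name"])
    return state is not None if rule["op"] == "exists" else state == "running"

HANDLERS = {"file": eval_file, "registry": eval_registry,
            "patch": eval_patch, "service": eval_service}

def evaluate(node, host):
    """A node is a group ('mode' of 'all' or 'any' with child 'rules') or one rule.
    'negate': True turns an existence test into a nonexistence test, and makes a
    group fail when its children would otherwise satisfy it."""
    if "rules" in node:
        results = [evaluate(child, host) for child in node["rules"]]
        ok = all(results) if node["mode"] == "all" else any(results)
    else:
        ok = HANDLERS[node["type"]](node, host)
    return ok != node.get("negate", False)

# Two constructed groups: a baseline where every child must match, and a
# 'software that should not be allowed' group where any match means non-compliance.
RULES = {
    "baseline": {"mode": "all", "rules": [
        {"type": "patch", "id": "KB824141"},
        {"type": "file", "path": r"C:\Program Files\Example\example?.dll",
         "op": "gt", "value": "1.3"},
        {"type": "registry", "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Example",
         "value_name": "Build", "op": "lt", "value": "1300"},
        {"type": "service", "name": "Telnet", "op": "running", "negate": True},
    ]},
    "disallowed": {"mode": "any", "negate": True, "rules": [
        {"type": "service", "name": "WWW Publishing Service", "op": "running"},
        {"type": "file", "path": r"C:\Program Files\Example\*.dll", "op": "exists"},
    ]},
}

def scan(host=HOST, rules=RULES):
    # Compliance verdict per rule group for one computer.
    return {name: evaluate(group, host) for name, group in rules.items()}
```

Running scan() on the sample inventory reports the baseline group as compliant (the patch is present, example2.dll is newer than 1.3, Build is below 1300, and Telnet is not running) and the disallowed group as non-compliant, because the WWW Publishing Service is running. Note that a wildcard file rule with a version criterion is satisfied by any one matching file, which is why a rule intended to cover every copy of a file should use a full path instead.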
Enable both pre-defined and custom rules
While you can only edit or delete your own custom rules and rule groups, you can enable or disable any rule or rule group, either custom or pre-defined.

Enable and disable rules by selecting them in the list
To enable a rule:
1 From the Rules page of the System Compliance Profiler policy page, select a rule or group in the list so that its checkbox shows as checked. To enable every rule in a group, select the rule group, which enables all the child rules.
2 Click Apply to save your policy changes.
The changes to enabled rules are passed to the System Compliance Profiler scanner on each client computer when the ePolicy Orchestrator agent for that computer calls into the server at its next agent-to-server communication interval (ASCI). The newly enabled rules are used by the on-demand scan the next time that scan is scheduled to run.
Import a text-based rule or group into System Compliance Profiler
You can also view your copied rule or template text in any application that accepts plain text. Valid data starts with --- BEGIN COPIED RULES --- and finishes with --- END COPIED RULES ---.

Note: Make certain that you include these lines when you import or export data, or your selected rules or templates will not work properly.

To import a plain text rule:
1 Obtain a text version of the rule or template that you wish to use.
2 Select and copy the rule text, including the --- BEGIN COPIED RULES --- and --- END COPIED RULES --- lines.
3 Open the System Compliance Profiler Rules tab in the ePolicy Orchestrator console.
4 Navigate to the group where you want to import the data.
5 Right-click the group name, and click Paste. System Compliance Profiler uses the imported data as a new rule or group.
6 Click Apply to save your changes.
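A check for the marker lines before you paste shared rule text, as an added example that is not code from this guide or from System Compliance Profiler. The mail-quote handling and the sample message are assumptions about how rule text tends to arrive; the guide does not document the format of the data between the markers, so a placeholder line stands in for it.

```python
import re

BEGIN_MARKER = "--- BEGIN COPIED RULES ---"
END_MARKER = "--- END COPIED RULES ---"
# Leading '>' characters that a mail client adds when rule text is forwarded
# (an assumption about how rules get shared, not a format the guide defines).
QUOTE_PREFIX = re.compile(r"^\s*(?:>\s?)+")


def extract_copied_rules(text):
    """Return each rule block found between BEGIN/END markers, in order.
    Raise ValueError when a block is not properly delimited, since text
    missing either marker will not import correctly."""
    blocks, current = [], None          # current is None outside a block
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = QUOTE_PREFIX.sub("", raw)
        marker = line.strip()
        if marker == BEGIN_MARKER:
            if current is not None:
                raise ValueError("line %d: BEGIN marker inside an open block" % lineno)
            current = []
        elif marker == END_MARKER:
            if current is None:
                raise ValueError("line %d: END marker without BEGIN" % lineno)
            blocks.append("\n".join(current))
            current = None
        elif current is not None:
            current.append(line.rstrip())
    if current is not None:
        raise ValueError("END marker missing: the copied rule text is truncated")
    if not blocks:
        raise ValueError("no BEGIN/END markers found: nothing to import")
    return blocks


def wrap_for_sharing(rule_text):
    """Wrap exported rule text in the markers the console expects on paste."""
    return "%s\n%s\n%s\n" % (BEGIN_MARKER, rule_text.strip("\n"), END_MARKER)


# Constructed sample message with the rule text quoted by a mail client.
SAMPLE_MESSAGE = """Here is the rule we discussed.

> --- BEGIN COPIED RULES ---
> (rule data as copied from the console goes here)
> --- END COPIED RULES ---

Regards"""
```

extract_copied_rules(SAMPLE_MESSAGE) returns the single block with the quote prefixes removed, ready to paste; a message cut off before the END marker raises an error instead of producing a block that the console would silently reject.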
3 Select System Compliance Profiler 1.1 On-Demand Scan from the software tasks list.

Figure 4-5 Create a System Compliance Profiler on-demand scan

4 Click OK.
5 Press F5 to refresh the console and make the new task appear in the list on the Tasks tab. Note that it is scheduled to run daily at the current day and time. Also note that the Enabled flag is set to False; you now need to set it to True and schedule the task.

1 Right-click the new task in the task list and select Edit Task.

Figure 4-6 Edit the newly created scan task

2 Deselect Inherit under the Schedule Settings section of the ePolicy Orchestrator Scheduler dialog box.
3 Select Enable. This is very important: the scan does not run unless you enable it.
4 Click the Schedule tab and deselect Inherit.
5 Set the Schedule Task options as desired. For example, you might want to schedule it to run Daily at a specified local time on the machine. See the ePolicy Orchestrator Product Guide for more detailed information on scheduling client tasks.
6 When you have finished scheduling the task, click OK. The task is now listed in the Tasks list with its Enabled property set to True. The task will run at the next scheduled time that you have configured. Note that the task is passed to System Compliance Profiler clients the next time the agent on each computer calls into the server as part of its regular ASCI. If you want clients to pick up the new scan task immediately (for example, if you have scheduled the task to Run Immediately), you can initiate a manual agent wakeup call. See Performing an agent wakeup call on page 51 or the ePolicy Orchestrator Product Guide for more information on agent wakeup calls.
Overview of update process: same as for DATs
Basically, update your System Compliance Profiler rules as follows:
1 Pull pre-defined rules from the McAfee web site to the master software repository on your ePolicy Orchestrator server using a repository pull task. This can either be a manual Pull Now server task, or a scheduled pull task that pulls updates from the McAfee source repository at regular intervals.
2 Replicate the updates in the master repository to any distributed repositories, if you have them.
3 Schedule an ePolicy Orchestrator Agent Update client task to have your client computers update their System Compliance Profiler rules from the nearest repository.
See the ePolicy Orchestrator Product Guide for details on how to create and schedule all of these tasks to update both DATs and System Compliance Profiler rules.

Be sure to configure selective updating appropriately if you're using ePolicy Orchestrator 3.5 or 3.6
If you're using ePolicy Orchestrator 3.5 or 3.6, remember that the selective updating feature doesn't update all signatures automatically. You can selectively choose which individual updates (DATs, engine files, ePolicy Orchestrator agent or anti-virus software patches, etc.) are applied each time an update task runs. By default, all updates except DATs and anti-virus engines are disabled in all client tasks. The selective updating feature lets you save bandwidth by scheduling different updates for different software exactly when you need them. For example, DATs are updated frequently, so you will want one update task for them, probably running at least once per day. On the other hand, service packs for security products such as VirusScan Enterprise are released much less often. You can create a separate client update task that only updates VirusScan Enterprise patches and schedule it to run less frequently, perhaps once a week. Or, you can limit the network traffic generated by ePolicy Orchestrator even further by not scheduling this task at all, and instead running it manually when patches are released.

McAfee updates System Compliance Profiler rules about once per month, much less frequently than anti-virus DATs, which are updated weekly or several times per week. To conserve network bandwidth, especially if you are deploying ePolicy Orchestrator to a large network, consider creating a separate client update task for updating compliance scan rules and scheduling it to run less frequently than your DAT update task. For example, while you might schedule your DAT client update task to run several times per day, try scheduling your System Compliance Profiler rules update task for once a week. Alternatively, you could configure it to Run Immediately and leave it disabled, enabling it manually only when McAfee posts updated rules. Keep in mind that a computer scanned with an older rule set can report as compliant while missing patches that the current rules would flag, so do not let the rules update interval fall behind your own patch review cycle.
To configure an existing client update task to also update your pre-defined McAfee System Compliance Profiler rules:
1 In the ePolicy Orchestrator console tree, select the Directory node for which you want to configure the task (either the Directory root, or a site, group, or individual computer).
2 In the upper details pane, select the Tasks tab.
3 Double-click your ePolicy Orchestrator Agent Update task.
4 In the ePolicy Orchestrator Scheduler dialog box, select the Task tab and click Settings.
5 In the Task Settings dialog box, select System Compliance Profiler Rules from the list of Signatures and Engines.

Figure 4-7 Task Settings dialog box

6 Click Apply to save the changes. ePolicy Orchestrator pushes the changes to the client update task to each client the next time that computer's agent calls into the ePolicy Orchestrator server. The update task runs on the client at the next scheduled time.

The global updating functionality of ePolicy Orchestrator uses the same selective updating feature as the agent update client task. In global updating, selective updating lets you control what kinds of updates trigger a global update. By default, a global update is triggered only if DAT or engine files are checked into the master repository. Configure global updating on the Settings tab of the ePolicy Orchestrator console. To include compliance rules in global updating, select the System Compliance Profiler rules option. See the ePolicy Orchestrator Product Guide for more information on this and on using the global updating feature.
When you scan network computers using System Compliance Profiler, the ePolicy Orchestrator agent on these computers sends the scan results to the ePolicy Orchestrator server. To review the results, you run reports using the ePolicy Orchestrator reporting feature. This section provides an overview of how to create System Compliance Profiler reports in ePolicy Orchestrator. Once you generate a report, you can:
Save the report in several formats, including HTML, RTF and XLS (Microsoft Excel).
Print the report.
Refresh the report.
Search the report.
For more information on these actions and on reporting, see your ePolicy Orchestrator documentation.

What's in this chapter
System Compliance Profiler reports
About running System Compliance Profiler reports in ePolicy Orchestrator
Generating System Compliance Profiler reports
Severity Details
Group Details
Rule Details
Enable System Compliance Profiler reports before running them the first time
This section covers a few things you may need to do to enable new System Compliance Profiler reports with ePolicy Orchestrator.

Deploy System Compliance Profiler to the ePolicy Orchestrator server if using ePolicy Orchestrator 3.0.x
If you are running System Compliance Profiler 1.1 with ePolicy Orchestrator version 3.0.x, you must deploy System Compliance Profiler to your ePolicy Orchestrator server in order for reports to work properly. Install System Compliance Profiler on your ePolicy Orchestrator server as you would install it on any computer in your network. You can install it manually or use the ePolicy Orchestrator deployment task. See Chapter 3, Deploying the System Compliance Profiler client scanner, for more details on how to install System Compliance Profiler on client computers, including the ePolicy Orchestrator server.

Log in to the database with ePolicy Orchestrator admin credentials the first time
The first time you access your System Compliance Profiler reports after installing or upgrading the software, you may need to log in to the ePolicy Orchestrator Reporting feature using your ePolicy Orchestrator admin credentials. Afterward, you can log in using any credentials, such as SQL credentials for your database server. The admin credentials are needed only for this first login; for routine report generation, use an account that has only the database rights reporting requires rather than the ePolicy Orchestrator admin account. To perform the first login:
1 Start ePolicy Orchestrator and log on to your server.
2 In the console tree, expand Reporting.
3 Expand ePO Databases. Your ePolicy Orchestrator server name should appear below this node.
4 Select your server name to open the ePO Database Login dialog box.
5 Enter the user name and password for your ePolicy Orchestrator admin account.

Figure 5-1 Log into the database using ePolicy Orchestrator admin credentials

6 Make sure the Authentication type is set to ePO authentication.
7 Click OK. Wait while ePolicy Orchestrator downloads the new reports for System Compliance Profiler. You can now generate System Compliance Profiler reports using the event data stored on this ePolicy Orchestrator server.
Make sure the latest scan results are in the database before running reports
You cannot create System Compliance Profiler reports unless you have data to base them on. This data comes from computers running System Compliance Profiler. These computers collect data during the scans that you set up, then send it to the server each time the ePolicy Orchestrator agent communicates with the server. At each agent ASCI, the data is stored in the ePolicy Orchestrator database for use in your reports. There is always a delay between when a computer finishes a scan and when you can run reports based on its results in ePolicy Orchestrator. Two major factors influence this delay:
The completeness of a scan. If a scan fails to finish, System Compliance Profiler may not pass complete results to ePolicy Orchestrator.
The agent-to-server communication interval (ASCI). Your System Compliance Profiler computers communicate with ePolicy Orchestrator at specific intervals, via ePolicy Orchestrator agents. If a scan finishes shortly after an agent/server update, the agent does not pass on the scan results until its next agent/server communication. By default the agent ASCI is set to 60 minutes.
The agent-to-server communication interval is determined by your ePolicy Orchestrator Agent policy settings. You can lower the default values to reduce the communication lag between System Compliance Profiler and ePolicy Orchestrator. The key settings are the Agent to Server communication interval on the General tab, and the Event Forwarding settings on the Events tab of the ePolicy Orchestrator Agent | Configuration policy pages. See the ePolicy Orchestrator documentation for more information.
Performing an agent wakeup call
You can also force ePolicy Orchestrator to collect agent information between communication intervals by performing an Agent Wakeup Call.
1 In the ePolicy Orchestrator Directory, right-click the name of the site, group, or computer that you want to update.
2 Select Agent Wakeup Call. The Agent Wakeup Call dialog box appears.
3 Under Type, select Send Agent wakeup call.
4 Change the Agent randomization interval to 0. This forces ePolicy Orchestrator to update the ePO agent(s) immediately.
5 Select Get full product properties.
6 Click OK to send the agent wakeup call.
Setting the randomization interval to 0 makes every agent in the selected site or group call in at the same moment. For a large group, send the wakeup call to smaller groups in turn, or keep some randomization, so that the simultaneous connections do not overload the ePolicy Orchestrator server.
To generate a report for System Compliance Profiler:
1 In the ePolicy Orchestrator console tree, expand Reporting, then ePO Databases.
2 Double-click the name of your ePolicy Orchestrator server to expand it. Reports, Queries, and Events should appear below the server name.
ePolicy Orchestrator displays a list of all System Compliance Profiler reports. If the reports don't appear in the expanded list, see Enable System Compliance Profiler reports before running them the first time on page 49.
4 Select the report that you want to run. See System Compliance Profiler reports on page 46 for a list. ePolicy Orchestrator asks whether you want to customize the report.
5 Do one of the following:

Table 5-6
To                               Do
Generate the report immediately  Click No. Skip the rest of this procedure.
Customize the report             Click Yes.

6 In the customization dialog box, set up any filters that you want to apply.

Table 5-7 (the tab names are not recovered in this copy; each tab is used to do one of the following)
Filter the results based on rule description criteria.
Identify which IP addresses you want to see results from.
Identify which levels of rule violations you want to see results from.
Filter based on when rule violations occurred.
Identify which network domain(s) you want to see results from.
Identify which ePolicy Orchestrator site(s) you want to see results from.
Filter based on a specific operating system version (for example, Windows 2000).
Filter based on a specific operating system type (for example, Server or Workstation).
Identify which computers you want to see results from.

7 Click OK. ePolicy Orchestrator generates the report and displays it in the details pane.
This section provides answers to common situations that you might encounter when installing or using the System Compliance Profiler software. It answers common questions concerning:
Installations
Policies
Scans
Reports

Installations
How can I verify that System Compliance Profiler deployed properly?
There are two ways to check whether the System Compliance Profiler software is deployed on a remote computer:
In the ePolicy Orchestrator console: In the console tree, select the name of the remote computer. Select the Properties tab from the Details pane. System Compliance Profiler should appear in the list of installed applications.
On the client computer: Find the ePolicy Orchestrator agent icon in the system tray. Right-click it, and select About. System Compliance Profiler should appear in the Version Information list.

Note: To access the agent About dialog box from the client computer, you must enable the user interface for the ePolicy Orchestrator agent. This option is disabled by default. To enable the interface on the client, use the agent policy pages in the ePolicy Orchestrator console to select the Show agent tray icon option. See the ePolicy Orchestrator documentation for details.

Can I deploy System Compliance Profiler using third-party software?
Yes. To deploy System Compliance Profiler using a third-party tool, configure your deployment software to distribute and execute PatchScanInstaller.exe on target computers. Because the installer runs silently, with no prompt to confirm what is being installed, distribute only the copy of PatchScanInstaller.exe that you checked in to ePolicy Orchestrator, and confirm that the copy your tool stages matches it (an MD5 hash of the installer, generated as described under File-based scanning and MD5 hashes, is one way to do this).

If you are using ePolicy Orchestrator 3.0.x, you must deploy the software to your ePolicy Orchestrator server in order for compliance reporting to work (this is not required with ePolicy Orchestrator 3.5 or 3.6). Also, be sure to deploy ePolicy Orchestrator agents to all computers to which you deploy System Compliance Profiler. Furthermore, before you can use the deployed software, you must:
Manually install the System Compliance Profiler NAP on your ePolicy Orchestrator server (see Chapter 2, Adding System Compliance Profiler to ePolicy Orchestrator).
Set up rules and scan tasks in ePolicy Orchestrator (see Using compliance rules and scans on page 29).
ePolicy Orchestrator then detects the deployed System Compliance Profiler software and sends out rules and scan tasks. To remove the System Compliance Profiler software, configure your deployment tool to run PatchScanInstaller.exe /u from either the target computer's system32 or system directory.
Policies
Can I share rules with other System Compliance Profiler administrators? Yes. You can copy a System Compliance Profiler rule, group, or archived rule set, and send the data to other users in plain text format. You can also take data that they send you and paste the plain text version directly into a System Compliance Profiler rule group. For more information, see Importing and exporting rules to and from plain text on page 39. Can I export and import policies using ePolicy Orchestrator? Yes, you can use ePolicy Orchestrators policy export feature to create a copy of a System Compliance Profiler rule set. See your ePolicy Orchestrator documentation for details. Note, however, that when you import the policy, it overwrites all custom, predefined, and archived rules. To avoid affecting a users templates and archived rule sets, use the System Compliance Profiler text export and import features. See Importing and exporting rules to and from plain text on page 39.
Scans
How do I determine whether a scan finished properly? Generate a System Compliance Profiler report and look for results. Check the ePolicy Orchestrator agent log on the scanned computer. When a scan runs successfully, the following entry appears in the ePolicy Orchestrator agent log:
The task <TaskName> is successful.
55
on-demand scan task in ePolicy Orchestrator. See Scheduling System Compliance Profiler on-demand scan tasks on page 41. Can I run a System Compliance Profiler scan from a remote computer? No, you cannot start a System Compliance Profiler task manually on a remote computer. The System Compliance Profiler software is entirely managed by ePolicy Orchestrator.
Reports
Why don't I see any System Compliance Profiler reports in ePolicy Orchestrator? If you are using ePolicy Orchestrator 3.0.x, make certain that you added the Patch_Reports.nap file to the ePolicy Orchestrator Repository. The reporting NAP is added automatically with ePolicy Orchestrator 3.5 and 3.6. (See Adding System Compliance Profiler to the ePolicy Orchestrator server on page 20). Try logging into the ePolicy Orchestrator Reporting feature using your ePolicy Orchestrator admin credentials instead of an NT or SQL account. You only need to do this the first time you access reports. Afterward, you can log in using any credentials. (See If you only want to run a report on one site or group on page 51.) Why don't I see scan results in my reports? If you are using ePolicy Orchestrator 3.0.x, make certain that you deployed the System Compliance Profiler software to your ePolicy Orchestrator server as well as to your remote computers. If you do not deploy the software to the ePolicy Orchestrator server, your reports will not work properly. (See Removing System Compliance Profiler from the ePolicy Orchestrator server on page 22.) Make certain that you created and scheduled a System Compliance Profiler scan task in ePolicy Orchestrator. (See Scheduling System Compliance Profiler on-demand scan tasks on page 41.) Make certain that System Compliance Profiler had enough time to report its scan results to ePolicy Orchestrator. There is a time delay between when a scan runs and when the scan results become available to ePolicy Orchestrator, depending on your ASCI. (See About running System Compliance Profiler reports in ePolicy Orchestrator on page 49.) Make certain that System Compliance Profiler should be reporting results. If a computer complies with all your System Compliance Profiler rules, and has never violated them, then you will not see results for that computer in most reports. 
Only the Compliance/Non-Compliance Summary report shows compliant computers; all other reports show only rule violations.
56
Why do I get the following error message in my report: Please verify that the System Compliance Profiler is deployed to your ePolicy Orchestrator server and that you have received data from the deployed System Compliance Profilers. This message appears in your reports if: If you are using ePolicy Orchestrator 3.0.x, you did not deploy the System Compliance Profiler software to your ePolicy Orchestrator server. (See Removing System Compliance Profiler from the ePolicy Orchestrator server on page 22.) Your deployed System Compliance Profilers have not yet returned the results from scans that you set up. (See About running System Compliance Profiler reports in ePolicy Orchestrator on page 49.) What does Unknown Scan Results mean? This message appears in your reports to indicate that System Compliance Profiler does not have the most up-to-date scan results for specific computers or groups. This occurs each time you set up new rules for your System Compliance Profiler scans. When you do this, the software changes the status of all your existing System Compliance Profiler computers to Unknown. They remain in that state until they finish a scan using the new rules, and return those scan results to ePolicy Orchestrator. Once computers return results using the latest set of System Compliance Profiler rules, their status in reports changes to something more informative. To apply your latest System Compliance Profiler rules and get scan results faster, perform an Agent Wakeup Call in ePolicy Orchestrator. See Performing an agent wakeup call on page 51.
This section provides metrics for the amount of bandwidth that System Compliance Profiler uses during scans, and the amount of space it uses in ePolicy Orchestrator tables.
Network bandwidth
System Compliance Profiler scans do not require many local or network resources. While the exact amount of network traffic will vary based on how many rules a given computer receives, the average bandwidth requirement is approximately 200 bytes per rule.
Sample data
Table A-1

Policy file contains                        Policy file size
Five patch-based rules                      661 bytes
Sixty rules (fifteen of each rule type)     20,327 bytes
Sample data
Table A-2

Scan details             Table space used
Five rules, failed       5,248 bytes
Five rules, passed       6,148 bytes
Twenty rules, failed     19,544 bytes
Twenty rules, passed     22,944 bytes
Sixty rules, failed      35,744 bytes
Sixty rules, passed      44,564 bytes
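The two tables give only a handful of sample points. As an added example (not from the McAfee guide), the following Python interpolates those points, together with the stated 200-bytes-per-rule average, to size policy traffic and ePolicy Orchestrator table space for a deployment of a given number of computers and rules; values outside the sampled range are extrapolated estimates, not measurements.

```python
"""Capacity estimate for System Compliance Profiler deployments.

Added example, not from the McAfee guide: it interpolates the sample
figures in Table A-1 (policy file size) and Table A-2 (ePolicy
Orchestrator table space per scan) to estimate what N computers running
R rules will cost in policy traffic and database space.
"""
from bisect import bisect_left

# Sample data copied from Table A-1: (rules in policy file, policy bytes)
POLICY_FILE_BYTES = [(5, 661), (60, 20327)]
# Sample data copied from Table A-2: (rules scanned, table space bytes),
# one series for an all-failed scan and one for an all-passed scan
TABLE_SPACE_BYTES = {
    "failed": [(5, 5248), (20, 19544), (60, 35744)],
    "passed": [(5, 6148), (20, 22944), (60, 44564)],
}
NOMINAL_BYTES_PER_RULE = 200  # the guide's stated average per rule


def interpolate(points, x):
    """Piecewise-linear interpolation through (x, y) points sorted by x.
    Beyond the sampled range the nearest segment is extended (an estimate)."""
    xs = [p[0] for p in points]
    i = min(max(bisect_left(xs, x), 1), len(points) - 1)  # segment i-1..i
    (x0, y0), (x1, y1) = points[i - 1], points[i]
    return y0 + (y1 - y0) * (x - x0) / (x1 - x0)


def estimate(computers, rules):
    """Byte estimates for one policy push and one scan across a deployment.
    Both scan outcomes are given because Table A-2 shows that a scan where
    every rule passes stores more data than one where every rule fails."""
    policy_each = interpolate(POLICY_FILE_BYTES, rules)
    passed_each = interpolate(TABLE_SPACE_BYTES["passed"], rules)
    failed_each = interpolate(TABLE_SPACE_BYTES["failed"], rules)
    return {
        "policy_bytes_nominal": computers * rules * NOMINAL_BYTES_PER_RULE,
        "policy_bytes_table_a1": round(computers * policy_each),
        "table_space_passed": round(computers * passed_each),
        "table_space_failed": round(computers * failed_each),
    }


if __name__ == "__main__":
    # e.g. 1,000 computers on the sixty-rule sample policy
    for key, val in estimate(1000, 60).items():
        print(f"{key:>22}: {val:,} bytes")
```

Note that the Table A-1 figures imply roughly 340 bytes per rule for the sixty-rule policy, so the nominal 200-bytes-per-rule estimate and the table-based one are both reported for comparison.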
Index

A
accessing reports, 51
agents, 11
agents, ePolicy Orchestrator
    wakeup calls, 51
audience for this manual, 14
AVERT Anti-Virus & Vulnerability Emergency Response Team
    contacting, 18
    DAT notification service, 18
    WebImmune, 18

B
bandwidth requirements, 11
beta program, contacting, 17

C
consulting services, 18
contacting McAfee, 17
customer service, contacting, 18

D
DAT file
    updates via AVERT notification service, 18
    updates, web site, 18
default rule groups, 31
delays, report, 49
documentation for the product, 15
download web site, 18

E
ePolicy Orchestrator
    and System Compliance Profiler, 11
    interface, 12
    reports, 51
ePolicy Orchestrator agents
    wakeup calls, 51
ePolicy Orchestrator Reports
    introduction, 46
exporting rules, 31, 39

F
frequently asked questions, troubleshooting, 54

G
generating reports, 51
getting information, 15
    list of contacts, 17

I
importing rules, 31, 39
installation
    deploying System Compliance Profiler agents, 25

M
manuals, 15
McAfee University, contacting, 18

N
new features, 5
notification service, DAT updates, 18

O
on-site training, 18

P
policy settings, Windows, 25
PrimeSupport, 17
product documentation, 15
product information, resources, 15
product overview, 11
product training, in-house, 18

R
reports
    accessing, 51
    generating, 51
    overview, 46
requirements
    bandwidth, 11
    server and console, 19
    system, 19, 24
resources for information, 15
rule groups
    default, 31
rules
    exporting, 31, 39
    groups, 31

S
scan results
    retrieving, 49
scan tasks, 11
security headquarters, contacting AVERT, 18
service portal, PrimeSupport, 17
sharing rules, 39
submitting a sample virus, 18
System Compliance Profiler
    and ePolicy Orchestrator, 11
    reports, 51
system requirements, 19, 24

T
tasks, scan, 11
technical support
    accessing from the product, 16
    contact information, 17
templates, 31
training web site, 18
training, on-site, 18
troubleshooting FAQs, 54

U
upgrade web site, 18
using this guide, 14
    typeface conventions and symbols, 14

V
Virus Information Library, 16, 18
virus, submitting a sample
    web site, 18

W
wakeup call, ePolicy Orchestrator agent, 51
WebImmune, 18
what's new in this release, 5
Windows policy settings, 25