
Release Notes for McAfee(R) VirusScan(R) Enterprise
Version 8.0i with Patch 1
Copyright (C) 2004 Networks Associates Technology, Inc.
All Rights Reserved

==========================================================
- DAT Version:    4382
- Engine Version: 4.3.20

==========================================================

Thank you for using VirusScan(R) Enterprise software. This file contains important information regarding this release. We strongly recommend that you read the entire document.

IMPORTANT: McAfee does not support automatic upgrading of a pre-release version of the software. To upgrade to a production release of the software, you must first uninstall the existing version of the software.

__________________________________________________________
WHAT'S IN THIS FILE

New Features
Changed Features
Installation & System Requirements
 - Testing Your Installation
Resolved Issues
 - Version 8.0i with Patch 1
 - Version 8.0i
Known Issues
 - Installing, Upgrading, and Uninstalling
 - Compatibility with other products
 - Alert Manager(TM)
 - Common Management Agent
 - ePolicy Orchestrator(R)
 - GroupShield(TM)
 - ProtectionPilot(TM)
 - Third Party Software
 - Access Protection
 - Adding File Type Extensions
 - AutoUpdate
 - Buffer Overflow Protection
 - Log File Format
 - Lotus Notes
 - Mirror Tasks
 - Scanning
 - Unwanted Programs Policy
Documentation
Participating in the McAfee Beta Program
Contact Information
Copyright & Trademark Attributions
License & Patent Information

__________________________________________________________ NEW FEATURES This version of VirusScan Enterprise provides several new features that help to prevent and more effectively detect intrusions: Product Version Number The new version is 8.0i. The product version number has changed from 7.1 to 8.0 to reflect the major changes within the product since the last release. See the following "New Features" and "Changed Features" for more information. The "i" has been added to represent that McAfee VirusScan Enterprise is the first anti-virus product in the world that contains proactive Intrusion Prevention Systems (IPS) protection capabilities. These IPS capabilities are provided in the Buffer Overflow Protection feature which comes from McAfee Entercept, our host intrusion prevention security product. Access Protection. Use this feature to prevent intrusions by restricting access to ports, files, shares, and folders. You can block ports by creating rules to specify which ports to block and whether to restrict access to inbound or outbound processes. You can also exclude processes from the rule if you want a specific process, or list of processes, to be allowed access to the otherwise blocked port. When you block a port, both TCP and UDP accesses are blocked. You can restrict access to shares by making them read-only or blocking read and write access to all shares. You can block files and folders by creating rules that specify which processes to block from the files or folders you define, which file actions to prevent, and what action to take when an attempt is made to access a blocked item. These Access Protection features can be very effective in preventing intrusions. In the event of an outbreak, the administrator can block access to the infected areas until a DAT is released.
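A pre-deployment check for the port-blocking rules described above, as an added example (not McAfee code and not the product's rule format): a simplified model of a rule with its excluded-process list, run against network flows that must keep working. The rule name, the exclusion list and the flows are constructed; the mapisp32.exe case mirrors the port 25 issue listed under Resolved Issues.

```python
"""Pre-deployment review of port-blocking rules (simplified, hypothetical model)."""
from dataclasses import dataclass

SEVERITY = {"allow": 0, "warn": 1, "block": 2}


@dataclass(frozen=True)
class PortRule:
    name: str            # label used in the report (hypothetical, not a product rule name)
    ports: frozenset     # port numbers; there is no protocol field, so TCP and UDP both match
    direction: str       # "inbound" or "outbound"
    mode: str            # "off", "warn" or "block"
    excluded: frozenset  # lower-cased process image names allowed through the rule

    def verdict(self, process, port, direction):
        """Return what this rule alone does to one access attempt."""
        if self.mode == "off":
            return "allow"
        if port not in self.ports or direction != self.direction:
            return "allow"
        if process.lower() in self.excluded:  # Windows image names are case-insensitive
            return "allow"
        return self.mode


def make_rule(name, ports, direction, mode, excluded=()):
    """Validate the settings and normalise process names before building a rule."""
    if direction not in ("inbound", "outbound"):
        raise ValueError(f"bad direction: {direction!r}")
    if mode not in ("off", "warn", "block"):
        raise ValueError(f"bad mode: {mode!r}")
    return PortRule(name, frozenset(ports), direction, mode,
                    frozenset(p.lower() for p in excluded))


def with_exclusions(rule, extra):
    """Return a copy of the rule with more processes on its exclusion list."""
    return make_rule(rule.name, rule.ports, rule.direction, rule.mode,
                     set(rule.excluded) | set(extra))


def evaluate(rules, process, port, direction):
    """Apply every rule; the strongest verdict wins. Returns (verdict, rule name)."""
    worst = ("allow", None)
    for rule in rules:
        v = rule.verdict(process, port, direction)
        if SEVERITY[v] > SEVERITY[worst[0]]:
            worst = (v, rule.name)
    return worst


def review(rules, expected_flows):
    """List the flows that are expected to work but would be warned on or blocked."""
    findings = []
    for process, port, direction, protocol in expected_flows:
        v, rule_name = evaluate(rules, process, port, direction)
        if v != "allow":
            findings.append((process, f"{protocol}/{port}", direction, v, rule_name))
    return findings


# Constructed sample data: one outbound port 25 rule in blocking mode whose
# exclusion list holds two mail clients, and the flows the site relies on.
SMTP_RULE = make_rule("block-outbound-smtp", [25], "outbound", "block",
                      excluded=["outlook.exe", "msimn.exe"])
EXPECTED_FLOWS = [
    ("OUTLOOK.EXE", 25, "outbound", "tcp"),   # excluded, case-insensitive match
    ("mapisp32.exe", 25, "outbound", "tcp"),  # Outlook's POP3 helper, not excluded
    ("iexplore.exe", 80, "outbound", "tcp"),  # port not covered by the rule
]

if __name__ == "__main__":
    print("before:", review([SMTP_RULE], EXPECTED_FLOWS))
    fixed = with_exclusions(SMTP_RULE, ["mapisp32.exe"])
    print("after: ", review([fixed], EXPECTED_FLOWS))
```

Any finding in the first report is a legitimate program that the rule would stop, which is the condition to clear before moving a rule from warning mode to blocking mode.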

NOTE: If you block a port that is used by the ePolicy Orchestrator agent or the Entercept agent, the agent's processes are trusted by the filter and are allowed to communicate with the blocked port. All other traffic not related to these agent processes will be blocked. This version of VirusScan Enterprise provides some sample port blocking rules and some sample file and folder blocking rules. With a default installation, some of these rules are in warning mode and others are in blocking mode. WARNING: These rules have been chosen to protect against a broad range of common threats but they may also block legitimate activity. Before deploying VirusScan Enterprise, we recommend that you review these rules to ensure they are suitable for your environment. Things to consider: Whitelists. Each Port Blocking rule includes a list of applications which are excluded from being blocked. These lists have been populated with many of the most common e-mail clients and web browsers. Be certain to review each of these lists to ensure they include all programs that are allowed to send email and download files. Including these programs in the whitelist ensures that these programs will not be blocked. Blocking of file system activity that originates on the network. Some rules such as "Prevent remote creation/modification/deletion of files (.exe)" are very effective at stopping viruses that copy themselves from share to share. However, they may also block management systems that rely on pushing files to workstations. For example, when the ePolicy Orchestrator server deploys an agent, it does this by pushing the agent installer onto the workstations' administrative share and running it. Be certain to select the correct mode (off, warn or block) for each rule before deployment. McAfee Installation Designer can be used to configure a VirusScan package for deployment. WARNING: The default rules cannot provide complete protection for your environment. The

restrictions that you need depend on your environment. The rules that we provide are examples of what the feature can do and how rules can be used to prevent some specific threats. As new threats are discovered, the Virus Information Library will provide recommendations on how access protection rules can be used to block these new threats. Access the Virus Information Library at this location: http://vil.mcafee.com Source IP (On-access scanning). When the on-access scanner detects a virus written to a file share, it displays the Source IP for the detection in the on-access scan statistics dialog box and the on-access scan messages dialog box. Blocking (On-access scanning). Use this feature to block further access by remote computers that have placed infected files in a shared folder. You can specify how long to block these connections. If you want to unblock all connections before the specified time limit, you can do so from the on-access scanning statistics dialog box. Buffer Overflow Protection. Use this feature to block exploited buffer overflows from executing code on your computer. Buffer Overflow Protection detects code starting to run from data in a heap or stack and prevents that code from running. It does not stop data from being written to the heap or stack. Do not rely on the exploited application remaining stable after being exploited, even if Buffer Overflow Protection stops the exploited code from running. VirusScan Enterprise protects against buffer overflows for approximately 30 of the most commonly used and exploited software applications and Microsoft Windows services. These protected applications are defined in a separate Buffer Overflow Protection Definitions (DAT) file. This DAT file is available for download along with the Virus Definitions file during regular updates. As of the date of this product release, these applications are included in the Buffer Overflow Protection Definitions file: dllhost.exe

EventParser.exe excel.exe explorer.exe frameworkservice.exe ftp.exe iexplore.exe inetinfo.exe lsass.exe mapisp32.exe mplayer2.exe msaccess.exe msimn.exe mstask.exe msmsgs.exe NaimServ.exe Naprdmgr.exe outlook.exe powerpnt.exe rpcss.exe services.exe sqlservr.exe SrvMon.exe svchost.exe visio32.exe VSEBOTest.exe w3wp.exe winword.exe wmplayer.exe wuauclt.exe This list will change when the Buffer Overflow Protection Definitions file is updated.

Unwanted Programs Policy. Use this feature to detect and take action on unwanted programs, such as spyware, adware, dialers, jokes, etc. You can select whole categories of programs or specific programs within those categories from a pre-defined list which comes from the current DAT file. You can also add your own programs to detect. Configuration is a two-step process: First, you configure what programs to detect in the Unwanted Programs Policy. This policy is enabled by default in each of the scanner's property pages. Second, you independently configure each of the scanners (on-access scanner, on-demand scanner, and e-mail scanners) to specify what actions you want the scanner to take when an unwanted program is detected. The actions you specify here are independent of your other scan settings.

The actual detection and subsequent cleaning of unwanted programs is determined by the DAT file, just as it is for a virus. If you detect a program and you have the primary action set to "Clean," the DAT file tries to clean the program using the information in the DAT file. If the detected program cannot be cleaned, or is not in the DAT file, for example a user-defined program, the clean action fails and the secondary action is taken. If you select "Delete" only the process defined as unwanted is deleted and modified registry keys may be left intact. Script Scanning (On-access scanning). Use this feature to scan JavaScript and VBScript scripts before they are executed. The script scanner operates as a proxy component to the real Windows scripting host component. It intercepts the execution of a script, for example an Internet Explorer web page script, and scans it. If the script is clean, it is passed on to the real host. If the script is infected, it is not executed. Lotus Notes (E-mail scanning). Both the on-delivery e-mail scanner and the on-demand e-mail scanner now scan Lotus Notes messages and databases, in addition to MAPI-based e-mail, such as Microsoft Outlook. You configure one set of properties that applies to whichever e-mail client you have installed. The client scanners have some behavior differences that are described in the E-mail Scanning section of the Product Guide. For example, Microsoft Outlook messages are scanned on delivery, but Lotus Notes mail is scanned when it is accessed. Selective Updating (AutoUpdate). Selectively update just the DAT file, scanning engine, product upgrades, HotFixes, Patches, or Service Packs, etc., using the AutoUpdate task in the VirusScan Console. If you are managing VirusScan Enterprise with ePolicy Orchestrator, the selective updating feature is only available in ePolicy Orchestrator 3.5 or later. It does not work with earlier versions of ePolicy Orchestrator. Alert Manager Local Alerting. 
Generate SNMP traps and local event log entries without installing Alert Manager Server locally.

Repair Installation. A new item in the VirusScan Console Help menu allows you to repair the installation. You have the option of restoring the product to the original installation settings or reinstalling the program files. The user must have administrative rights to perform these functions. The administrator can protect this feature by setting a password for it from the User Interface Options, Password Options dialog box.

WARNING: Customized settings will be lost when restoring the product to the original installation settings. HotFixes, Patches, and Service Packs will be overwritten when reinstalling the program files.

Error Reporting Service. When enabled, the Error Reporting Service provides constant background monitoring of Network Associates applications and prompts the user when it detects a problem. When an error is detected, the user can choose to either submit data for analysis or ignore the error. Enable the Error Reporting Service from the Tools menu in the VirusScan Console.

_____________________________________________________
CHANGED FEATURES

These features have changed since the previous release of VirusScan Enterprise:

Daily Updating (AutoUpdate). The default AutoUpdate task schedule has been changed from Weekly to Daily. The schedule can be modified by the administrator.

Default Download Site (AutoUpdate). When performing an AutoUpdate, the default download site is now HTTP with the FTP site as the secondary site. See the VirusScan Enterprise Product Guide for more information.

System Utilization (On-demand scanning). CPU utilization has been changed to system utilization. When an on-demand scan starts, the

feature takes CPU and IO samples over the first 30 seconds, then scans based on the utilization level you specified in the on-demand scan properties. This provides more realistic scaling of both CPU and disk resources. Resumable Scanning. The on-demand scanner has been changed to perform true resumable scanning. The scanner automatically resumes scanning where it left off if the scan is interrupted before it completes. The incremental scan feature of the scanner recognizes the last file it scanned, so the next time it starts, it resumes from where it left off. Scanning of Compressed Files. The "Scan compressed files" option has been removed from the scanning options because the feature has been permanently enabled in each of the scanners. The scanner always scans compressed files. __________________________________________________________ INSTALLATION AND SYSTEM REQUIREMENTS See the product documentation for complete information on installation and system requirements. TESTING YOUR INSTALLATION You can test the operation of the software by running the EICAR Standard AntiVirus Test File on any computer where you have installed the software. The EICAR Standard AntiVirus Test File is a combined effort by anti-virus vendors throughout the world to implement one standard by which customers can verify their anti-virus installations. To test your installation: 1. Copy the following line into its own file, then save the file with the name EICAR.COM. X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* The file size will be 68 or 70 bytes. 2. Start your anti-virus software and allow it to scan the directory that contains EICAR.COM. When VirusScan Enterprise scans this file, it will report finding the EICAR test file. 3. Delete the file when you have finished testing

your installation to avoid alarming unsuspecting users. IMPORTANT: Please note that this file is NOT A VIRUS. __________________________________________________________ RESOLVED ISSUES This section describes issues that have been resolved in this release. Version 8.0i with Patch 1 1. ISSUE: Memory leaks in the TDI driver. Also, on IA 64 systems only, an unaligned memory reference caused an exception. RESOLUTION: This release includes Patch 1, which updated the TDI driver, MVSTDIxx.SYS (where xx can be 4x, 5x, 5a or 5i, depending on your operating system or processor architecture) to resolve the above issues. 2. ISSUE: Using Access Protection to block port 25 stops the process mapisp32.exe from sending mail. The process mapisp32.exe is used by Microsoft Outlook when it is configured for POP3 mail, causing Outlook to appear to hang. RESOLUTION: The process mapisp32.exe has been added to the default list of Excluded Processes for blocking port 25. Version 8.0i 1. ISSUE: The VirusScan Enterprise 7.1 on-access scanner could take action on data contained in quarantine folders of other McAfee anti-virus or security products, unless you excluded those folders from scanning. For example, if you were using McAfee GroupShield or IntruShield on the same computer where VirusScan Enterprise resided, their respective quarantine folders might contain legitimate infected data. Those quarantine folders should have been excluded from on-access scanning to avoid the possibility of cleaning, deleting, or moving the legitimate infected data. RESOLUTION: The installer detects the other products and adds exclusions for them. 2. ISSUE:

Resumable scanning did not work for on-demand scan tasks created and deployed using ePolicy Orchestrator 3.0. This occurred if the on-demand scan that was created in ePolicy Orchestrator ended before the scan completed (due to system shutdown, etc.). When the on-demand scan task started again, it began scanning at the beginning, rather than resuming from the last file scanned. RESOLUTION: Resumable scanning works correctly for on-demand scan tasks that were created and deployed using ePolicy Orchestrator. 3. ISSUE: When a user with user rights (as opposed to an administrator with administrator rights) rolled back DAT files, the following error occurred: "Failed to save the version of the DATs that have just been rolled back" This meant that VirusScan Enterprise failed to create the correct registry key identifying that the rollback had occurred. Because of this, performing an update could allow the rolled-back DATs to be reapplied. This could cause problems if the rolled-back DAT versions were corrupted (usually the reason for performing a DAT rollback). Normally, VirusScan Enterprise did not update DAT versions that had been rolled back. NOTE: This problem only occurred when a non-administrator performed the DAT rollback. When administrators performed it, the rolled-back DAT versions could not be applied through updating. RESOLUTION: Rolled-back DATs cannot be reapplied. 4. ISSUE: The VShield icon did not appear in the system tray when VirusScan Enterprise was deployed via ePolicy Orchestrator or when a silent installation was used. RESOLUTION: The VShield icon now displays in the system tray after deployment via ePolicy Orchestrator or when using a silent installation. 5. ISSUE: When installing VirusScan Enterprise to an Intel 64-bit processor-based system, the VSUPDATE.DLL file did not register correctly with the

REGSVR32.EXE. As a result, when an update was performed after installation, an error occurred and the following error message was displayed: "Error occurred while loading COM component." To correctly register the .DLL, enter the following command at the command prompt: "<drive>:\Winnt\syswow64\regsvr32.exe <installation path>vsupdate.dll" NOTE: If you are installing VirusScan Enterprise to the default location, the installation path is: <drive>:\Program Files\Network Associates\VirusScan\ RESOLUTION: This issue has been resolved in VirusScan Enterprise 8.0 _____________________________________________________ KNOWN ISSUES INSTALLING, UPGRADING, AND UNINSTALLING 1. An optional restart is required at the end of installation to load the TDI network driver. Port Blocking, Infection Trace, and Infection Trace Blocking are disabled until the computer is restarted. 2. Internet Explorer requirement. The VirusScan Enterprise 8.0 Installation Guide incorrectly lists the Internet Explorer requirement as version 5.0 or later. The Internet Explorer requirement is version 4.0 with Service Pack 2 or later. 3. If you plan to install VirusScan Enterprise 8.0 and use the AutoUpdate feature on a computer with a Windows NT4 operating system, you must first install Internet Explorer 4.0 with Service Pack 2 or later on that computer. If Internet Explorer 4.0 with Service Pack 2 or later is not installed before you begin installing VirusScan Enterprise 8.0 on a Windows NT4 operating system, error 1920 "Service Failed to Start" is generated and you are given the option to "Abort," "Retry," or "Continue" the installation. If you "Continue" the installation, the AutoUpdate component is not installed. If you decide later to install the AutoUpdate feature, you must first install Internet Explorer 4.0 with Service Pack 2 or later then completely remove VirusScan Enterprise 8.0 and re-install it.

4. If you are installing VirusScan Enterprise on a Windows NT4 Terminal Server using the uncompressed setup utility; "SETUPVSE.EXE", you must first switch the Terminal Server to "Install Mode" before you execute "SETUPVSE.EXE." For more information, see Knowledge Base article KB37558. 5. To install the VirusScan Enterprise product using MSIEXEC.EXE, complete these steps: a. Extract the .MSI and other files by entering this command at the command prompt: SETUP.EXE -nos_ne [-nos_o"<output path>"] NOTES: The -nos_ne command extracts the setup files from the SETUP.EXE, but does not execute the SETUP.EXE or delete the setup files. The -nos_o"<output path>" command specifies the folder to which you want to extract the setup files. If you do not specify the output path, the files are extracted to the user profile's "Temp" folder. b. Ensure that any competitor's products are removed including previous versions of McAfee VirusScan and VirusScan Enterprise. c. Run MSIEXEC.EXE by entering this command at the command prompt: "msiexec.exe /i vse800.msi" 6. When installing Buffer Overflow Protection, these limitations apply: If Buffer Overflow Protection is installed on a computer that already has the McAfee Entercept agent installed on it, the Buffer Overflow Protection feature is disabled in the VirusScan Console. The McAfee Entercept product provides more complete coverage, so it takes precedence over the Buffer Overflow Protection feature in VirusScan Enterprise. Buffer Overflow Protection cannot be installed on 64-bit platforms. When using Buffer Overflow Protection with Microsoft Windows XP Fast User Switching, only session 0 is protected.

Buffer Overflow Protection does not protect Terminal Sessions for Windows Terminal Server or Citrix MetaFrame. Only the local login is protected.

7. ScriptScan cannot be installed on 64-bit platforms. 8. Right-click scan cannot be installed on 64-bit platforms. 9. This release supports deployment using Administration Installation Points (AIP). However, you must run SETUP.EXE from the AIP to perform upgrades or to uninstall other anti-virus software. To create an AIP, type "setup.exe /a" at the command prompt. A wizard appears to take you through the process of creating the AIP. When the AIP is created, all of the necessary files in the compressed (.ZIP) file are also copied to the AIP. These files are: CMU300.NAP CONTACT.TXT EXAMPLE.SMS EXTRA.DAT INSTALL.PKG INSTMSIW.EXE PKGCATALOG.Z PACKING.LST README.TXT SETUP.INI SETUPVSE.EXE SIGNLIC.TXT UNINST.DLL UNINST.INI VSE800.NAP VSE800DET.MCS Since these files are automatically copied to the AIP, the administrator does not need to manually copy the files. NOTE: If you deploy VirusScan Enterprise via Active Directory group policies, which install using MSIEXEC.EXE, you must remove any existing anti-virus products prior to installing VirusScan Enterprise. 10. When silently over-installing the Computer Associates eTrust Antivirus program, the action is not completely silent. The Computer Associates eTrust Antivirus program displays a message box stating that a restart is needed with an "OK" button. Once you click "OK", the over-installation continues normally. This

problem is a known Computer Associates problem referenced on the Computer Associates' web site under article QO19636. The web site provides a downloadable file that fixes this problem. The problem references Computer Associates eTrust Antivirus version 6.0, but the fix also works for version 7.0.

COMPATIBILITY WITH OTHER PRODUCTS

Alert Manager

1. VirusScan Enterprise 8.0 can only send alerts to Alert Manager 4.7.x. It cannot send alerts to earlier versions of Alert Manager. Furthermore, VirusScan Enterprise 8.0 cannot be installed on a computer where an Alert Manager version earlier than 4.7.x is already installed. If you are installing VirusScan Enterprise 8.0 onto a system where Alert Manager 4.5 or 4.6 is installed, you should also install Alert Manager 4.7.x, which automatically replaces the older version of Alert Manager. However, also note that Alert Manager 4.7.x can receive alerts from earlier versions of NetShield and VirusScan. You can configure earlier versions of these software programs to send alerts to an installation of Alert Manager 4.7.x.

2. When installing Alert Manager on a Windows 2003 (.NET) Server, alert messages do not automatically display in VirusScan Enterprise 8.0. You must manually start the messenger service:
   a. From the Start menu, select Settings | Control Panel | Administrative Tools | Services | Messenger.
   b. Open the Messenger Properties dialog box.
   c. On the General tab under "Startup type," select "Automatic."
   d. On the General tab under "Service status," click "Start."
   e. Click "OK" to apply the changes and close the Messenger Properties dialog box.

Common Management Agent

1. Installing VirusScan Enterprise 8.0 in ePolicy Orchestrator 3.0.x does not automatically upgrade the Common Management Agent from an earlier version to 3.5. If you are using ePolicy Orchestrator 3.0.x and VirusScan Enterprise 7.x,

then add the VirusScan Enterprise 8.0 installation package to the ePolicy Orchestrator repository, the Common Management Agent is not upgraded to version 3.5. To upgrade the Common Management Agent from an earlier version to version 3.5, you must install Common Management Agent version 3.5, then push it to the clients or perform an update task. NOTE: Common Management Agent 3.5 is not required when using ePolicy Orchestrator to manage VirusScan Enterprise 8.0. The only differences between Common Management Agent version 3.5 and earlier versions are: - Common Management Agent 3.5 has the ability to perform selective updating and earlier versions perform updating as a whole. Selective updating allows you to individually update just a DAT, scanning engine, Patch, etc. - Common Management Agent 3.5 does not filter events on the client side. 2. Installing ePolicy Orchestrator 3.0.x fails if Common Management Agent 3.5 is already installed. If you attempt to install ePolicy Orchestrator 3.0.x on the same computer where you installed VirusScan 8.0, the ePolicy Orchestrator installation fails due to an issue with upgrading the Common Management Agent. Since VirusScan Enterprise 8.0 installs Common Management Agent version 3.5 and ePolicy Orchestrator 3.0.x installs an earlier version of the Common Management Agent, the agent cannot be upgraded and the installation fails. To resolve this issue, follow these steps: a. Remove VirusScan Enterprise 8.0. b. Install ePolicy Orchestrator 3.0.x. c. Re-install VirusScan Enterprise 8.0. d. To upgrade the Common Management from an earlier version to version 3.5 in ePolicy Orchestrator 3.0.x, install Common Management Agent 3.5 in ePolicy Orchestrator 3.0.x, then push it to the clients or perform an update task. ePolicy Orchestrator 1. If you are planning to use ePolicy Orchestrator to manage VirusScan Enterprise 8.0, you must use ePolicy Orchestrator version 3.0 with Service

Pack 1 or a later version. 2. Selective updating. To use the new selective updating feature, you must be using ePolicy Orchestrator 3.5 or later to manage VirusScan Enterprise. Earlier versions of ePolicy Orchestrator perform updates but do not support selective updating of just a DAT file, scanning engine, etc. 3. This version of VirusScan Enterprise 8.0 provides two .NAP files that must be added to the ePolicy Orchestrator repository. In addition, if you are running ePolicy Orchestrator version 3.0.x, you must run an update executable to fix an issue related to registering the event parser, after you add both of the .NAP files. NOTE: It is not necessary to run the update executable if you are using ePolicy Orchestrator version 3.5 or later. These files are included in the VirusScan Enterprise 8.0 installation package and can be found in the location where you downloaded the files: VSE800.NAP VSE800REPORTS.NAP. This file is an extended reports .NAP file. VSE800UPDATEFOREPO30.EXE. This file is an update executable.

a. Add both .NAP files to the ePolicy Orchestrator repository. NOTE: We recommend that you install the VSE800REPORTS.NAP file before you install the VSE800.NAP. Installing the .NAP files in this order prevents an issue with the VirusScan Enterprise English description that is displayed under Managed Products. See Known Issue number 8 in this section for more information.

b. If you are using ePolicy Orchestrator version 3.0.x, execute the VSE800UPDATEFOREPO30.EXE on the computer where ePolicy Orchestrator 3.x is installed.

This executable registers the event parser .DLL on ePolicy Orchestrator 3.0.x servers. This update fixes an issue with ePolicy Orchestrator that causes the event parser to not be correctly registered when the extended

reports .NAP is added. NOTE: See the VirusScan Enterprise 8.0 Configuration Guide for use with ePolicy Orchestrator for details. 4. Checking the VSEREPORTS.NAP file into the ePolicy Orchestrator version 3.01 or 3.02 repository may result in an "Unspecified error." This is a console time-out error which can be ignored. The server completes the execution of all of the SQL scripts in the .NAP file even if the console timed out. 5. If you are using Microsoft SQL Server version 7.0 with ePolicy Orchestrator 3.01 or later, on-demand scan tasks are not preserved when you check the VSE800.NAP file into the ePolicy Orchestrator Repository. You must have Microsoft SQL Server version 2000 or later installed to preserve on-demand scan tasks. 6. A replicated repository may become corrupted when replicating via UNC from an ePolicy Orchestrator server to a server that has these file blocking rules enabled in the Access Protection Properties: "Prevent remote modification of files (.exe)" "Prevent remote modification of files (.dll)" "Prevent remote creation/modification/deletion of anything in the system root" "Prevent remote creation/modification/deletion of files (.exe)" When these rules are enabled, some file replications are blocked because the ePolicy Orchestrator server remotely opens the files for write access and modifies their contents in the same way that a share-hopping worm performs. If you plan to replicate a repository via UNC from an ePolicy Orchestrator server, be certain to disable these file blocking rules on the target server before you perform the replication. 7. The ePolicy Orchestrator compliance baseline does not recalculate compliance when you remove items from the repository. For example, when you check VirusScan Enterprise 8.0 into the ePolicy Orchestrator repository, it

is flagged as the new compliance baseline for the environment. All computers with VirusScan Enterprise versions earlier than 8.0 are flagged as non-compliant. However, if you remove VirusScan Enterprise 8.0 from the repository, rather than recalculate compliance, the compliance baseline remains at version 8.0. The compliance baseline only increases incrementally, even if you re-check VirusScan Enterprise 7.1 into the repository. 8. The English description for VirusScan Enterprise 8.0 may not be available in the ePolicy Orchestrator Repository under Managed Products Windows VirusScan Enterprise 8.0.0 depending on the order in which you installed the two VirusScan Enterprise 8.0 .NAP files. If you installed the VSE800.NAP to the Repository before you installed the VSE800REPORTS.NAP, the English description is not available. If you installed the VSE800REPORTS.NAP before you installed the VSE800.NAP, the English description is available.

9. Disable event filtering in the ePolicy Orchestrator Event Filtering policy. VirusScan Enterprise generates many event IDs that are not listed in the ePolicy Orchestrator filter list. To ensure that all VirusScan Enterprise events are sent, disable event filtering in the policy: a. Log on to the ePolicy Orchestrator Console. b. Under "Reporting," select "ePO Databases" and expand it. c. Select the server and log in. d. Select "Events." e. In the right pane, select "Do not filter events." f. Click "Apply" to save these settings. GroupShield 1. If you plan to use GroupShield in addition to VirusScan Enterprise 8.0 and Alert Manager 4.7.1, be certain to install GroupShield before you install Alert Manager. This installation sequence is required to ensure alerting works correctly. ProtectionPilot

1. If you plan to use ProtectionPilot to manage VirusScan Enterprise 8.0i, you must use Protection Pilot version 1.0 with Patch 1 or later. 2. Checking the VSEREPORTS.NAP file into the ProtectionPilot repository may result in an "Unspecified error." This is a console time-out error which can be ignored. The server completes the execution of all of the SQL scripts in the .NAP file even if the console timed out. 3. Selective updating does not work with ProtectionPilot. This feature is only available in ePolicy Orchestrator 3.5 or later. Third Party Software 1. Spy Sweeper. If you are using Spy Sweeper to scan the VirusScan Enterprise installation folder, a false detection occurs when it detects BHO.DLL. This file is not spyware; it is a component of ScriptScan that is installed as part of VirusScan Enterprise. 2. Microsoft Windows XP with Service Pack 2. If you are using Microsoft Windows XP with Service Pack 2 and plan to manage VirusScan Enterprise with ePolicy Orchestrator, the Windows XP Firewall will block the ability to do so unless you add FRAMEWORKSERVICE.EXE to the Windows XP Firewall exclusions whitelist. For information about how to do this, refer to the Microsoft Knowledge Base Article 842242. 3. These third party products are not compatible with the Buffer Overflow feature of VirusScan Enterprise 8.0. If you find it necessary to use these products, we recommend that you disable the VirusScan Enterprise Buffer Overflow feature: Tiny Personal Firewall CyberArmour Firewall Zone Alarm Pro NOTE: When VirusScan Enterprise 8.0 and Zone Alarm Pro are both installed on the same computer, Zone Alarm Pro crashes. BlackIce Firewall NOTE: Install VirusScan Enterprise 8.0 before you install BlackIce Firewall to ensure they are compatible.

ACCESS PROTECTION

1. Ports associated with known vulnerabilities and exploits. Use this link to access a web site that provides top lists of exploited TCP ports.

   http://www.us-cert.gov/current/services_ports.html

   NOTE: If you cannot access this link by clicking on it, copy and paste it into your web browser to access the site.

2. If you disable the on-access scanner, you also disable the port blocking rules and the file, share, and folder rules that you have configured.

3. If you are using Access Protection in a non-English or localized environment, the default rules may contain references to folders that do not exist on the localized operating system. For information about how to fully utilize these default rules in this scenario, see the VirusScan Enterprise Best Practices Guide.

ADDING FILE TYPE EXTENSIONS

1. If you are using wildcards to specify file type extensions in either the Additional File Types or Specified File Types dialog boxes, you cannot use an asterisk (*) as the wildcard. You must use a question mark (?) as the wildcard when specifying file type extensions in these scenarios.

AUTOUPDATE

1. Updating from a mapped drive only works if you are logged on when the update occurs and you have at least read rights to that mapped drive location. If no one is logged on to the system, or if you are logged on but do not have at least read rights to the mapped location, the update fails.

2. When editing the repository list to use a UNC path, the "Edit AutoUpdate Repository List" dialog box does not validate that the path entered is in fact a valid UNC share before accepting it. Be sure that you enter a valid UNC server, share, and path name. Entering an invalid UNC path could cause problems when updating from this location.

3. EXTRA.DAT information in VirusScan Enterprise Product Guide. This corrects information in the Updating section of the VirusScan Enterprise Product Guide. In the Updating section under "Activities that occur during an update task" it incorrectly states:

   "By default, detection for the new virus in the EXTRA.DAT is ignored once the new virus definition is added to the weekly DAT files."

   This should be corrected to state:

   "By default, detection for the new virus in the EXTRA.DAT is deleted once the EXTRA.DAT expires."

4. If updating an EXTRA.DAT file manually, for example by copying it to the engine folder, you must restart the VirusScan Enterprise e-mail, on-demand, and on-access scanners before they can detect and use the new EXTRA.DAT file.

   - For E-mail Scan, close and then restart Microsoft Outlook or Lotus Domino.
   - For On-Demand Scan, stop and restart the on-demand scanner if it is running, using the VirusScan Enterprise Console.
   - For On-Access Scan, disable and then re-enable the On-Access scanner using the VirusScan Enterprise Console.

   NOTE: Updating EXTRA.DAT files using AutoUpdate does not require manually restarting scanners.

5. If you are using content scanning and filtering software on your network, you may experience some problems with updating. This can occur if your content filtering software modifies a McAfee update package.

BUFFER OVERFLOW PROTECTION

1. When the Sasser worm or any other malware that uses MS04-011 infects your system, the infection may result in an exploited buffer overflow. The Buffer Overflow Protection feature can detect and prevent the buffer overflow code from executing on your computer. Although the execution of malicious code is prevented, the actual buffer overflow is not stopped. If a buffer overflow occurs as a result of the Sasser worm, the LSASS.EXE becomes unstable and the computer automatically restarts.

2. These third party products are not compatible with the Buffer Overflow feature of VirusScan Enterprise 8.0. If you find it necessary to use these products, we recommend that you disable the VirusScan Enterprise Buffer Overflow feature:

   - Tiny Personal Firewall
   - CyberArmour Firewall
   - Zone Alarm Pro
     NOTE: When VirusScan Enterprise 8.0 and Zone Alarm Pro are both installed on the same computer, Zone Alarm Pro crashes.
   - BlackIce Firewall
     NOTE: Install VirusScan Enterprise 8.0 before you install BlackIce Firewall to ensure they are compatible.

LOG FILE FORMAT

1. The default format for all of the log files is Unicode UTF8 except when installing VirusScan Enterprise 8.0 on Windows NT operating systems. The default format for log files on Windows NT operating systems is ANSI.

LOTUS NOTES

1. When accessing a local database on Windows 2000 Server, Windows 2003 Server, or Windows XP, the user is prompted for a password. When the user types the password, the text search dialog is initiated and the password is inserted into the text search dialog instead of being inserted into the password dialog. The password dialog box is not completely modal. Selecting the dialog box again allows the user to input the password.

   When using Lotus Client Release version 6 or later, we recommend that you do not prompt for a password from other notes-based programs. To select this option follow these steps:

   a. From Lotus Notes, select File Preferences Security User Security Dialog.
   b. Select "don't prompt for a password from other notes-based programs."

   NOTE: This option is not available on other versions of the Lotus Client.

2. If you are using Microsoft Windows XP and Lotus Notes, you will receive a "File not found" error when launching Lotus Notes from the Start menu or any shortcut that calls upon the default e-mail client. For more information about this issue see McAfee Knowledge Base Article KB37774.

MIRROR TASKS

1. If you are using a VirusScan Enterprise 8.0 mirror task to mirror the NAIFTP site, the task may fail in two ways. First, the task does not mirror 100% of the files on the FTP site. For example, if a file is missing on the NAIFTP site, the task does not replicate anything other than the "current" folder. Second, if you configured the schedule to do so, it will execute the task again, but will not execute any programs that were specified to run after successful completion of the task.

   NOTE: If the scheduled mirror task is manually executed in this scenario, the programs that are specified to run after successful completion of the task will run.

   We recommend that you use McAfee AutoUpdate Architect to create a task to mirror the NAIFTP site.

SCANNING

1. On-Delivery Scanning. When Microsoft Outlook is configured to deliver new e-mail to a personal folder and rules are used to move e-mails, the on-delivery scanner may not detect infected e-mails. We do not recommend that you configure Microsoft Outlook to deliver new e-mails to a personal folder if you use rules to move e-mails to other folders in Microsoft Outlook.

2. On-demand or right-click scanning of compressed files. If you are performing an on-demand scan or a right-click scan on an infected compressed file with the primary action set to "continue" (this is the default for right-click scan) and the secondary action is set to delete or move, the secondary action fails.

UNWANTED PROGRAMS POLICY

1. Wildcards are not supported when configuring user-defined unwanted programs.

__________________________________________________________
DOCUMENTATION

Documentation is included on the product CD and/or is available with a valid grant number from the McAfee download site:

   https://secure.nai.com/us/forms/downloads/upgrades/login.asp

NOTE: Electronic copies of all product manuals are saved as Adobe Acrobat .PDF files. The product CD includes the latest version of Acrobat Reader, or you can download any version from the Adobe web site:

   www.adobe.com/prodindex/acrobat/readstep.html

VIRUSSCAN ENTERPRISE DOCUMENTATION

- Installation Guide. Provides system requirements and instructions for installing the software.
- Product Guide. Introduces the product, describes product features, provides detailed instructions for configuring the software, deployment, and ongoing operation and maintenance.
- Help system. A Help file, accessed from within the software application, provides quick access to concepts, definitions, and procedures for using the software. Includes field-level What's This? topics (right-click on a feature), full topic search, indexing, and page-level context-sensitive Help.
- Configuration Guide. For use with ePolicy Orchestrator(R). Procedures for configuring, deploying, and managing McAfee and third-party products through ePolicy Orchestrator management software.
- A LICENSE Agreement. The terms under which you may use the product. Read it carefully. If you install the product, you agree to the license terms.
- This README file.
- A CONTACT file. Contact information for McAfee services and resources: technical support, customer service, AVERT, beta program, and training. It also includes a list of phone numbers, street addresses, web addresses, e-mail addresses, and fax numbers for the company's worldwide offices.

__________________________________________________________
PARTICIPATING IN THE MCAFEE BETA PROGRAM

To download new beta software or to read about the latest beta information, visit the beta web site:

   http://www.networkassociates.com/us/downloads/beta/mcafeebetahome.htm

To submit your feedback on any McAfee beta product, send e-mail to:

   avbeta@nai.com

McAfee is devoted to providing solutions based on your input.

__________________________________________________________
CONTACT INFORMATION

Technical Support

   Home Page: http://www.networkassociates.com/us/support/
   KnowledgeBase Search: https://knowledgemap.nai.com/phpclient/homepage.aspx
   PrimeSupport Service Portal: https://mysupport.nai.com
   Login credentials required.

McAfee Beta Program

   Beta Web Site: http://www.networkassociates.com/us/downloads/beta/mcafeebetahome.htm
   E-mail: avbeta@nai.com

Security Headquarters: AVERT (Anti-Virus & Vulnerability Emergency Response Team)

   Home Page: http://www.networkassociates.com/us/security/home.asp
   Virus Information Library: http://vil.nai.com
   AVERT WebImmune: https://www.webimmune.net/default.asp

   Submit a Virus Sample: http://vil.nai.com/vil/submit-sample.asp
   AVERT DAT Notification Service: http://vil.nai.com/vil/join-DAT-list.asp

Download Site

   Home Page: http://www.networkassociates.com/us/downloads/
   DAT File and Engine Updates: http://www.networkassociates.com/us/downloads/updates/
                                ftp://ftp.nai.com/pub/antivirus/datfiles/4.x
   Product Upgrades: https://secure.nai.com/us/forms/downloads/upgrades/login.asp
   Valid grant number required. Contact Customer Service

Training

   McAfee Security University: http://www.networkassociates.com/us/services/education/mcafee/university.htm

Customer Service

   US, Canada, and Latin America toll-free:
   Phone: +1-888-VIRUS NO or +1-888-847-8766
   Monday-Friday, 8am-8pm, Central Time
   E-mail: Web:
      https://secure.nai.com/us/forms/support/request_form.asp
      http://www.nai.com/us/index.asp
      http://www.networkassociates.com/us/support/default.asp

For additional contact information (including addresses and toll-free numbers for worldwide offices), see the CONTACT file that accompanied your original product release.

_____________________________________________________
COPYRIGHT AND TRADEMARK ATTRIBUTIONS

Copyright (C) 2004 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Networks Associates Technology, Inc., or its suppliers or affiliate companies. To obtain this permission, write to the attention of the Network Associates legal department at: 5000 Headquarters Drive, Plano, Texas 75024, or call +1-972-963-8000.

TRADEMARKS

Active Firewall, Active Security, ActiveSecurity (in Katakana), ActiveHelp, ActiveShield, AntiVirus Anyware and design, Bomb Shelter, Certified Network Expert, Clean-Up, CleanUp Wizard, ClickNet, CNX, CNX Certification Certified Network Expert and design, Covert, Design (Stylized E), Design (Stylized N), Disk Minder, Distributed Sniffer System, Distributed Sniffer System (in Katakana), Dr Solomon's, Dr Solomon's label, Entercept, Enterprise SecureCast, Enterprise SecureCast (in Katakana), ePolicy Orchestrator, EZ SetUp, First Aid, ForceField, GMT, GroupShield, GroupShield (in Katakana), Guard Dog, HomeGuard, Hunter, IntruShield, Intrusion Prevention Through Innovation, IntruVert Networks, LANGuru, LANGuru (in Katakana), M and Design, McAfee, McAfee (in Katakana), McAfee and design, McAfee.com, McAfee VirusScan, NA Network Associates, Net Tools, Net Tools (in Katakana), NetCrypto, NetOctopus, NetScan, NetShield, NetStalker, Network Associates, Network Associates Coliseum, NetXray, NotesGuard, Nuts & Bolts, Oil Change, PC Medic, PCNotary, PrimeSupport, Recoverkey, Recoverkey - International, Registry Wizard, RingFence, Router PM, SecureCast, SecureSelect, Sniffer, Sniffer (in Hangul), SpamKiller, Stalker, TIS, TMEG, Total Network Security, Total Network Visibility, Total Network Visibility (in Katakana), Total Virus Defense, Trusted Mail, UnInstaller, Virex, Virus Forum, ViruScan, VirusScan, WebScan, WebShield, WebShield (in Katakana), WebSniffer, WebStalker, WebWall, What's The State Of Your IDS?, Who's Watching Your Network, WinGauge, Your E-Business Defender, Zip Manager are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. Sniffer(R) brand products are made only by Network Associates, Inc. All other registered and unregistered trademarks herein are the sole property of their respective owners.
_____________________________________________________
LICENSE & PATENT INFORMATION

LICENSE AGREEMENT

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO NETWORK ASSOCIATES OR THE PLACE OF PURCHASE FOR A FULL REFUND.

LICENSE ATTRIBUTIONS

This product includes or may include:

*Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
*Cryptographic software written by Eric A. Young and software written by Tim J. Hudson.
*Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that Network Associates provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.
*Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer.
*Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier.
*Software written by Douglas W. Sauder.
*Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt.
*International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others.
*Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc.
*FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany.
*Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc.
*Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000.
*Software copyrighted by Expat maintainers.
*Software copyrighted by The Regents of the University of California, (C) 1989.
*Software copyrighted by Gunnar Ritter.
*Software copyrighted by Sun Microsystems(R), Inc. (C) 2003.
*Software copyrighted by Gisle Aas. (C) 1995-2003.
*Software copyrighted by Michael A. Chase, (C) 1999-2000.
*Software copyrighted by Neil Winton, (C) 1995-1996.
*Software copyrighted by RSA Data Security, Inc., (C) 1990-1992.
*Software copyrighted by Sean M. Burke, (C) 1999, 2000.
*Software copyrighted by Martijn Koster, (C) 1995.
*Software copyrighted by Brad Appleton, (C) 1996-1999.
*Software copyrighted by Michael G. Schwern, (C) 2001.
*Software copyrighted by Graham Barr, (C) 1998.
*Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000.
*Software copyrighted by Frodo Looijaard, (C) 1997.
*Software copyrighted by the Python Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org.
*Software copyrighted by Beman Dawes, (C) 1994-1999, 2002.
*Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame.
*Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002.
*Software copyrighted by Stephen Purcell, (C) 2001.
*Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/).
*Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003.
*Software developed by the University of California, Berkeley and its contributors.
*Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/).
*Software copyrighted by Kevlin Henney, (C) 2000-2002.
*Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002.
*Software copyrighted by David Abrahams, (C) 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation.
*Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000.
*Software copyrighted by Boost.org, (C) 1999-2002.
*Software copyrighted by Nicolai M. Josuttis, (C) 1999.
*Software copyrighted by Jeremy Siek, (C) 1999-2001.
*Software copyrighted by Daryle Walker, (C) 2001.
*Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002.
*Software copyrighted by Samuel Krempp, (C) 2001. See http://www.boost.org for updates, documentation, and revision history.
*Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), (C) 2001, 2002.
*Software copyrighted by Cadenza New Zealand Ltd., (C) 2000.
*Software copyrighted by Jens Maurer, (C) 2000, 2001.
*Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), (C) 1999, 2000.
*Software copyrighted by Ronald Garcia, (C) 2002.
*Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001.
*Software copyrighted by Stephen Cleary (shammah@voyager.net), (C) 2000.
*Software copyrighted by Housemarque Oy <http://www.housemarque.com>, (C) 2001.
*Software copyrighted by Paul Moore, (C) 1999.
*Software copyrighted by Dr. John Maddock, (C) 1998-2002.
*Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999.
*Software copyrighted by Peter Dimov, (C) 2001, 2002.
*Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001.
*Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002.

PATENT INFORMATION

Protected by US Patents 6,006,035; 6,029,256; 6,035,423; 6,151,643; 6,230,288; 6,266,811; 6,269,456; 6,457,076; 6,496,875; 6,542,943; 6,594,686; 6,611,925; 6,622,150.

DBN 009-EN V3.0.0
