Endpoint Security 10.2.0 Migration Guide
Migration Guide

McAfee Endpoint Security 10.2.0
For use with McAfee ePolicy Orchestrator

COPYRIGHT
© 2016 Intel Corporation

TRADEMARK ATTRIBUTIONS
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Preface
   About this guide
      Audience
      Conventions
   Find product documentation

1 Migration overview
   Settings that migrate
   What happens to policies during migration
   Overview of the migration process
   Overview of the deployment process
   Choosing a migration path
   Preparing to migrate
   Install the Migration Assistant

2 Migrating settings automatically
   Automatic migration workflow
   Migrate settings automatically
   Verify automatically migrated objects
   How repeated automatic migrations are handled

3 Migrating settings manually
   Manual migration workflow
   Migrate policies manually
   Migrate client tasks manually
   Migrate the Host IPS Catalog manually
   Verify manually migrated objects
   How repeated manual migrations are handled

4 How migration updates product settings
   McAfee Default policy and product default settings
   Policy names and notes
   Multiple-instance policies
   Multiple-platform and single-platform policies
   How policies are merged during migration
   Migrating legacy settings to the Common Options policy
   Migrating VirusScan Enterprise policies to Threat Prevention
   Migration notes for VirusScan Enterprise settings
   Merging on-access scan settings from Windows, Mac, and Linux
   Migrating IPS Rules to Threat Prevention
   Migration notes for IPS Rules settings
   Merging Access Protection and Buffer Overflow Protection settings
   Migrating Host IPS Firewall policies to Endpoint Security Firewall
   Migration notes for McAfee Host IPS Firewall settings
   Migrating SiteAdvisor Enterprise policies to Web Control
   Migration notes for SiteAdvisor Enterprise settings
   Migrating legacy Mac policies to Threat Prevention
   Migration notes for McAfee Endpoint Protection for Mac settings
   Migrating legacy Linux policies to Threat Prevention
   Migration notes for VirusScan Enterprise for Linux settings

A Troubleshooting
   Error messages

B IPS Rules migration
   Signature-level settings in migrated IPS Rules
   Subrule-level settings in migrated IPS Rules
   Exceptions
   Application Protection Rules

C Creating Firewall rules to replace predefined Access Protection port-blocking rules
   Create rule to prevent mass mailing worms from sending mail
   Create rule to prevent IRC communication
   Create rule to prevent FTP communication
   Create rule to prevent HTTP communication

D Maps of migrated policies
   Policy maps

E Changes to migrated settings
   Changes to VirusScan Enterprise settings
   Changes to IPS Rules settings in Host Intrusion Prevention
   Changes to Firewall settings
   Changes to SiteAdvisor Enterprise settings
   Changes to McAfee Endpoint Protection for Mac settings
   Changes to McAfee VirusScan Enterprise for Linux settings

Index

Preface

This guide provides the information you need to work with your McAfee product.

Contents
• About this guide
• Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

Conventions

This guide uses these typographical conventions and icons.
• Italic: Title of a book, chapter, or topic; a new term; emphasis
• Bold: Text that is emphasized
• Monospace: Commands and other text that the user types; a code sample; a displayed message
• Narrow Bold: Words from the product interface like options, menus, buttons, and dialog boxes
• Hypertext blue: A link to a topic or to an external website
• Note: Extra information to emphasize a point, remind the reader of something, or provide an alternative method
• Tip: Best practice information
• Caution: Important advice to protect your computer system, software installation, network, business, or data
• Warning: Critical advice to prevent bodily harm when using a hardware product

Find product documentation

On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.

Task

1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.
2 In the Knowledge Base pane under Content Source, click Product Documentation.
3 Select a product and version, then click Search to display a list of documents.

1 Migration overview

When you upgrade your legacy products to McAfee Endpoint Security, McAfee Endpoint Security for Mac, and McAfee Endpoint Security for Linux, you can also migrate your custom settings and assignments.

The Endpoint Migration Assistant walks you through the migration process. You can let the Migration Assistant migrate all your settings and assignments automatically, based on your current settings and new product defaults, or you can select and configure them manually.

The Migration Assistant migrates settings in environments managed with McAfee ePolicy Orchestrator (McAfee ePO) version 5.1.1 or later.
Contents
• Settings that migrate
• What happens to policies during migration
• Overview of the migration process
• Overview of the deployment process
• Choosing a migration path
• Preparing to migrate
• Install the Migration Assistant

Settings that migrate

Endpoint Security enables you to migrate settings for the most recent versions of supported McAfee legacy products installed on your Windows, Mac, and Linux platforms.

Migration requires a Threat Prevention License extension for the operating system platform. The Migration Assistant checks for a Mac and Linux License extension before enabling the option to migrate Mac and Linux settings.

• Automatic migration — Migrates these settings and retains assignments:
   • Host IPS Catalog
   • Policies and client tasks for all supported Windows products
   • (Optional) Some policy settings for supported Mac products
   • (Optional) Some policy settings and client tasks for supported Linux products
• Manual migration — Lets you select the Host IPS Catalog, policies, or client tasks to migrate. You can edit policies during the migration process, if needed.

Best practice: Migrate the Host IPS Catalog immediately before the McAfee Host IPS Firewall policies to ensure that they remain synchronized.

You can migrate these objects for the following legacy products.

Products that migrate (all patch levels) and the settings that migrate for each:

McAfee VirusScan Enterprise 8.8
   • Policies — Migrate workstation and server policies separately if you have both defined.
   • Client tasks

McAfee Host Intrusion Prevention Firewall 8.0
   • Host IPS Catalog — Renamed Firewall Catalog in Endpoint Security.
   • Firewall and General policies

McAfee Host Intrusion Prevention 8.0
   • IPS Rules policy:
      • Excluded Application Protection Rules
      • IPS Exceptions
      • Custom signatures
   • IPS Protection policy

McAfee SiteAdvisor Enterprise 3.5
   • Policies
   • Client tasks

McAfee Endpoint Protection for Mac 2.3
McAfee VirusScan for Mac 9.8
   • Anti-malware policy:
      • On-access Scan
      • Exclusions: On-access Scan

McAfee VirusScan Enterprise for Linux 2.0.2
   • On-Access Scanning policy
   • On-Demand Scanning client tasks

If unsupported product versions are installed, upgrade them to supported versions before proceeding with migration. See the legacy product documentation for upgrade instructions.

What happens to policies during migration

Endpoint Security optimizes and consolidates legacy products into an integrated, efficient new platform. In addition to new and enhanced features that leverage the latest developments in security technology, a new McAfee Endpoint Security Common module centralizes the shared protection features so they are easily accessible by all product modules. As a result, some of the policy settings you are familiar with in legacy products have changed.

The Endpoint Migration Assistant ensures that the settings in your legacy policies are moved to the correct policies in Endpoint Security. In some cases, they are merged with other Endpoint Security settings, and in others, new default settings are applied to support updated technologies.

• New and revised categories reflect new and shared features.
• New settings represent new functionality.
• Some settings are removed, moved to a different category or policy, or merged with settings for other features.
• Some settings for multiple operating system platforms can be migrated to separate single-platform policies or one multi-platform policy.
• Settings shared by multiple product modules and features are moved to the Options policy in the Common module.
• In some cases, settings are duplicated in multiple policies for use by functionality that is split across modules.

See Appendix E, Changes to migrated settings, for details about settings that are removed, moved, renamed, or merged.

Figure 1-1 Source and target policies

Overview of the migration process

Use the Endpoint Migration Assistant to migrate product settings where a supported legacy version of a product module is installed.

1 Check that your legacy products are supported for migration.
2 Install the Migration Assistant extension on the McAfee ePO server.
3 Open the Migration Assistant, select an automatic or manual path, then follow the instructions on the screen.
   • Automatic migration — Migrates all supported legacy settings for all supported Windows products installed on your managed systems. Optionally migrates all supported settings for supported Mac and Linux products. Retains assignments.
   • Manual migration — Lets you select the settings to migrate, then edit the policies if needed. Does not retain assignments.
4 (Manual migration only) Repeat step 3 to select and migrate additional settings.
5 Verify that your settings were migrated successfully.

See also
• Install the Migration Assistant
• Settings that migrate
• How repeated automatic migrations are handled
• Choosing a migration path

Overview of the deployment process

Migration is only one task in the process of installing and deploying Endpoint Security. This deployment overview shows where migration fits into the overall process.
See the McAfee ePolicy Orchestrator documentation for more information about installing the product components and creating assignments.

1 Check that the environment and managed systems where you want to install Endpoint Security meet the requirements described in:
   • Windows — KB82761 and the McAfee Endpoint Security Installation Guide
   • Macintosh — KB84934 and the McAfee Endpoint Security for Mac Product Guide
   • Linux — KB87073 and the McAfee Endpoint Security for Linux Product Guide
2 Check in and install the product package extension files and the McAfee Agent package files to the McAfee ePO server.
3 Create a client task to deploy the correct version of the McAfee Agent to managed systems.
4 Migrate legacy product settings.
5 (Manual migration only) Assign the migrated policies and client tasks to managed groups and systems.
6 Deploy Endpoint Security to managed systems.

Choosing a migration path

Decide which migration path to follow by considering the characteristics of your network or managed systems and your migration goals.

1 Decide whether you need to migrate. Do you want to retain any current settings or assignments for your legacy products?
   • No — Install Endpoint Security without migrating. See the product installation guide for instructions.
   • Yes — Use the Endpoint Migration Assistant to migrate your settings before deploying the Endpoint Security Client to systems.
2 If you want to migrate your settings, decide whether to migrate automatically or manually.
   • Automatic migration is a "hands-off" process. The Migration Assistant makes most migration decisions "behind the scenes." Recommended if you:
      • Have a network with fewer than 250 managed systems
      • Use default policy settings or a minimum number of custom policies
   • Manual migration is a "hands-on" process. You make most of the migration decisions by selecting the objects to migrate and editing their settings, if needed. Recommended if you:
      • Have a network with more than 250 managed systems
      • Use multiple custom policies
      • Want to fine-tune existing policy settings during the migration process
      • Want to fine-tune assignments
      • Want to migrate settings to single-platform policies
      • Want to personally supervise and approve each step of the migration process

Table 1-1 Choosing a migration path

Automatic migration
   Pros
   • Requires minimal input from you.
   • Migrates all policies, client tasks, and the Host IPS Catalog for Windows products.
   • Optionally migrates policies for Mac and Linux products.
   • Optionally migrates Linux on-demand scan client tasks.
   • Creates multi-platform target policies combining Windows, Mac, and Linux settings.
   • Retains policy and client task assignments.
   Cons
   • You can't select specific objects to migrate.
   • You can't edit target policies.
   • You can't create single-platform target policies.
   • Does not migrate unassigned policies.

Manual migration
   Pros
   • Lets you select objects to migrate.
   • Lets you edit policies before migrating.
   • Lets you create both single-platform and multi-platform target policies.
   Cons
   • Requires input from you.
   • Does not retain assignments. You need to assign policies and client tasks to managed systems.

Preparing to migrate

To streamline the migration process and minimize conflicts or duplication in migrated settings, follow these best practices before migrating.

• Install the Endpoint Migration Assistant — The Migration Assistant is a self-contained McAfee ePO extension that you need to install on the McAfee ePO server.
• Review and revise objects you plan to migrate — Review legacy settings and assignments. Consolidate them where possible. Remove duplicates and unused objects.
• Notify others not to make changes to the Policy Catalog, Client Task Catalog, and Host IPS Catalog during migration — If objects change while you're migrating them, the migrated objects don't reflect those changes.
• Locate unassigned policies and client tasks for migration — (Automatic migration only) During automatic migration, only policies and client tasks that are assigned to at least one group or managed system are migrated. Use manual migration to migrate unassigned policies or client tasks.

What to do next

Once you install the Migration Assistant and review the settings you want to migrate, you are ready to begin migration.

See Appendix D, Maps of migrated policies, for illustrations of how legacy policies are migrated to Endpoint Security policies. These illustrations are also available for reference from the Endpoint Migration Assistant by clicking View Endpoint Security policy mapping at the top of the manual policy selection pane.

See Appendix E, Changes to migrated settings, for details about settings that are removed, moved, renamed, or merged.

See also
• Policy maps

Install the Migration Assistant

The Migration Assistant extension is required only for migrating legacy settings to Endpoint Security. It is not part of the Endpoint Security product extension package. You must install it on your McAfee ePO server as a separate extension if you plan to migrate.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Software Manager | Software Not Checked In.
2 On the left side of the Software Manager screen, under Product Categories, select Licensed, then:
   a In the Software Not Checked In table, select McAfee Endpoint Security Migration Assistant. The description and the extension for the Migration Assistant are displayed in the table at the bottom of the screen.
   b Click Check In to check in the Migration Assistant extension to your McAfee ePO.
When installation is complete, the Migration Assistant is listed on the Extensions screen.

2 Migrating settings automatically

Automatic migration migrates all the supported settings for all the supported products you have installed on your Windows, Mac, and Linux systems. This migration path requires minimal input from you.

Use automatic migration to migrate all the policies and client tasks for the legacy products on your Windows systems. It also migrates the entries in your legacy Host IPS Catalog to the new Endpoint Security Firewall Catalog. Optionally, you can migrate Linux on-demand scan client tasks and Mac and Linux on-access scan policy settings. The Endpoint Migration Assistant creates and assigns the new Endpoint Security policies and client tasks automatically, based on your current product settings.

Contents
• Automatic migration workflow
• Migrate settings automatically
• Verify automatically migrated objects
• How repeated automatic migrations are handled

Automatic migration workflow

Here's a high-level overview of the automatic migration process.

1 Run the Endpoint Migration Assistant and select Automatic migration.
2 If Mac or Linux products are installed, specify whether to migrate them.
3 If there are VirusScan Enterprise policies to migrate, specify whether to migrate workstation or server policies.
4 Preview and save the proposed policies. A server task runs and completes the policy migration. It also migrates client tasks and the Host IPS Catalog.

Automatic migration retains assignments for migrated policies and client tasks. After automatic migration completes, you can deploy Endpoint Security 10.2 to managed systems.

Figure 2-1 Migrating automatically

For these objects... the Migration Assistant...

Policies
   Creates the new policies, adds them to the Endpoint Security Policy Catalog, and assigns them to the same managed systems. You can preview the new policies before they are created.
   • Policies for Windows products are migrated automatically.
   • If Mac or Linux products are installed, you can specify whether to migrate their supported policies. When similar settings for Windows and non-Windows products are migrated, Windows settings take precedence. On-access scan exclusions are merged.
   If you don't like the previewed policies, you can cancel the migration and begin a manual migration instead.

Client Tasks (Windows and Linux)
   Creates new tasks, adds them to the Endpoint Security Client Task Catalog, and assigns them to the same managed systems.
   • Client tasks for Windows products are migrated automatically.
   • If VirusScan Enterprise for Linux is installed, you can specify whether to migrate its on-demand scan client tasks.

Host IPS Catalog
   Migrates legacy catalog entries to the Endpoint Security Firewall Catalog.

Migrate settings automatically

Use automatic migration to migrate your currently assigned policies and client tasks and the Host IPS Catalog with minimal interaction.

Before you begin
• Verify that the products to migrate are supported.
• Install the Endpoint Migration Assistant extension on the McAfee ePO server.
• Do not allow others to make changes to the objects you are migrating until migration is complete.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Policy | Endpoint Migration Assistant.
2 For Mode, select Automatic migration.
3 If VirusScan Enterprise is installed, select either Workstation or Server. Select one to migrate now, then use manual migration to migrate the other at a later time. Threat Prevention does not support separate policies for workstation and server settings.
4 If supported non-Windows products are installed, select whether to migrate them.
   • Mac — Migrates on-access scan policy settings from McAfee Endpoint Protection for Mac.
   • Linux — Migrates on-access scan policy settings and on-demand scan client tasks from VirusScan Enterprise for Linux.
   Automatic migration creates multi-platform policies shared by all operating system platforms. If you want to migrate at a later time, or create single-platform policies, use manual migration to migrate these products.
5 Click Next to generate a preview of the new Endpoint Security policies. A progress bar appears and lets you know how many policies are being included in the preview.
6 Review the new policies.
   a Under New Categories in the left pane, select a category, then preview the new policies for that category in the right pane.
   b (Optional) For every new policy that is created under Endpoint Security, click Rename and Edit Notes to rename the policy or edit the policy notes, if needed.
7 Click Save to run a server task to complete the migration.

The Migration Assistant runs a server task in the background to migrate your policies. Client tasks and the Host IPS Catalog are also migrated. You can check its status in the Server Task Log. You must wait for the server task to complete before starting another migration session.

See also
• Policy names and notes
• Settings that migrate
• Multiple-platform and single-platform policies
• Install the Migration Assistant

Verify automatically migrated objects

Check that objects were migrated successfully before deploying Endpoint Security to managed systems.

Before you begin

You have used the Endpoint Migration Assistant to manually migrate legacy product settings to Endpoint Security.

Task

For details about product features, usage, and best practices, click ? or Help.
1 Verify migrated policies.
   a In McAfee ePO, select Menu | Policy | Policy Catalog.
   b Select each product module, then check that the migrated policies were created.
2 Verify migrated policy assignments.
   a In McAfee ePO, select Menu | Systems Section | System Tree.
   b View the Assigned Policies for the groups and systems where the source policies were assigned.
   c Verify that the new Endpoint Security policies are assigned to those groups and systems.
3 Verify migrated client tasks.
   a In McAfee ePO, select Menu | Policy | Client Task Catalog.
   b Select each product module where you migrated client tasks, then select the category for each task you migrated, and verify that the migrated client task was created.
4 Verify migrated client task assignments.
   a In McAfee ePO, select Menu | Systems Section | System Tree.
   b Review the Client Task Assignments for the groups and systems where the source client tasks were assigned.
   c Verify that the migrated client tasks have the same schedule and settings as the source client tasks.
5 Verify the migrated Firewall Catalog.
   a In McAfee ePO, select Menu | Policy | Firewall Catalog.
   b Verify that the migrated entries appear in the migrated Firewall Catalog.

How repeated automatic migrations are handled

Running automatic migration after you have already migrated some or all of your settings affects the new objects created during the previous migration session.

When you run automatic migration after migrating previously, the Migration Assistant:

• Deletes objects created during a previous automatic migration session. For example, if you migrate your policies automatically, then run automatic migration again, only the new policies created in the most recent migration session are listed in the Policy Catalog when you complete the second migration.
• Retains objects created during a previous manual migration, but does not retain their assignments.
• Assigns the new policies to managed systems. For example, if you have assigned policies that you migrated manually to managed systems, the new policies are assigned instead.

These actions also apply to the Common Options policies created during previous migrations.

3 Migrating settings manually

Manual migration migrates selected settings for the supported products you have installed on your Windows, Mac, and Linux systems. This is an interactive migration path that requires your input.

Use manual migration to migrate selected policies, client tasks, or the Host IPS Catalog for your legacy products. The Endpoint Migration Assistant lets you select specific objects to migrate and edit the policies if needed. Manual migration does not retain assignments for migrated objects.

Contents
• Manual migration workflow
• Migrate policies manually
• Migrate client tasks manually
• Migrate the Host IPS Catalog manually
• Verify manually migrated objects
• How repeated manual migrations are handled

Manual migration workflow

Here's a high-level overview of the manual migration process.

1 Run the Endpoint Migration Assistant and select Manual migration.
2 Select the type of objects to migrate.
   • If you select the Host IPS Catalog, a server task runs and completes the Catalog migration.
   • If you select Policies or Client Tasks, select what you want to migrate from the categories, then save your selections. You can edit policies, if needed. You can also edit notes for policies and client tasks. Your selections are migrated in the background.
   Best practice: Migrate the Host IPS Catalog immediately before the McAfee Host IPS Firewall policies to ensure that they remain synchronized.
3 Run the Migration Assistant again to migrate additional objects.

After manual migration, you must assign the new policies and client tasks to managed systems as part of product deployment. See the McAfee ePolicy Orchestrator Installation Guide for more information.

Figure 3-1 Migrating settings manually

Migrate policies manually

Use manual migration to select the policies to migrate, then edit them if needed. Once the new policies are created, you need to assign them to managed systems.

Before you begin
• Verify that the products to migrate are supported.
• Install the Endpoint Migration Assistant extension on the McAfee ePO server.
• Do not allow others to make changes to the objects you are migrating until migration is complete.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Policy | Endpoint Migration Assistant.
2 For Mode, select Manual migration.
3 For Objects to Migrate, select Policies, then click Next. Only the objects that you have permission to view are listed.
4 Under Available Policies in the left pane, select policy categories for your products. The legacy policies within those categories are listed on the right side of the screen.
   Best practice: Click View Endpoint Security policy mapping, located at the top of the page, to view policy maps that show where legacy policies migrate in Endpoint Security.
   a If you select VirusScan Enterprise policies, the Workstation settings are listed by default. To display Server policy settings instead, click Edit, then select Server.
   b If a category contains multiple policies, select the name of the policy to migrate from the drop-down list that appears next to the category name.
  c If settings in a selected policy are merging with policies from other categories, the Migration Assistant displays the other categories. For each of these categories:
    • Select the name of the policy to migrate.
    • If you don't want to migrate settings in that category now, select None. If you select None for all the merging categories, no new policy is created for these categories.
  d If you're migrating similar products from multiple operating system platforms, select or deselect Create Multi-Platform Policy. This checkbox appears only when migrating two or more of these products: VirusScan Enterprise, McAfee Endpoint Protection for Mac or McAfee VirusScan for Mac, and VirusScan Enterprise for Linux.
    • Selected — The Migration Assistant creates one On-Access Scan policy that can be shared by Windows, Mac, and Linux systems. If product settings conflict, Windows settings take precedence over all others, and Mac settings take precedence over Linux. On-Access Scan exclusions are merged. This is the default setting.
    • Deselected — The Migration Assistant creates up to three On-Access Scan policies: migrated VirusScan Enterprise settings for the Windows platform, migrated McAfee Endpoint Protection for Mac or McAfee VirusScan for Mac settings, and migrated VirusScan Enterprise for Linux settings.
5 Click Next.
  The Migration Assistant displays the source policies on the left side of the screen. At the top of the screen, you see tabs for each Endpoint Security policy to be created. Each tab gives a preview of the new policies created when the selected source policies are migrated. The left pane shows the selected source policies.
6 Click Next to start the manual migration wizard.
7 On the open tab, type a name for the policy, type notes to describe it, and configure its options, then click Next to proceed to the next tab. Repeat this step until you have configured all the selected policies, then click Next.
8 Review the summary of changes, then click Save to create the new policies and add them to the Policy Catalog.
9 Select whether to migrate more objects.
  • Yes — Displays the screen where you can select additional objects to migrate.
  • No — Displays the first screen with default settings.

See also
Policy names and notes on page 25
Settings that migrate on page 7
Multiple-platform and single-platform policies on page 27
Install the Migration Assistant on page 12
Policy maps on page 63

Migrate client tasks manually

Use manual migration to select the client tasks to migrate. Once the new client tasks are created, assign them to managed systems. Only client tasks for Windows and Linux products are migrated.

Before you begin
• Verify that the products to migrate are supported.
• Install the Endpoint Migration Assistant extension on the McAfee ePO server.
• Do not allow others to make changes to the objects you are migrating until migration is complete.

Task
For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Policy | Endpoint Migration Assistant.
2 For Mode, select Manual migration.
3 For Objects to Migrate, select Client Tasks, then click Next.
  Only the objects that you have permission to view are listed.
4 Under Available Tasks in the left pane, select the task types to migrate.
  The legacy tasks of that type are listed on the right side of the screen. You can type a name or partial name in the Filter list box at the top of the left pane to filter the listing.
  a If you have created multiple tasks of the same type, a drop-down list appears next to the task type name. Select the name of the task to migrate.
  b (Optional) To migrate another task of the same type, click + and select the task from the new drop-down list, then repeat for all the tasks to migrate. This option is available only when another task of the same type exists.
5 Click Next to start the manual migration wizard.
  At the top of the screen, you see tabs for each Endpoint Security client task to be created. Each tab gives a preview of the new tasks when the selected source tasks are migrated. The left pane shows the selected source task.
6 (Optional) For each new task to create, type a new name and edit settings, if needed.
7 Click Next, review the summary of changes, then click Save to create the new client tasks and add them to the Client Task Catalog.
8 Select whether to migrate more objects.
  • Yes — Displays the screen where you can select additional objects to migrate.
  • No — Displays the first screen with default settings.

See also
Policy names and notes on page 25
Settings that migrate on page 7
Install the Migration Assistant on page 12

Migrate the Host IPS Catalog manually

Use manual migration to select and migrate the Host IPS Catalog. Migrate the Catalog immediately before migrating the associated policies, to ensure that they remain synchronized.

Before you begin
• Verify that the products to migrate are supported.
• Install the Endpoint Migration Assistant extension on the McAfee ePO server.
• Do not allow others to make changes to the objects you are migrating until migration is complete.

Task
For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Policy | Endpoint Migration Assistant.
2 For Mode, select Manual migration.
3 For Objects to Migrate, select Catalog, then click Next.
  All the items in the Catalog will be migrated.
4 Click Next to start the migration.
  The Migration Assistant displays a message that a server task is migrating the Catalog. When the migration is complete, the selection screen appears for you to select additional objects to migrate.

Verify manually migrated objects

Check that objects were migrated successfully before deploying Endpoint Security to managed systems.

Before you begin
You have used the Endpoint Migration Assistant to manually migrate legacy product settings to Endpoint Security.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Verify migrated policies.
  a In McAfee ePO, select Menu | Policy | Policy Catalog.
  b Select each product module where you migrated policies, then check that the migrated policies were created.
2 Verify migrated client tasks.
  a In McAfee ePO, select Menu | Policy | Client Task Catalog.
  b Select each product module where you migrated client tasks.
  c Select the category for each task you migrated, and verify that the migrated client task was created.
3 Verify the migrated Firewall Catalog.
  a In McAfee ePO, select Menu | Policy | Firewall Catalog.
  b Verify that the migrated entries appear in the migrated Firewall Catalog.

How repeated manual migrations are handled

Manual migration has no effect on objects migrated during a previous migration session. For example, if you migrate some policies for a product module, then migrate the same policies again:

• The new policies are created in the Policy Catalog. If the target policy name already exists, the Migration Assistant appends a digit to the newer policy name (for example, My Policy, My Policy-1, My Policy-2).
• The previously migrated policies still appear in the Policy Catalog.
• If you migrate McAfee Host IPS Firewall policies again, you need to migrate the Host IPS Catalog again. (The Migration Assistant shows the date and time when the Catalog was last migrated, if applicable.)
  Best practice: Migrate the Host IPS Catalog immediately before the McAfee Host IPS Firewall policies to ensure that they remain synchronized.

Manual migration does not retain assignments for migrated objects. You must assign the migrated objects manually. You also must manually delete the objects created during the previous migration session that you no longer want.

If you have assigned objects that you created during a previous manual migration session, these assignments are not affected if you migrate the same objects again.

4 How migration updates product settings

Changes to Endpoint Security policies include new policies, categories, options, and default settings that are designed to leverage the latest protection technologies and optimize product performance.

During the migration process, legacy settings for policies, options, rules, and tasks might be renamed, removed, or reset to default values, depending on how the features work in Endpoint Security. Some settings are moved to new categories or policies, or merged with other settings. Similar settings from products running on multiple operating system platforms can be migrated to separate, single-platform policies or shared multi-platform policies.

Contents
• McAfee Default policy and product default settings
• Policy names and notes
• Multiple-instance policies
• Multiple-platform and single-platform policies
• How policies are merged during migration
• Migrating VirusScan Enterprise policies to Threat Prevention
• Migrating IPS Rules to Threat Prevention
• Migrating Host IPS Firewall policies to Endpoint Security Firewall
• Migrating SiteAdvisor Enterprise policies to Web Control
• Migrating legacy Mac policies to Threat Prevention
• Migrating legacy Linux policies to Threat Prevention

McAfee Default policy and product default settings

The McAfee Default policy does not migrate. If you currently use the McAfee Default policy for legacy products, the Migration Assistant assigns the new Endpoint Security McAfee Default policy.

If a source policy with default settings (McAfee Default, My Default (unedited), or Typical Corporate Environment) is assigned to any group or managed system, the Migration Assistant assigns the new Endpoint Security McAfee Default policy during automatic migration.

Policy names and notes

The Endpoint Migration Assistant uses these general conventions for naming migrated Endpoint Security policies and creating policy notes. You can edit the policy names and notes before saving the new policies or after they are created.

Policy names

• Automatic migration

  Migrated policy type: Single product migration; One-to-one policy migration; One-to-multiple policy migration
  Target policy name: Migrated [legacy product abbreviation] Policy-[n] where:
    • Legacy product abbreviation is VSE, HIPS, SAE, EPM, or VSELinux.
    • n is incremented each time a new policy is migrated for the same module.
  Examples: Migrated VSE Policy; Migrated VSE Policy-1; Migrated VSE Policy-2; Migrated HIPS Policy; Migrated HIPS Policy-1; Migrated SAE Policy; Migrated EPM Policy; Migrated VSELinux Policy

  Migrated policy type: Multiple product migration (includes multi-platform policies); Multiple-to-one policy migration
  Target policy name: Merged Policy-[n] where n is incremented each time a new policy of the same type is migrated.
  Examples: Merged Policy; Merged Policy-1; Merged Policy-2

  Migrated policy type: Common Options
  Target policy name: Merged Policy-[n] where n is incremented each time a new Common Options policy is created.
  Examples: Merged Policy; Merged Policy-1; Merged Policy-2

• Manual migration

  Migrated policy type: One-to-one or one-to-multiple policy migration
  Target policy name: Same as the source name. If the target policy name already exists, the Migration Assistant appends a digit that is incremented each time a new policy is created using that name. You can type a different policy name before saving the new policy.
  Examples: My Policy; My Policy-1; My Policy-2

  Migrated policy type: Multiple-to-one policy migration
  Target policy name: You must specify a name for the target policy.

  Migrated policy type: Multi-platform policy
  Target policy name: You must specify a name for the target policy.

Policy notes

During migration, the Migration Assistant creates policy notes that include the name (and type, if applicable) of the source policy or policies, the migration date and time, and the name of the user who migrated the policy.

For example:
Source: VirusScan Enterprise 8.8.0 - Access Protection Policies > My Default; Type: Server; 6/20/16 3.34 PM - Automatic Migration; User: admin

Multiple-instance policies

Multiple-instance policies, also known as multi-slot policies, allow you to assign more than one policy instance to a client, resulting in one combined, effective policy.

When migrating legacy policies to Endpoint Security, multiple-instance policies from one or more source policies are merged into one target policy for the respective policy type.

Table 4-1 How multiple-instance policies are migrated
Source product | Source policies | Target product module | Target policy
McAfee Host IPS | IPS Rules | Threat Prevention | Access Protection and Exploit Prevention
McAfee Host IPS | General (Trusted Applications) | Firewall | Options (Trusted Applications)
SiteAdvisor Enterprise | Prohibit List and Authorize List | Web Control | Block and Allow List
SiteAdvisor Enterprise | Content Actions | Web Control | Content Actions

Multiple-platform and single-platform policies

During manual migration, you can select whether to migrate settings from different operating system platforms to separate policies or merge them into one policy for multiple platforms.

Table 4-2 Migration for settings from multiple operating system platforms

When you select these products to migrate: VirusScan Enterprise; McAfee Endpoint Protection for Mac
The Migration Assistant creates these Threat Prevention policies:
  Create Multi-Platform Policy selected:
    • One On-Access Scan policy for Windows and Mac systems
    • Merged on-access scan exclusions
    For duplicate or conflicting settings, Windows settings take precedence over Mac settings.
  Create Multi-Platform Policy deselected:
    • Two On-Access Scan policies:
      • One for Windows systems
      • One for Mac systems
    • Separate on-access scan exclusions

When you select these products to migrate: VirusScan Enterprise; VirusScan Enterprise for Linux
The Migration Assistant creates these Threat Prevention policies:
  Create Multi-Platform Policy selected:
    • One On-Access Scan policy for Windows and Linux systems
    • One Options policy for Windows and Linux systems
    • Merged on-access scan exclusions
    For duplicate or conflicting settings, Windows settings take precedence over Linux settings.
  Create Multi-Platform Policy deselected:
    • Two On-Access Scan policies:
      • One for Windows systems
      • One for Linux systems
    • Two Options policies:
      • One for Windows systems
      • One for Linux systems
    • Separate on-access scan exclusions

When you select these products to migrate: VirusScan Enterprise; McAfee Endpoint Protection for Mac; VirusScan Enterprise for Linux
The Migration Assistant creates these Threat Prevention policies:
  Create Multi-Platform Policy selected:
    • One On-Access Scan policy for Windows, Mac, and Linux systems
    • One Options policy for Windows and Linux systems
    • Merged on-access scan exclusions
    For duplicate or conflicting settings, Windows settings take precedence over other settings.
  Create Multi-Platform Policy deselected:
    • Three On-Access Scan policies:
      • One for Windows systems
      • One for Mac systems
      • One for Linux systems
    • Two Options policies:
      • One for Windows systems
      • One for Linux systems
    • Separate on-access scan exclusions

When you select these products to migrate: McAfee Endpoint Protection for Mac; VirusScan Enterprise for Linux
The Migration Assistant creates these Threat Prevention policies:
  Create Multi-Platform Policy selected:
    • One On-Access Scan policy for Mac and Linux systems
    • One Options policy for Linux systems
    • Merged on-access scan exclusions
    For duplicate or conflicting settings, Mac settings take precedence over Linux settings.
  Create Multi-Platform Policy deselected:
    • Two On-Access Scan policies:
      • One for Mac systems
      • One for Linux systems
    • One Options policy for Linux systems
    • Separate on-access scan exclusions

Automatic migration creates multi-platform target policies. You must use manual migration to create single-platform policies.

How policies are merged during migration

Sometimes, source policies from one or more legacy products are merged into a single target policy.

Table 4-3 Policies merged during migration to Threat Prevention
Source product module | Source policies | Threat Prevention policy
VirusScan Enterprise | Quarantine Manager; Unwanted Programs | Options
VirusScan Enterprise for Linux | On-Access Scanning | Options
VirusScan Enterprise | High-Risk Processes; Low-Risk Processes; On-Access Default Processes; On-Access General | On-Access Scan
McAfee Endpoint Protection for Mac | Anti-malware (on-access scan settings) | On-Access Scan
VirusScan Enterprise for Linux | On-Access Scanning | On-Access Scan
VirusScan Enterprise | Access Protection; Buffer Overflow Protection | Access Protection
McAfee Host IPS | IPS Rules; IPS Protection | Access Protection
VirusScan Enterprise | Buffer Overflow Protection | Exploit Prevention
McAfee Host IPS | IPS Rules; IPS Protection | Exploit Prevention

Table 4-4 Policies merged during migration to Firewall
Source product module | Source policies | Firewall policy
McAfee Host IPS | Firewall (Options and DNS Blocking); General (Trusted Applications, Trusted Networks, and Client UI) | Options

Table 4-5 Policies merged during migration to Web Control
Source product module | Source policies | Web Control policy
SiteAdvisor Enterprise | Content Actions; Rating Actions | Content Actions
SiteAdvisor Enterprise | Authorize List; Enable or Disable; Hardening; Event Tracking; Content Actions; General (some settings); Rating Actions | Options
SiteAdvisor Enterprise | Authorize List; Prohibit List | Block and Allow List

Migrating legacy settings to the Common Options policy

Features shared by multiple product modules reside in the Common module, which is installed with other Endpoint Security product modules. Settings for these shared features are defined in the Options policy for the Common module.

Figure 4-1 Legacy settings migrated to the Common Options policy

The Migration Assistant migrates legacy settings for these policy categories to the Common Options policy.

Table 4-6 Legacy settings migrated to the Common Options policy
Source settings | Migrated Common Options policy categories
VirusScan Enterprise Alert policy | Client Logging
VirusScan Enterprise Access Protection policy, Common Standard Protection category | Self Protection
VirusScan Enterprise General Options policy, Display Options category | Client Interface Language (Windows only); Managed Tasks (Windows only)
Host Intrusion Prevention General policy, Client UI category: Client UI language setting; Firewall logging | Client Interface Language (Windows only); Client Logging
SiteAdvisor Enterprise General policy, Proxy Server tab | Proxy Server for McAfee GTI (Windows only); Enable HTTP proxy authentication

Migrating VirusScan Enterprise policies to Threat Prevention

This overview shows where migrated policy settings for McAfee VirusScan Enterprise appear in Endpoint Security policies.

Figure 4-2 Where VirusScan Enterprise settings migrate

Migration notes for VirusScan Enterprise settings

During the migration process to Endpoint Security 10.2, the Endpoint Migration Assistant adjusts the migrated settings in your target policies to address differences between the legacy product and the new product. Therefore, some of the target policy settings don't match your legacy settings.

Workstation and server settings

In VirusScan Enterprise, policies include settings for servers and workstations. This is not the case for Threat Prevention policies. Therefore, you must specify to migrate either the workstation settings or the server settings. The default is Workstation.

If you use automatic migration, you must select one type of settings for automatic migration, then migrate the other type of settings manually.

Quarantine folder

The path for the quarantine folder is limited to 190 characters, but VirusScan Enterprise allowed 256 characters. During client migration, if the migrated quarantine folder path contains more than 190 characters, the path automatically reverts to the default location, <SYSTEM_DRIVE>\Quarantine.

Access Protection port-blocking rules

Endpoint Security Firewall provides more advanced port-blocking capabilities than the predefined Access Protection rules for VirusScan Enterprise 8.8.

Access Protection port-blocking rules, either predefined or user-defined, are not migrated. User-added inclusions and exclusions for predefined rules are also not migrated.

If you want to continue using legacy rules that don't migrate from VirusScan Enterprise, you can create firewall rules in Endpoint Security Firewall to replicate their behavior.
You can create firewall rules to:
• Define the same behavior as one or more of the predefined Access Protection port-blocking rules.
• Block the same ports as one or more custom Access Protection port-blocking rules.

See Appendix C, Creating Firewall rules to replace Access Protection port-blocking rules, for more information.

Self Protection settings

When you migrate Access Protection rules (except port-blocking rules):
• Self Protection settings move from the Access Protection policies to the Common Options policy.
• Self Protection is enabled by default, regardless of the legacy setting.
• User-defined exclusions configured for each legacy product module are migrated as global exclusions for Endpoint Security.
• User-defined exclusions for three predefined rules in the Common Standard Protection category are migrated as global Self Protection exclusions in the Common Options policy:

  User-defined exclusions for this legacy rule | Migrate to the Self Protection exclusions for
  Prevent modification of McAfee files and settings | Processes
  Prevent termination of McAfee processes | Processes
  Prevent hooking of McAfee processes | Processes

Best practice: Review your exclusions after migration, then revise or remove them as needed. Also review exclusions configured for any third-party applications to access VirusScan Enterprise registry or file locations, because these locations have changed in Endpoint Security.

Exploit Prevention (Buffer Overflow Protection)

In Endpoint Security, Buffer Overflow Protection settings are renamed Exploit Prevention.

After migration, the protection level for Exploit Prevention is set to the default Standard Protection, which detects and blocks only high-severity buffer overflow exploits identified in the Exploit Prevention content file and stops the detected threat.
Best practice: Use this setting for a limited time only, then review the log file during that time to determine whether to change to Maximum Protection.

Scan exclusions for root-level folders

VirusScan Enterprise supports the exclusion of root-level folders from scans if the path starts with wildcard characters such as "?" or "/". No drive identifier is required.

However, Threat Prevention does not support the same syntax for leading wildcard characters in on-access scan and on-demand scan exclusions. The Migration Assistant converts unsupported syntax by changing the leading characters to "**\".

Best practice: If you plan to migrate root-level scan exclusions that include wildcard characters, revise the legacy exclusions in VirusScan Enterprise to supported syntax before migration, if needed.

• Supported exclusion patterns — Threat Prevention supports the following exclusion patterns, and the Migration Assistant does not change them during migration:
  • Environmental variables — Patterns that begin with % (for example, %systemroot%\Test\ )
  • UNC paths — Patterns that begin with \\ (for example, \\Test )
  • Full paths — Patterns that include an absolute drive designator (for example, C:\Test\ )
  • Patterns that begin with **\
• Unsupported exclusion patterns — For all other VirusScan Enterprise exclusion patterns, the Migration Assistant:
  • Converts leading characters to **\
    For example, converts \   ?:   ?:\   *\   *:   *:\
  • Inserts **\ when there are no leading characters.
    For example, converts Test to **\Test
  • Appends a backslash character to the exclusion pattern, if the Also Exclude Subfolders option is selected for an exclusion and the exclusion pattern doesn't end with a backslash ( \ ) character.
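
The conversion rules listed above can be replayed against an exported exclusion list to see which entries the Migration Assistant rewrites and where the rewritten **\ form covers folders the legacy entry did not. This is an added example, not McAfee code: the function names, the simplified folder matcher (literal folder names only, no subfolder recursion), and the constructed sample patterns and folders are assumptions made for illustration.

```python
import re

# Absolute drive designator, for example C:\Test (assumed to mean "letter + colon").
_DRIVE = re.compile(r"^[A-Za-z]:")
# Leading characters the guide lists as converted; longest first so "?:\" wins over "?:".
_CONVERTED_LEADS = ("?:\\", "*:\\", "?:", "*:", "*\\", "\\")
# Root-level legacy forms whose matching behaviour the guide describes.
_ROOT_LEADS = ("?:\\", "\\")


def is_supported(pattern):
    """True for patterns the guide says are migrated unchanged."""
    return pattern.startswith(("%", "\\\\", "**\\")) or bool(_DRIVE.match(pattern))


def migrate_exclusion(pattern, also_exclude_subfolders=False):
    """Rewrite a legacy exclusion the way the documented rules describe."""
    if is_supported(pattern):
        return pattern
    body = pattern
    for lead in _CONVERTED_LEADS:
        if pattern.startswith(lead):
            body = pattern[len(lead):]
            break
    migrated = "**\\" + body
    # The guide lists the trailing-backslash rule under unsupported patterns only.
    if also_exclude_subfolders and not migrated.endswith("\\"):
        migrated += "\\"
    return migrated


def _split(path):
    """Lower-cased path components with empty pieces dropped."""
    return [part for part in path.lower().split("\\") if part]


def excludes(pattern, folder):
    """Simplified model (assumption): is `folder` the folder that `pattern` names?"""
    drive, *rest = _split(folder)
    if pattern.startswith("**\\"):            # migrated form: any depth, any drive
        body = _split(pattern[3:])
        return bool(body) and rest[-len(body):] == body
    if _DRIVE.match(pattern):                 # absolute path: exact folder only
        return _split(pattern) == [drive, *rest]
    if pattern.startswith(("%", "\\\\")):
        raise ValueError("environment-variable and UNC patterns are not modelled")
    for lead in _ROOT_LEADS:                  # legacy form: root level, any drive
        if pattern.startswith(lead):
            return rest == _split(pattern[len(lead):])
    raise ValueError("legacy behaviour of this pattern form is not modelled")


def broadened(legacy_pattern, folders):
    """Folders excluded by the migrated pattern but not by the legacy one."""
    migrated = migrate_exclusion(legacy_pattern)
    if migrated == legacy_pattern:
        return []
    return [f for f in folders
            if excludes(migrated, f) and not excludes(legacy_pattern, f)]


def audit(patterns, folders):
    """(legacy, migrated, newly excluded folders or None when not modelled)."""
    rows = []
    for pattern in patterns:
        try:
            extra = broadened(pattern, folders)
        except ValueError:
            extra = None                      # needs manual review
        rows.append((pattern, migrate_exclusion(pattern), extra))
    return rows


# Constructed sample data for the demonstration.
SAMPLE_PATTERNS = ["\\test\\", "?:\\test\\", "C:\\Test\\", "%systemroot%\\Test\\", "Test"]
SAMPLE_FOLDERS = ["c:\\test\\", "c:\\lab\\test\\", "d:\\test\\",
                  "d:\\lab\\project\\test\\", "z:\\test"]

if __name__ == "__main__":
    for legacy, migrated, extra in audit(SAMPLE_PATTERNS, SAMPLE_FOLDERS):
        note = "review manually" if extra is None else (extra or "no change in coverage")
        print(f"{legacy!r:26} -> {migrated!r:26} {note}")
```

Entries reported with newly excluded folders are the ones to rewrite as absolute paths if the legacy root-only behaviour must be preserved.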

With the **\ syntax, Threat Prevention excludes folders at more levels in the folder structure than VirusScan Enterprise does. Best practice is to review the migrated exclusions and revise them, if needed, to duplicate the behavior of the legacy exclusions. See KB85746 for more information.

The following table shows an example of how migrated exclusions are handled differently than exclusions in legacy products.

Table 4-7 How non-absolute root-level exclusions are handled

Legacy exclusion: \test\ or ?:\test\
  Excludes:
  • \test\ folder at the root level on any drive. For example:
    • c:\test\
    • d:\test\
    • z:\test
  Does not exclude:
  \test folder at levels other than the root level on any drive, such as:
    • c:\lab\test\
    • d:\lab\project\test\

Migrated exclusion: **\test\
  Excludes:
  • \test\ folder at the root or any other level on any drive. For example:
    • c:\test\
    • c:\lab\test\
    • d:\test\
    • d:\lab\project\test\
    • z:\test
  To exclude only the \test folder at the root level, revise the migrated exclusion to specify an absolute path. For example:
    • c:\test\
    • d:\test\
    • z:\test

See also
Changes to VirusScan Enterprise settings on page 71

Merging on-access scan settings from Windows, Mac, and Linux

On-access scan settings from supported Mac and Linux products also migrate to the On-Access Scan and Options policies in Threat Prevention. These migrated policies can be multi-platform or single-platform.

Figure 4-3 Migrating on-access scan settings from Windows, Mac, and Linux

See also
Migrating legacy Mac policies to Threat Prevention on page 44
Migrating legacy Linux policies to Threat Prevention on page 46
Multiple-platform and single-platform policies on page 27

Migrating IPS Rules to Threat Prevention

This overview shows where migrated settings for the IPS Rules and IPS Protection policies from McAfee Host IPS appear in Endpoint Security policies.

Figure 4-4 Where IPS Rules settings migrate

Migration notes for IPS Rules settings

During the migration process to Endpoint Security, the Endpoint Migration Assistant moves your migrated IPS Rules and IPS Protection policy settings into Threat Prevention policies.

See Appendix B, IPS Rules migration, for more information about how IPS Rules are migrated to Endpoint Security policies.

Policy settings that are migrated

These settings are migrated:
• IPS custom signature subrules for files, registry, and programs
• IPS Application Protection Rules
• IPS Exceptions

Signatures

Only custom signatures migrate. McAfee-defined (canned) signatures do not migrate, even if you have modified them.

Signatures with IDs in the 4001–6000 range migrate to Access Protection custom rules.
• Each subrule of a signature migrates as an individual Access Protection custom rule in Threat Prevention.
• The same signature settings (name, severity, notes, and description) migrate to all rules created in Threat Prevention for all IPS subrules of the signature.
• A signature name is required. If a signature doesn't have a name, the rules using the signature don't migrate.
• The Severity level and Log status settings from the IPS Rules policy merge with the Reaction setting from the IPS Protection policy to determine the Block/Report settings for migrated Rules in Threat Prevention.

Application Protection Rules

Excluded applications from Application Protection rules migrate to the Exploit Prevention policy as Exclusions.

Exception Rules

Exception Rules from the IPS Rules policy migrate to the Access Protection and Exploit Prevention policies as executables under Exclusions.

Source Exception | Signature type | Target Endpoint Security policy | Target setting
Executables, Caller module, and API | Kevlar signatures (IDs 6052, 428, 6012, 6013, 6014, and 6015) | Exploit Protection | Exclusions
Executables and Parameters | FILE/REGISTRY/PROGRAM signatures | Access Protection | Executables and subrule Parameters
Executables | No signature | Access Protection; Exploit Protection | Global Exclusions
GPEP (General Privilege Escalation Prevention) signature | Severity/reaction signature (ID 6052) | Exploit Protection | Enable General Privilege Escalation Prevention

Exception Rules with signatures

IPS Exceptions can include custom signatures. The executables and parameters from exceptions are appended to the Endpoint Security Access Protection Rule created during signature migration.

If all McAfee-defined signatures are added to a subrule exception, the exception migrates as a global exclusion in the Access Protection and Exploit Prevention policies.

See also
Changes to IPS Rules settings in Host Intrusion Prevention on page 78

Merging Access Protection and Buffer Overflow Protection settings

Access Protection, Buffer Overflow Protection, and IPS Rules policy settings from VirusScan Enterprise and McAfee Host IPS migrate to two Threat Prevention policies and the Endpoint Security Common policy.

These policy types are migrated to the Access Protection policy in Threat Prevention:
• McAfee Host IPS — IPS Rules
• VirusScan Enterprise — Access Protection

These policy types are migrated to the Exploit Prevention policy in Threat Prevention:
• McAfee Host IPS — IPS Rules
• VirusScan Enterprise — Buffer Overflow Protection

For more information, see Appendix B, IPS Rules migration, and Appendix E, Changes to migrated settings.

Figure 4-5 Migrating Access Protection and Buffer Overflow Protection settings from legacy products

See also
Changes to VirusScan Enterprise settings on page 71
Changes to IPS Rules settings in Host Intrusion Prevention on page 78

Migrating Host IPS Firewall policies to Endpoint Security Firewall

This overview shows where migrated policy settings for the Firewall and General policy options from McAfee Host IPS appear in Endpoint Security policies.

Only settings for the Firewall and General policies migrate to Endpoint Security Firewall. You can continue to manage McAfee Host Intrusion Prevention as a separate extension, with its remaining policy settings in effect, or you can migrate its policy settings to Threat Prevention policies.

Figure 4-6 Where Host IPS Firewall settings migrate

Migration notes for McAfee Host IPS Firewall settings

During the migration process to Endpoint Security 10.2, the Endpoint Migration Assistant adjusts the migrated settings in your target policies to address differences between the legacy product and the new product.
Therefore, some of the target policy settings don't match your legacy settings. Policy settings that are migrated Only policy types from the Firewall and General policies that apply to the Endpoint Security Firewall are migrated: • Client UI • DNS Rules • Trusted Applications • Firewall Rules • Trusted Networks • Firewall Options Multiple-instance policies Trusted Applications policies are multiple-instance policies. When you migrate them, they are merged into one target policy for the policy type. These changes occur when you migrate Trusted Applications policies: • For all the source instances that have the McAfee Host IPS Firewall enabled, trusted executables are appended to the Trusted Executables list in the target Firewall Options policy. • If there is a default policy (McAfee Default, My Default (unedited), or Typical Corporate Environment) in any instance of the source policies, the Migration Assistant adds Endpoint Security McAfee Default values to the Endpoint Security target policy. Host IPS Catalog migration When migrating manually, the best practice is to migrate the Host IPS Catalog immediately before the Host Intrusion Prevention Firewall policies. This ensures that they remain synchronized. If Firewall policy settings change after migrating the Catalog, migrate the Catalog again, then migrate the policies. The Migration Assistant displays the date and time when the catalog was last migrated, if applicable, next to the option to migrate the catalog. Firewall Rules and Trusted Networks The Trusted Networks | Trust for IPS setting in McAfee Host IPS does not correspond directly to a setting in Endpoint Security Firewall policies. 
Table 4-8 How trusted networks are migrated

Product: McAfee Host IPS Firewall
What you need to know:
• How legacy feature works: IP addresses become "trusted" only after they are applied to firewall rules that "allow" them.
• How policy setting is migrated: IP addresses that were formerly listed under Trusted Networks | Trust for IPS migrate as Defined Networks | Not trusted in the target Firewall Options policy. You can set them to trusted there.

Product: Endpoint Security Firewall
What you need to know:
• How new Defined Networks feature works: All traffic is allowed to Defined Networks that are labeled Trusted in the target Firewall Options policy. Add IP addresses that you want to treat as trusted networks.
• How to configure migrated policy setting: Configure traffic to the IP addresses that were migrated as Not trusted by associating them with firewall rules in the Firewall Rules policy. See the Endpoint Security Firewall Help for more information.

See also
Changes to Firewall settings on page 81

Migrating SiteAdvisor Enterprise policies to Web Control
This overview shows where migrated policy settings for McAfee SiteAdvisor Enterprise appear in Endpoint Security policies.

Figure 4-7 Where SiteAdvisor Enterprise settings migrate

Migration notes for SiteAdvisor Enterprise settings
During the migration process to Endpoint Security 10.2, the Endpoint Migration Assistant adjusts the migrated settings in your target policies to address differences between the legacy product and the new product. Therefore, some of the target policy settings don't match your legacy settings.

Multiple-instance policies
The Authorize List, Prohibit List, and Content Actions policies are multiple-instance policies. When you migrate them, multiple instances are merged into one target policy for each policy type. If any instance of a source policy is a default policy (My Default (unedited) or McAfee Default), the Endpoint Security McAfee Default instance is used for the target policy instead of merging.

• Block and Allow List
  All instances of SiteAdvisor Enterprise Authorize List and Prohibit List source policies are merged into one Endpoint Security Block and Allow List target policy. Each source policy instance has these settings:
  • Track events and request information from the McAfee SiteAdvisor server.
  • Configure access to individual file downloads based on their rating.
  • Give this Authorize List precedence over the Prohibit List.
  For each of these settings, if the value of the setting is the same for all instances of the source policies, the value is migrated. Otherwise, the target policy uses the Endpoint Security McAfee Default settings. Site entries from the Authorize List and Prohibit List migrate to a target Block and Allow List.

• Content Actions
  All instances of source policies that have the Enable Categorization option selected are evaluated during migration. When merging policies that have different actions defined for categories, the most stringent action from the Action for green column is applied to each category in the target policy. Actions specified for yellow, red, and unrated content are ignored when creating the target policy.
  For the following special categories, both Action for green and Action for unrated columns are considered:
  • Anonymizers
  • Phishing
  • Anonymizing Utilities
  • Personal Network Storage
  • Potential Hacking/Computer Crime
  • Spam URLs
  • Malicious Sites
  • Interactive Web Applications
  • P2P/File Sharing
  • Parked Domain
  • Remote Access
  • Residential IP Addresses
  • Resource Sharing
  • Browser Exploits
  • Shareware/Freeware
  • Malicious Downloads
  • Spyware/Adware/Keyloggers
  • PUPs
  For all instances of source policies where the Enable Categorization option is not selected, the option is deselected in the target policy. The Endpoint Security McAfee Default settings are added for all categories.

See also
Changes to SiteAdvisor Enterprise settings on page 84

Migrating legacy Mac policies to Threat Prevention
This overview shows where migrated policy settings for McAfee Endpoint Protection for Mac appear in Endpoint Security policies.

The On-access Scan settings and exclusions configured in the Anti-malware policy migrate to the Threat Prevention On-Access Scan policy. You can migrate the settings to a single-platform Mac policy or a multi-platform policy shared by Windows, Mac, and Linux systems.

Figure 4-8 Where McAfee Endpoint Protection for Mac settings migrate

See also
Merging on-access scan settings from Windows, Mac, and Linux on page 35

Migration notes for McAfee Endpoint Protection for Mac settings
During the migration process to Endpoint Security for Mac, the Endpoint Migration Assistant moves your migrated settings into a Threat Prevention policy.

Policy settings that are migrated
Only On-access Scan settings and exclusions from the Anti-malware policy are migrated. They are migrated to the On-Access Scan policy in Threat Prevention.
• On-Access Scan exclusions are always migrated.
• If you are migrating VirusScan Enterprise settings, they take precedence over McAfee Endpoint Protection for Mac settings. Duplicate Mac settings are not migrated.
• If you are not migrating VirusScan Enterprise settings, additional settings are migrated from McAfee Endpoint Protection for Mac.

License check
The Migration Assistant checks for a Threat Prevention Mac License extension. If the license is absent, Mac migration options are not available for automatic or manual migration.

Multiple-platform or single-platform policies
When you migrate McAfee Endpoint Protection for Mac along with Windows or Linux products, the target Threat Prevention On-Access Scan policy can define settings for one or more operating system platforms.
• During automatic migration — One merged (multi-platform) policy is created for all the platforms being migrated.
• During manual migration — Specify whether to create one merged (multi-platform) policy or separate (single-platform) policies.
  • Select Create Multi-Platform Policy to create one policy that contains settings for all the platforms being migrated (for example, Mac, Windows, and Linux).
  • Deselect Create Multi-Platform Policy to create separate On-Access Scan policies: one with migrated McAfee Endpoint Protection for Mac settings for the Mac platform, and others with settings for Windows or Linux.

Responses to detections
In response to threat and unwanted program detections, McAfee EPM lets you specify these actions: Clean, Quarantine, and Delete. You can specify a primary action and a secondary action (to perform only if the primary action fails). However, the Quarantine option isn't available in Threat Prevention. Therefore, these changes occur to the response settings during migration to the On-Access Scan policy in Threat Prevention.
• The Quarantine option migrates to Delete.
• Exception: If Quarantine and Delete are selected as the primary and secondary actions in McAfee EPM, the secondary response migrates to Deny.

See also
Changes to McAfee Endpoint Protection for Mac settings on page 88

Migrating legacy Linux policies to Threat Prevention
This overview shows where migrated policy settings for McAfee VirusScan Enterprise for Linux appear in Endpoint Security policies.

The on-access scan exclusions and other settings configured in the On-Access Scanning policy migrate to the Threat Prevention On-Access Scan and Options policies. You can migrate the settings to a single-platform Linux policy or a multi-platform policy shared by Windows, Mac, and Linux systems.

Figure 4-9 Where McAfee VirusScan Enterprise for Linux settings migrate

See also
Merging on-access scan settings from Windows, Mac, and Linux on page 35

Migration notes for VirusScan Enterprise for Linux settings
During the migration process to Endpoint Security for Linux, the Endpoint Migration Assistant moves your migrated settings into a Threat Prevention policy.

You can manage systems running Endpoint Security for Linux with the Endpoint Security Threat Prevention extension in McAfee ePO. Endpoint Security Firewall and Web Control are not supported for Linux.

Policy settings that are migrated
Only settings from the On-Access Scanning policy are migrated.
• On-Access Scan exclusions are always migrated.
• If you are migrating VirusScan Enterprise or McAfee Endpoint Protection for Mac settings, they take precedence over VirusScan Enterprise for Linux settings. Duplicate Linux settings are not migrated.
• If you are not migrating VirusScan Enterprise or McAfee Endpoint Protection for Mac settings, additional settings are migrated from VirusScan Enterprise for Linux.

Client tasks that are migrated
Custom scheduled on-demand scan client tasks are migrated to the Client Task Catalog.

License check
The Migration Assistant checks for a Threat Prevention Linux License extension. If the license is absent, Linux migration options are not available for automatic or manual migration.

Multiple-platform or single-platform policies
When you migrate VirusScan Enterprise for Linux with Windows or Mac products, the target Threat Prevention policies can define settings for one or more operating system platforms.
• During automatic migration — Two merged (multi-platform) policies are created for all platforms being migrated.
  • One On-Access Scan for Windows, Mac, and Linux systems.
  • One Options policy for Windows and Linux systems.
• During manual migration — Specify whether to create merged (multi-platform) policies or separate (single-platform) policies.
  • Select Create Multi-Platform Policy to create one On-Access Scan policy and one Options policy that contain settings for all platforms being migrated (for example, Windows and Linux).
  • Deselect Create Multi-Platform Policy to create an On-Access Scan policy and an Options policy with only migrated VirusScan Enterprise for Linux settings, then create separate policies with settings for Windows or Mac.

Scan exclusions
Endpoint Security for Linux does not support regular expressions as scan exclusions. If regular expressions do migrate successfully from VirusScan Enterprise for Linux, Endpoint Security for Linux ignores them.
See also
Changes to McAfee VirusScan Enterprise for Linux settings on page 90

A Troubleshooting
Use this information to resolve problems during the migration process.

Error messages
Error messages are displayed by programs when an unexpected condition occurs that can't be fixed by the program itself. Use this list to find an error message, an explanation of the condition, and any action you can take to correct it.

Table A-1 Migration Assistant error messages
Message | Description | Solution
There are no products installed that can be migrated. | You can migrate only the settings that you have permission to view. | Check your permissions and update them if needed.
An Endpoint Security Migration server task is running and must be completed before continuing. | You can't begin another migration until the server task is complete. | Wait until the server task is complete, then begin another migration.

B IPS Rules migration
Endpoint Security uses the logic described in this appendix to configure migrated settings from the IPS Rules and IPS Protection policies in McAfee Host IPS. Settings migrate to the Access Protection and Exploit Prevention policies in Threat Prevention.

Contents
• Signature-level settings in migrated IPS Rules
• Subrule-level settings in migrated IPS Rules
• Exceptions
• Application Protection Rules

Signature-level settings in migrated IPS Rules
Signature-level settings migrate to Access Protection Rules according to these guidelines. Signature-level settings include Block and Report, Notes, and Rule Name.
Migrated Block and Report settings
Endpoint Security uses these legacy settings in McAfee Host IPS to determine the Block and Report settings under Rules in the target Access Protection policies:
• IPS Rules: Signature tab — Severity and Log status
• IPS Protection — Reaction

To determine the Block setting for the migrated target policy, the Migration Assistant:
1 Reads the source signature Severity setting from the IPS Rules policy. The possible values are High, Medium, Low, Informational, and Disabled.
2 From the IPS Protection policy, reads the Reaction setting for the corresponding severity. For example, if Severity is set to Medium, it reads the Reaction setting value for Medium.
3 If the Reaction value is Prevent, the Block setting is Enabled. Otherwise, it is Disabled.
4 If Severity is Disabled, both Report and Block settings are Disabled.

Endpoint Security determines the migrated Report setting as follows:
Source IPS Rules policy: Log status setting | Source IPS Protection policy: Reaction setting | Target Access Protection policy: Report setting
Enabled | Prevent or Log | Enabled
Enabled | Ignore | Disabled
Disabled | N/A | Disabled

Notes
Source Notes and Description data merges and migrates to the Notes section of the Endpoint Security Rule, using this format:
Notes: <IPS Notes section>; Description: <IPS Description section>

Rule Name
The source signature name and subrule name merge and migrate to the Endpoint Security Rule name, using this format:
<IPS Signature name>_<IPS Subrule name>

Settings that don't migrate
Settings for Signature ID, Type, and Client rules don't migrate.

Subrule-level settings in migrated IPS Rules
Subrules migrate to Access Protection policies according to these guidelines.

General migration guidelines
• Only Standard subrules migrate. Expert subrules don't migrate.
• The signature subrule name is required. It migrates to the subrule name.
• Subrules with these Rule types migrate: Files, Registry, and Programs.
• Subrules with a Rule type of Registry can have a parameter for Registry (Key) and Registry (Value). Its value determines where these subrules migrate in the Access Protection policy.
  • Rules with a Registry (Key) parameter migrate to a Registry Key type rule.
  • Rules with a Registry (Value) parameter migrate to a Registry Value type rule.
  • Rules with both parameters do not migrate.
• Most operations migrate directly to the corresponding equivalent for their type. Special cases are described in the following sections. If source data is null or missing, it doesn't migrate.

Files subrules
• File parameter data is required. Subrules must have at least one parameter to migrate.
• The Destination file parameter migrates only when Rename Operation is enabled.
• The User name parameter from the IPS subrule migrates to the User Names section in the target Rule.
• The Drive type parameter migrates to the target subrule parameters list Drive Type as follows:
  • CD or DVD migrates to CD/DVD.
  • Floppy migrates to Floppy.
  • OtherRemovable or USB migrates to Removable.
  • HardDrive migrates to Fixed.
  • Network migrates to Network.

Registry subrules
• Registry parameter data is required. Subrules must have at least one parameter to migrate.
• If one subrule has parameters for both Registry (Key) and Registry (Value), the subrule doesn't migrate.
• The User name parameter from the IPS subrule migrates to the User Names section in the target Rule.
• Endpoint Security doesn't support the Registry Value Operation setting for Enumerate. If only this operation is defined for a registry subrule, the subrule doesn't migrate.

Programs subrules
• Program parameter data is required. Subrules must have at least one parameter to migrate.
• User name moves up to the rule level in Endpoint Security.
• Caller module doesn't migrate.
• Target Executable migrates to Process. If the source subrule doesn't specify a value for Target Executable, it doesn't migrate.
• Endpoint Security doesn't support the Operation setting for Open with Access to wait. If only this operation is defined for a program subrule, the subrule doesn't migrate.

Executables
Executables in Files, Registry, and Programs subrules migrate to Rule-level executables.
• Fingerprint migrates to MD5 hash.
• Signer migrates.
• File Description doesn't migrate.
• Target Executable migrates to Process. If the source subrule doesn't specify a value for Target Executable, it doesn't migrate.

Exceptions
IPS Exception Rules migrate to Access Protection and Exploit Prevention policies according to these guidelines. Exceptions can have custom signatures, McAfee-defined (canned) signatures, a mixture of both types, or no signature.
• Custom signature exceptions migrate to the Access Protection policy.
• McAfee-defined exceptions migrate to the Exploit Prevention policy.
• Global exceptions migrate to both policies.

Custom signature exceptions (Files/Registry/Programs)
• Exceptions with custom signatures migrate to the Access Protection Rules that were created during IPS Signature migration.
• Executables from IPS Exceptions that have custom Files/Registry/Programs signatures migrate to Executables in the Files/Registry/Programs Rules. If an Exception has more than one executable for a Files/Registry/Programs Rules custom signature, all executables migrate as Executables.
• Exceptions: Executables migrate to Files/Registry/Programs rules from only custom signatures.
• Exceptions: Programs signature: Target executables migrate to the Target executable for the Process subrule.
• For exceptions with Handler Module or Caller Module parameters, only the executables migrate. Handler Module or Caller Module parameters don't migrate.
• Domain Group parameters don't migrate.
• Exceptions with two or more of these parameters defined do not migrate:
  • Target Executable
  • Files parameter (Files, dest_file, and/or drive type)
  • Registry (Key)
  • Registry (Value)
• Exceptions migrate to Process Rules when they:
  • Do have Target Executable.
  • Don't have Files parameter (Files, dest_file, and/or drive type).
  • Don't have Registry (Key).
  • Don't have Registry (Value).
  If the exceptions have executables, the executables migrate to Process Rule level, and target executables migrate to Process Rule: Subrule parameters.
• Exceptions migrate to File Rules when they:
  • Do have the Executable OR Files parameter (Files, dest_file, and/or drive type).
  • Don't have Target Executable.
  • Don't have Registry (Key).
  • Don't have Registry (Value).
  If the exceptions have executables, the executables migrate to the File Rule level. If the exceptions have the Files parameter (Files, dest_file, and/or drive type), they migrate to File Rule: Subrule parameters.
• Exceptions migrate to Registry Key Rules when they:
  • Do have the Executable OR Registry (Key) parameter.
  • Don't have Target Executable.
  • Don't have Files parameter (Files, dest_file, and/or drive type).
  • Don't have Registry (Value).
  If the exceptions have executables, the executables migrate to the Key Rule level. If the exceptions have the Key parameter, they migrate to Key Rule: Subrule parameters.
• Exceptions migrate to Registry Value Rules when they:
  • Do have the Executable OR Registry (Value) parameter.
  • Don't have Target Executable.
  • Don't have Files parameter (Files, dest_file, and/or drive type).
  • Don't have Registry (Key).
  If the exceptions have executables, the executables migrate to the Value Rule level. If the exceptions have Value parameter, they migrate to Value Rule: Subrule parameters.
• User name applies to all three categories, in a similar way to the executables previously described. If User name migrates with the executables to Access Protection Rules, the migrated Access Protection Rules have both the executable and user name.

McAfee-defined signature exceptions
• Executables from IPS Exceptions that have signature IDs 6052, 428, 6012, 6013, 6014, or 6015 migrate to Exploit Prevention exclusions in Endpoint Security.
• If an exception has more than one executable, handler, or caller module, only the first executable, handler, or caller module migrates.
• Exploit Prevention doesn't support exclusion name, so Executable name doesn't migrate to Exploit Prevention.
• Domain Group parameters don't migrate.

Global exceptions
Global exceptions migrate to both the Access Protection and Exploit Prevention policies as global exclusions in a similar way to the exceptions previously described. An exception is considered global if it has no signatures added or has all the McAfee-defined signatures added but no custom signatures.
• Exceptions with two or more of these parameters defined don't migrate:
  • Target Executable
  • Files parameter (Files, dest_file, and/or drive type)
  • Registry (Key)
  • Registry (Value)

Application Protection Rules
Application Protection Rules migrate to Endpoint Security Exploit Prevention policies according to these guidelines.
Excluded applications from Application Protection Rules migrate to Exploit Prevention exclusions.

C Creating Firewall rules to replace predefined Access Protection port-blocking rules
The Migration Assistant does not migrate predefined or user-defined Access Protection port-blocking rules from VirusScan Enterprise 8.8. However, you can create firewall rules in Endpoint Security Firewall that define behavior equivalent to the predefined VirusScan Enterprise port-blocking rules.

VirusScan Enterprise 8.8 includes these four predefined port-blocking rules that are not migrated:
• AVO10: Prevent mass mailing worms from sending mail
• AVO11: Prevent IRC communication
• CW05: Prevent FTP communication
• CS06: Prevent HTTP communication

Contents
• Create rule to prevent mass mailing worms from sending mail
• Create rule to prevent IRC communication
• Create rule to prevent FTP communication
• Create rule to prevent HTTP communication

Create rule to prevent mass mailing worms from sending mail
Use this task to create Endpoint Security 10.2 firewall rules that are equivalent to the predefined Access Protection rule AVO10 in VirusScan Enterprise 8.8.

See the Endpoint Security Firewall Help for more information about creating firewall rules.

Rule AVO10: Prevent mass mailing worms from sending mail

Rule AVO10 G_030_AntiVirusOn {
    Description "Prevent mass mailing worms from sending mail"
    Process {
        Include *
        Exclude ${DefaultEmailClient} ${DefaultBrowser} eudora.exe msimn.exe msn6.exe msnmsgr.exe neo20.exe nlnotes.exe outlook.exe pine.exe poco.exe thebat.exe thunde*.exe winpm-32.exe MAPISP32.exe VMIMB.EXE RESRCMON.EXE Owstimer.exe SPSNotific* WinMail.exe explorer.exe iexplore.exe firefox.exe mozilla.exe netscp.exe opera.exe msn6.exe ${epotomcatdir}\\bin\\tomcat.exe ${epotomcatdir}\\bin\\tomcat5.exe ${epotomcatdir}\\bin\\tomcat5w.exe ${epotomcatdir}\\bin\\tomcat7.exe inetinfo.exe amgrsrvc.exe ${epoapachedir}\\bin\\apache.exe webproxy.exe msexcimc.exe
        Exclude ntaskldr.exe nsmtp.exe nrouter.exe agent.exe
        Exclude ebs.exe firesvc.exe modulewrapper* msksrvr.exe mskdetct.exe mailscan.exe rpcserv.exe
        Exclude mdaemon.exe worldclient.exe wspsrv.exe
    }
    Port OTU {
        Include 25
        Include 587
    }
}

You need to create two firewall rules to provide equivalent functionality to the VirusScan Enterprise 8.8 rule.

Task
For details about product features, usage, and best practices, click ? or Help.
1 In McAfee ePO, select Menu | Policy | Policy Catalog, then select Endpoint Security Firewall from the Product list.
2 From the Category list, select Rules.
3 Click the name of the assigned Firewall Rules policy.
4 Click Add Rule, then configure a rule with the following settings. To be effective, this rule must be positioned above any other rules that block or allow outgoing TCP traffic to remote ports 25 or 587.
  • Action: Block
  • Direction: Out
  • Network protocol: Any protocol
  • Transport protocol: TCP
  • Remote ports: 25 and 587
  • Applications: Add executables with the file name or path* set to the Exclude section in the AVO10 rule.**
  * Variable names ${DefaultEmailClient}, ${DefaultBrowser}, ${epotomcatdir}, ${epoapachedir} are not supported by Endpoint Security 10.2, so in order to add these executables, you need to add the executable file names associated with the desired default email client, default browser, McAfee ePO Tomcat Install directory before \bin\, and McAfee ePO Apache Install directory before \bin\.
  ** Use single backslashes instead of double backslashes.
5 Click Save.
6 Click Add Rule, then configure a second rule directly below the rule you created in step 4:
  • Action: Block
  • Transport protocol: TCP
  • Direction: Out
  • Remote ports: 25 and 587
  • Network protocol: Any protocol
7 Click Save.

This rule is created and enabled in Endpoint Security 10.2 for all managed systems where it is assigned. The AVO10 rule was disabled by default in VirusScan Enterprise 8.8, so the traffic was allowed. To achieve the VirusScan Enterprise default behavior in Endpoint Security, change the Block rule's Action to Allow.
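The list clean-up that step 4 and its two footnotes call for can be scripted. The following is an added example, not code from McAfee or from this guide: it parses a legacy rule in the format listed above, collects the Exclude entries and ports, converts double backslashes to single, drops repeated entries, and separates out entries that still contain a ${...} variable that Endpoint Security 10.2 does not support. The sample rule is abridged from the AVO10 listing; the function names and the D:\EXAMPLE\Tomcat path are assumptions.

```python
import re

# A token is a quoted string, a bare word (which may embed ${var}), or a brace.
TOKEN = re.compile(r'"[^"]*"|(?:\$\{\w+\}|[^\s{}"])+|[{}]')
VAR = re.compile(r'\$\{(\w+)\}')

# Constructed sample: abridged from the AVO10 listing, backslashes doubled as in the legacy rule.
AVO10 = r'''
Rule AVO10 G_030_AntiVirusOn {
    Description "Prevent mass mailing worms from sending mail"
    Process {
        Include *
        Exclude ${DefaultEmailClient} ${DefaultBrowser} eudora.exe outlook.exe thunde*.exe msn6.exe iexplore.exe msn6.exe ${epotomcatdir}\\bin\\tomcat.exe ${epoapachedir}\\bin\\apache.exe
        Exclude ntaskldr.exe nsmtp.exe
        Exclude mdaemon.exe
    }
    Port OTU {
        Include 25
        Include 587
    }
}
'''


def parse_rule(text):
    """Return (exclude_entries, ports) from a legacy port-blocking rule listing."""
    excludes, ports = [], []
    depth = 0        # brace nesting: 1 = inside Rule, 2 = inside Process or Port
    pending = None   # block name seen, waiting for its opening brace
    section = None   # "Process" or "Port" while inside that block
    keyword = None   # last Include/Exclude seen in the current block
    for tok in TOKEN.findall(text):
        if tok == "{":
            depth += 1
            section, pending, keyword = pending, None, None
        elif tok == "}":
            depth -= 1
            section = keyword = None
            if depth < 0:
                raise ValueError("unbalanced '}' in rule listing")
        elif depth == 1 and tok in ("Process", "Port"):
            pending = tok
        elif section and tok in ("Include", "Exclude"):
            keyword = tok
        elif section == "Process" and keyword == "Exclude":
            excludes.append(tok.strip('"'))
        elif section == "Port" and keyword == "Include":
            ports.append(int(tok))
    if depth != 0:
        # A listing copied across a page break can lose its closing brace.
        raise ValueError("rule listing is truncated: missing closing brace")
    return excludes, ports


def to_applications(excludes, resolved):
    """Split Exclude entries into (applications, unresolved) for the firewall rule.

    resolved maps a legacy variable name to the value chosen for it: a file name
    for ${DefaultBrowser}-style variables, an install directory for ${...dir}.
    """
    applications, unresolved, seen = [], [], set()
    for entry in excludes:
        value = entry.replace("\\\\", "\\")   # double backslashes -> single
        # A function replacement is inserted literally, so path backslashes survive.
        value = VAR.sub(lambda m: resolved.get(m.group(1), m.group(0)), value)
        key = value.lower()                    # Windows file names ignore case
        if key in seen:                        # the legacy list repeats msn6.exe
            continue
        seen.add(key)
        (unresolved if VAR.search(value) else applications).append(value)
    return applications, unresolved


if __name__ == "__main__":
    entries, ports = parse_rule(AVO10)
    # Hypothetical choices for one environment; D:\EXAMPLE\Tomcat is a placeholder path.
    apps, todo = to_applications(entries, {
        "DefaultEmailClient": "outlook.exe",
        "epotomcatdir": r"D:\EXAMPLE\Tomcat",
    })
    print("Remote ports:", ports)
    print("Applications:", *apps, sep="\n  ")
    print("Still need a concrete value:", *todo, sep="\n  ")
```

Entries returned in the second list cannot be added to the Applications setting until a concrete file name or directory is supplied for their variable.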
Create rule to prevent IRC communication
Use this task to create an Endpoint Security 10.2 firewall rule that is equivalent to the predefined Access Protection rule AVO11 in VirusScan Enterprise 8.8.

See the Endpoint Security Firewall Help for more information about creating firewall rules.

Rule AVO10: Prevent mass mailing worms from sending mail

Rule AVO11 G_030_AntiVirusOn {
    Description "Prevent IRC communication"
    Process {
        Include *
    }
    Port IOTU {
        Include 6666 6669
    }
}

Task
For details about product features, usage, and best practices, click ? or Help.
1 In McAfee ePO, select Menu | Policy | Policy Catalog, then select Endpoint Security Firewall from the Product list.
2 From the Category list, select Rules.
3 Click the name of the assigned Firewall Rules policy.
4 Click New Rule, then configure the following settings.
  • Action: Block
  • Transport protocol: TCP
  • Direction: Either
  • Local ports: 6666-6669
  • Network protocol: Any protocol
  • Remote ports: 6666-6669
5 Click Save.

This rule is created and enabled in Endpoint Security 10.2 for all managed systems where it is assigned. The AVO11 rule was disabled by default in VirusScan Enterprise 8.8, so IRC traffic was allowed. To achieve the VirusScan Enterprise default behavior in Endpoint Security, change the Block rule's Action to Allow.

Create rule to prevent FTP communication
Use this task to create Endpoint Security Firewall 10.2 firewall rules that are equivalent to the predefined Access Protection rule CW05 in VirusScan Enterprise 8.8.

See the Endpoint Security Firewall Help for more information about creating firewall rules.
Rule CW05: Prevent FTP communication Rule CW05 G_070_CommonOff { Description "Prevent FTP communication" Enforce 0 Report 0 Process { Include * Exclude ${DefaultBrowser} explorer.exe iexplore.exe firefox.exe mozilla.exe netscp.exe opera.exe msn6.exe ${epotomcatdir}\\bin\\tomcat.exe ${epotomcatdir}\\bin\ \tomcat5.exe ${epotomcatdir}\\bin\\tomcat5w.exe ${epotomcatdir}\\bin\\tomcat7.exe inetinfo.exe amgrsrvc.exe ${epoapachedir}\\bin\\apache.exe webproxy.exe msexcimc.exe McAfee Endpoint Security 10.2.0 Migration Guide 59 C Creating Firewall rules to replace predefined Access Protection port-blocking rules Create rule to prevent FTP communication mcscript* frameworks* naprdmgr.exe naprdmgr64.exe frminst.exe naimserv.exe framepkg.exe narepl32.exe updaterui.exe cmdagent.exe cleanup.exe mctray.exe udaterui.exe framepkg_upd.exe mue_inuse.exe setlicense.exe mcscancheck.exe lucoms* luupdate.exe lsetup.exe idsinst.exe sevinst.exe nv11esd.exe tsc.exe v3cfgu.exe ofcservice.exe earthagent.exe tmlisten.exe inodist.exe ilaunchr.exe ii_nt86.exe iv_nt86.exe cfgeng.exe f-secu* fspex.exe getdbhtp.exe fnrb32.exe "f-secure automa*" sucer.exe ahnun000.tmp supdate.exe autoup.exe pskmssvc.exe pavagent.exe dstest.exe paddsupd.exe pavsrv50.exe avtask.exe giantantispywa* boxinfo.exe Exclude pasys* google* Exclude alg.exe ftp.exe agentnt.exe } Port OTU { Include 20 21 } } You need to create two firewall rules to provide equivalent functionality to the VirusScan Enterprise 8.8 rule. Task For details about product features, usage, and best practices, click ? or Help. 1 In McAfee ePO, select Menu | Policy | Policy Catalog, then select Endpoint Security Firewall from the Product list. 2 From the Category list, select Rules. 3 Click the name of the assigned Firewall Rules policy. 4 Click Add Rule, then configure a rule with the following settings. To be effective, this rule must be positioned above any other rules that block or allow outgoing TCP traffic to remote ports 20 or 21. 
  • Action: Allow
  • Direction: Out
  • Network protocol: Any protocol
  • Transport protocol: TCP
  • Remote ports: 20 and 21
  • Applications: Add executables with the file name or path* set to the Exclude section in the VirusScan Enterprise rule above.**

  * Variable names ${DefaultEmailClient}, ${DefaultBrowser}, ${epotomcatdir}, and ${epoapachedir} are not supported by Endpoint Security Firewall 10.2. To add these executables, you need to add the executable file names associated with the desired default email client, default browser, McAfee ePO Tomcat Install directory before \bin\, and McAfee ePO Apache Install directory before \bin\.
  ** Use single backslashes instead of double backslashes.
5 Click Save.
6 Click Add Rule, then configure a second rule directly below the rule you created in step 4:
  • Action: Block
  • Direction: Out
  • Network protocol: Any protocol
  • Transport protocol: TCP
  • Remote ports: 20 and 21
7 Click Save.

This rule is created and enabled in Endpoint Security 10.2 for all managed systems where it is assigned.

The CW05 rule was disabled by default in VirusScan Enterprise 8.8, so FTP traffic was allowed. To achieve the VirusScan Enterprise default behavior in Endpoint Security, change the Block rule's Action to Allow.

Create rule to prevent HTTP communication

Create Endpoint Security 10.2 firewall rules that are equivalent to the predefined Access Protection rule CW06 in VirusScan Enterprise 8.8.

See the Endpoint Security Firewall Help for more information about creating firewall rules.
Rule CW06: Prevent HTTP communication

    Rule CW06 G_070_CommonOff {
        Description "Prevent HTTP communication"
        Enforce 0
        Report 0
        Process {
            Include *
            Exclude ${DefaultBrowser} ${DefaultEmailClient} explorer.exe iexplore.exe firefox.exe mozilla.exe netscp.exe opera.exe msn6.exe ${epotomcatdir}\\bin\\tomcat.exe ${epotomcatdir}\\bin\\tomcat5.exe ${epotomcatdir}\\bin\\tomcat5w.exe ${epotomcatdir}\\bin\\tomcat7.exe inetinfo.exe amgrsrvc.exe ${epoapachedir}\\bin\\apache.exe webproxy.exe msexcimc.exe mcscript* frameworks* naprdmgr.exe naprdmgr64.exe frminst.exe naimserv.exe framepkg.exe narepl32.exe updaterui.exe cmdagent.exe cleanup.exe mctray.exe udaterui.exe framepkg_upd.exe mue_inuse.exe setlicense.exe mcscancheck.exe eudora.exe msimn.exe msn6.exe msnmsgr.exe neo20.exe nlnotes.exe outlook.exe pine.exe poco.exe thebat.exe thunde*.exe winpm-32.exe MAPISP32.exe VMIMB.EXE RESRCMON.EXE Owstimer.exe SPSNotific* WinMail.exe msiexec.exe msi*.tmp setup.exe ikernel.exe setup*.exe ?setup.exe ??setup.exe ???setup.exe _ins*._mp McAfeeHIP_Clie* InsFireTdi.exe update.exe uninstall.exe SAEuninstall.exe SAEDisable.exe Setup_SAE.exe
            Exclude lucoms* luupdate.exe lsetup.exe idsinst.exe sevinst.exe nv11esd.exe tsc.exe v3cfgu.exe ofcservice.exe earthagent.exe tmlisten.exe inodist.exe ilaunchr.exe ii_nt86.exe iv_nt86.exe cfgeng.exe f-secu* fspex.exe getdbhtp.exe fnrb32.exe "f-secure automa*" sucer.exe ahnun000.tmp supdate.exe autoup.exe pskmssvc.exe pavagent.exe dstest.exe paddsupd.exe pavsrv50.exe avtask.exe giantantispywa* boxinfo.exe
            Exclude alg.exe mobsync.exe waol.exe agentnt.exe svchost.exe runscheduled.exe pasys* google* backweb-*
            Exclude vmnat.exe devenv.exe windbg.exe jucheck.exe realplay.exe acrord32.exe acrobat.exe
            Exclude wfica32.exe mmc.exe mshta.exe dwwin.exe wmplayer.exe console.exe wuauclt.exe
            Exclude javaw.exe ccmexec.exe ntaskldr.exe winamp.exe realplay.exe quicktimeplaye* SiteAdv.exe McSACore.exe
        }
        Port OTU {
            Include 80
            Include 443
        }
    }

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Policy | Policy Catalog, then select Endpoint Security Firewall from the Product list.
2 From the Category list, select Rules.
3 Click the name of the assigned Firewall Rules policy.
4 Click Add Rule, then configure a rule with the following settings. To be effective, this rule must be positioned above any other rules that block or allow outgoing TCP traffic to remote ports 80 or 443.
  • Action: Allow
  • Direction: Out
  • Network protocol: Any protocol
  • Transport protocol: TCP
  • Remote ports: 80 and 443
  • Applications: Add executables with the file name or path* set to the Exclude section in the CW06 rule.**

  * Variable names ${DefaultEmailClient}, ${DefaultBrowser}, ${epotomcatdir}, ${epoapachedir} are not supported by Endpoint Security 10.2. To add these executables, you need to add the executable file names associated with the desired default email client, default browser, McAfee ePO Tomcat Install directory before \bin\, and McAfee ePO Apache Install directory before \bin\.
  ** Use single backslashes instead of double backslashes.
5 Click Save.
6 Click Add Rule, then configure a second rule directly below the rule you created in step 4:
  • Action: Block
  • Direction: Out
  • Network protocol: Any protocol
  • Transport protocol: TCP
  • Remote ports: 80 and 443
7 Click Save.

This rule is created and enabled in Endpoint Security 10.2 for all managed systems where it is assigned.

The CW06 rule was disabled by default in VirusScan Enterprise 8.8, so HTTP traffic was allowed. To achieve the VirusScan Enterprise default behavior in Endpoint Security, change the Block rule's Action to Allow.
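The conversion these three tasks walk through can be scripted so the resulting rule pair is reviewed before it is entered in McAfee ePO. The Python below is an added example, not code from the guide or from McAfee: it parses a rule in the syntax shown above, resolves the Exclude list the way the two footnotes describe, and returns the Allow-above-Block pair. Assumptions: every function name is hypothetical, two numbers on one Port Include line are read as an inclusive range (6666 6669 became 6666-6669), the flags IOTU and OTU map to Direction Either and Out as in the tasks, and rule evaluation is modelled as first match from the top with shell-style wildcards.

```python
import re
from fnmatch import fnmatchcase

# Constructed, shortened sample written in the syntax of the CW05 rule above.
SAMPLE_RULE = r'''
Rule CW05 G_070_CommonOff {
  Description "Prevent FTP communication"
  Enforce 0
  Report 0
  Process {
    Include *
    Exclude ${DefaultBrowser} explorer.exe ${epotomcatdir}\\bin\\tomcat7.exe
    Exclude "f-secure automa*" explorer.exe ftp.exe ${epoapachedir}\\bin\\apache.exe
  }
  Port OTU {
    Include 20 21
  }
}
'''
TOKEN = re.compile(r'"[^"]*"|\S+')      # quoted string or bare word
VAR = re.compile(r'\$\{(\w+)\}')        # ${DefaultBrowser}, ${epotomcatdir}, ...

def parse_rule(text):
    """Parse one port-blocking rule into a dict (hypothetical helper)."""
    toks = iter(TOKEN.findall(text))
    rule = {"include": [], "exclude": [], "port_includes": []}
    section = directive = None
    for t in toks:
        if t == "{":
            continue
        if t == "Rule":
            rule["id"], rule["group"] = next(toks), next(toks)
        elif t == "Description":
            rule["description"] = next(toks).strip('"')
        elif t in ("Enforce", "Report"):
            rule[t.lower()] = int(next(toks))
        elif t == "Process":
            section = "process"
        elif t == "Port":
            section, rule["port_flags"] = "port", next(toks)   # e.g. OTU, IOTU
        elif t == "}":
            section = directive = None
        elif t in ("Include", "Exclude"):
            directive = t.lower()
            if section == "port":
                rule["port_includes"].append([])    # one list per Include line
        elif section == "process":
            rule[directive].append(t.strip('"'))
        elif section == "port":
            rule["port_includes"][-1].append(int(t))
    return rule

def expand_ports(port_includes):
    """Assumption: two numbers on one Include line are an inclusive range."""
    return sorted({p for n in port_includes for p in range(n[0], n[-1] + 1)})

def applications(excludes, substitutions):
    """Resolve Exclude entries into firewall application names or paths."""
    apps, unresolved = [], []
    for entry in excludes:
        entry = entry.replace("\\\\", "\\")         # double -> single backslash
        m = VAR.search(entry)
        if m and m.group(1) not in substitutions:
            unresolved.append(entry)                # admin must supply a value
            continue
        values = substitutions[m.group(1)] if m else [""]
        for value in values:
            name = VAR.sub(lambda _: value, entry)  # literal, no escape handling
            if name not in apps:                    # drop duplicates, keep order
                apps.append(name)
    return apps, unresolved

def to_firewall_rules(rule, substitutions):
    """Return (rules in evaluation order, Exclude entries left unresolved)."""
    flags = rule["port_flags"]
    # Only the two mappings the guide shows: IOTU -> Either, OTU -> Out.
    direction = "Either" if "I" in flags and "O" in flags else "Out"
    ports = expand_ports(rule["port_includes"])
    base = {"Direction": direction, "Network protocol": "Any protocol",
            "Transport protocol": "TCP", "Remote ports": ports}
    if direction == "Either":
        base["Local ports"] = ports
    apps, unresolved = applications(rule["exclude"], substitutions)
    rules = [{"Action": "Block", **base}]
    if apps:                                        # Allow must sit above Block
        rules.insert(0, {"Action": "Allow", **base, "Applications": apps})
    return rules, unresolved

def decide(rules, exe, remote_port):
    """Model: first matching rule wins, top down; wildcards as shell globs."""
    for r in rules:
        apps = r.get("Applications")
        hit = apps is None or any(fnmatchcase(exe.lower(), a.lower()) for a in apps)
        if remote_port in r["Remote ports"] and hit:
            return r["Action"]
    return "No match"

if __name__ == "__main__":
    # Placeholder values an administrator would replace with real ones.
    subs = {"DefaultBrowser": ["firefox.exe"], "epotomcatdir": [r"C:\EPO_DIR\Tomcat"]}
    print(*to_firewall_rules(parse_rule(SAMPLE_RULE), subs), sep="\n")
```

Entries returned as unresolved still contain a ${...} variable and need a value supplied by hand before the Allow rule matches the legacy exclusions.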
D Maps of migrated policies

These policy overview diagrams show where legacy policy settings appear in McAfee Endpoint Security policies.

Policy maps

Use these maps to see where legacy settings are moved or merged during migration to Endpoint Security policies. See Appendix E, Changes to migrated settings, for details about settings that are removed, moved, renamed, or merged.

Migrating VirusScan Enterprise settings (Windows)

Settings from VirusScan Enterprise migrate to multiple Threat Prevention policies and the Endpoint Security Common policy.

Migrating on-access scan settings to Threat Prevention policies (Windows, Mac, and Linux)

On-access scan settings from VirusScan Enterprise, McAfee Endpoint Protection for Mac, and VirusScan Enterprise for Linux migrate to two Threat Prevention policies.

• On-Access Scan exclusions are always migrated.
• If you are migrating products for multiple operating system platforms:
  • VirusScan Enterprise settings take precedence over McAfee Endpoint Protection for Mac settings and VirusScan Enterprise for Linux settings.
  • McAfee Endpoint Protection for Mac settings take precedence over VirusScan Enterprise for Linux settings.
• Duplicate settings are not migrated.
• If you are not migrating VirusScan Enterprise settings, additional settings are migrated from McAfee Endpoint Protection for Mac and VirusScan Enterprise for Linux.

Migrating Access Protection and Buffer Overflow protection to Threat Prevention policies (Windows)

Settings for Access Protection and Buffer Overflow Protection migrate from VirusScan Enterprise and McAfee Host IPS to two Threat Prevention policies and the Endpoint Security Common Options policy.

Migrating Host IPS Firewall and General settings to Endpoint Security Firewall

Settings from the Host IPS Firewall and General policies migrate to two Endpoint Security Firewall policies and the Endpoint Security Common Options policy.

Migrating SiteAdvisor Enterprise settings to Web Control

Settings from SiteAdvisor Enterprise policies migrate to five Web Control policies and the Endpoint Security Common Options policy.

Migrating legacy settings to the Common Options policy

Settings from VirusScan Enterprise, McAfee Host IPS, and SiteAdvisor Enterprise policies migrate to the Options policy in the Common module for use by all the Endpoint Security product modules.

See also
Changes to migrated settings on page 4

E Changes to migrated settings

Use this information to locate legacy policy settings after migrating to Endpoint Security 10.2.

Contents
• Changes to VirusScan Enterprise settings
• Changes to IPS Rules settings in Host Intrusion Prevention
• Changes to Firewall settings
• Changes to SiteAdvisor Enterprise settings
• Changes to McAfee Endpoint Protection for Mac settings
• Changes to McAfee VirusScan Enterprise for Linux settings

Changes to VirusScan Enterprise settings

As part of the migration process from VirusScan Enterprise 8.8 to Threat Prevention, some policies are removed, moved, renamed, or merged with other settings.

Removed settings

These VirusScan Enterprise settings are not migrated.
Access Protection Policies — Rules
• Access Protection process inclusions or exclusions that the customer removed from McAfee-defined Access Protection rules
• Default include and exclude processes in default rules
• User-defined port-blocking rules, including user-defined inclusions and exclusions for predefined rules
• Rules that are added via content updates
• Prevent McAfee services from being stopped
• Anti-spyware Standard Protection: Protect Internet Explorer favorites and settings
• Anti-virus Standard Protection: Prevent mass mailing worms from sending mail
• Anti-virus Standard Protection: Prevent IRC communication
• Anti-virus Standard Protection: Prevent use of tftp.exe
• Anti-virus Maximum Protection: Protect cached files from password and email address stealers
• Anti-virus Maximum Protection: Prevent svchost executing non-Windows executables
• Anti-virus Maximum Protection: Protect phonebook files from password and email address stealers
• Common Standard Protection: Prevent modification of McAfee Common Management Agent files and settings
• Common Standard Protection: Prevent modification of McAfee Scan Engine files and settings
• Common Standard Protection: Protect Mozilla & Firefox files and settings
• Common Standard Protection: Disable HCP URLs in Internet Explorer
• Common Maximum Protection: Prevent FTP communication
• Common Maximum Protection: Prevent HTTP communication
• Common Maximum Protection: Prevent programs registering as a service
• Virtual Machine Protection: Prevent modification of VMWare Server files and settings
• Virtual Machine Protection: Prevent modification of VMWare virtual machine files
• Virtual Machine Protection: Prevent modification of VMWare Workstation files and settings
• Virtual Machine Protection: Prevent Termination of VMWare Processes

Alert Policies
• Alert Manager Alerts: Email Scan
• Alert Manager Alerts: AutoUpdate
• Alert Manager Alerts: Disable alerting
• Alert Manager Alerts: Enable centralized alerting
• Alert Manager Alerts: Enable Alert Manager alerting
• Additional Alerting Options: Send SNMP trap using SNMP service

Buffer Overflow Protection Policies
• Buffer Overflow Protection: Show the messages dialog box when a buffer overflow is detected
• Buffer Overflow Protection: Module in Buffer overflow exclusions
• Reports: all settings

General Options Policies
• Display Options: Show the system tray icon with all menu options
• Display Options: Show the system tray icon with minimal menu options
• Display Options: Do not show the system tray icon
• Display Options: Allow this system to make remote console connections to other systems
• Display Options: Disable default AutoUpdate task schedule
• Display Options: Enable splash screen
• Password Options: all settings
• Global Scan Settings: Enable saving scan data across reboots
• Global Scan Settings: Enable Artemis background queries

On-Access Default Processes Policies
• Scan Items: Include files with no extension under Default + additional file types

On-Access General Policies
• General: Floppy during shutdown
• ScriptScan: Process in ScriptScan exclusions
• Blocking: Send the specified message to the network user when a threat is detected
• Blocking: Message text settings
• Blocking: Block the connection settings
• Messages: Remove messages from the list
• Messages: Clean files
• Messages: Delete files
• Reports: all settings

On-Access High-Risk Processes Policies
• Scan Items: Include files with no extension under Default + additional file types

On-Access Low-Risk Policies
• Scan Items: Include files with no extension under Default + additional file types

On Delivery Email Scan Policies
• All settings

Unwanted Programs Policies
• Scan Items: Select categories of unwanted programs to detect

On-Demand Scan client tasks
• Scan Locations: Registry
• Scan Items: Include files with no extension under Default + additional file types
• Reports: all settings
• Task: Run this task on servers (migrated as part of task assignment)
• Task: Run this task on workstations (migrated as part of task assignment)

Moved, renamed, and merged settings

These VirusScan Enterprise settings are moved, renamed, or merged with other settings during migration.

Table E-1 Access Protection Rules
VirusScan Enterprise settings | Endpoint Security settings
Anti-spyware Maximum Protection: Prevent execution of scripts from the Temp folder | Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders*
Anti-spyware Maximum Protection: Prevent installation of new CLSIDs, APPIDs and TYPELIBs | Installing new CLSIDs, APPIDs, and TYPELIBs*
Anti-spyware Maximum Protection: Prevent all programs from running files from the Temp folder | Running files from common user folders*
Anti-virus Maximum Protection: Prevent alteration of all file extension registrations | Altering any file extension registrations*
Anti-virus Outbreak Control: Block read and write access to all shares | Remotely accessing local files or folders*
Anti-virus Outbreak Control: Make all shares read-only | Remotely creating or modifying files or folders*
Anti-virus Standard Protection: Prevent user rights policies from being altered | Altering user rights policies*
Anti-virus Standard Protection: Prevent registry editor and Task Manager from being disabled | Disabling Registry Editor and Task Manager*
Anti-virus Standard Protection: Prevent remote creation of autorun files | Remotely creating autorun files*
Anti-virus Standard Protection: Prevent remote creation/modification of executable and configuration files | Remotely creating or modifying Portable Executable, .INI, .PIF file types, and core system locations*
Anti-virus Standard Protection: Prevent hijacking of .EXE and other executable extensions | Hijacking .EXE and other executable extensions*
Anti-virus Standard Protection: Prevent Windows Process spoofing | Modifying core Windows Processes*
Common Maximum Protection: Prevent creation of new executable files in the Program Files folder | Creating new executable files in the Program Files folder*
Common Maximum Protection: Prevent creation of new executable files in the Windows folder | Creating new executable files in the Windows folder*
Common Maximum Protection: Prevent launching of files from the Downloaded Program Files folder | Internet Explorer launching files from the Downloaded Program Files folder*
Common Maximum Protection: Prevent programs registering to autorun | Registering of programs to autorun*
Common Standard Protection: Prevent installation of Browser Helper Objects and Shell Extensions | Installing Browser Helper Objects or Shell Extensions*
Common Standard Protection: Protect Internet Explorer settings | Modifying Internet Explorer settings*
Common Standard Protection: Protect network settings | Modifying network settings*
Common Standard Protection: Prevent common programs from running files from the Temp folder | Running files from common user folders by common programs*
Common Standard Protection: Prevent modification of McAfee files and settings | Common Options policy: • Self Protection: Exclude these processes**
Common Standard Protection: Prevent termination of McAfee processes | Common Options policy: • Self Protection: Exclude these processes**
Common Standard Protection: Prevent hooking of McAfee processes | Common Options policy: • Self Protection: Exclude these processes**

* Report, block, and user-defined included and excluded processes are migrated.
** Only user-defined excluded processes are migrated.

Table E-2 Alert Policies
VirusScan Enterprise settings | Endpoint Security settings
Alert Manager Alerts: On-Access Scan and Additional Alerting Options: Severity Filter | Common module, Options policy: • Threat Prevention events to log: On-Access Scan
Alert Manager Alerts: On-Demand Scan and scheduled scans and Additional Alerting Options: Severity Filter | Common Options policy: • Threat Prevention events to log: On-Demand Scan
Alert Manager Alerts: Access Protection and Additional Alerting Options: Severity Filter | Common Options policy: • Threat Prevention events to log: Access Protection
Additional Alerting Options: Log to local application event log | Common Options policy: • Log events to Windows Application log

Table E-3 Buffer Overflow Protection Policies
VirusScan Enterprise settings | Threat Prevention settings
Warning mode | Exploit Prevention policy: • Action: Report
Protection mode | Exploit Prevention policy: • Action: Block • Action: Report

Table E-4 General Options Policies
VirusScan Enterprise settings | Endpoint Security and Threat Prevention settings
Display Options: Console language settings | Common Options policy: • Client Interface Language
Display Options: Display managed tasks in the client console | Common Options policy: • Display managed custom tasks
Global Scan Settings: Allow On-Demand Scans to utilize the scan cache | On-Demand Scan policy: • Full Scan: Use the scan cache • Quick Scan: Use the scan cache • Right-Click Scan: Use the scan cache

Table E-5 On-Access General Policies
VirusScan Enterprise settings | Threat Prevention settings
General: Processes on enable | On-Access Scan policy: • Scan processes on service startup and content update
General: Enable on-access scanning when the policy is enforced | On-Access Scan policy: • Enable On-Access Scan
Table E-6 On-Access Default Processes Policies
VirusScan Enterprise settings | Threat Prevention settings
Scan Items: Find unknown unwanted programs and Trojans | On-Access Scan policy: • Additional scan options: Detect unknown program threats
Scan Items: Find unknown macro threats | On-Access Scan policy: • Additional scan options: Detect unknown macro threats
Scan Items: Default + additional file types | On-Access Scan policy: • What to scan: Default and specified file types

Table E-7 On-Access High-Risk Processes Policies
VirusScan Enterprise settings | Threat Prevention settings
High Risk Processes: Processes | On-Access Scan policy: • Configure different settings for High Risk and Low Risk processes: Process type
Scan Items: Find unknown unwanted programs and Trojans | On-Access Scan policy: • Additional scan options: Detect unknown program threats
Scan Items: Find unknown macro threats | On-Access Scan policy: • Additional scan options: Detect unknown macro threats
Scan Items: Default + additional file types | On-Access Scan policy: • What to scan: Default and specified file types

Table E-8 On-Access Low-Risk Processes Policies
VirusScan Enterprise settings | Threat Prevention settings
Low-Risk Processes | On-Access Scan policy: • Configure different settings for High Risk and Low Risk processes: Process type
Scan Items: Find unknown unwanted programs and Trojans | On-Access Scan policy: • Additional scan options: Detect unknown program threats
Scan Items: Find unknown macro threats | On-Access Scan policy: • Additional scan options: Detect unknown macro threats
Scan Items: Default + additional file types | On-Access Scan policy: • What to scan: Default and specified file types

Table E-9 Quarantine Manager Policies
VirusScan Enterprise settings | Threat Prevention settings
Quarantine Directory | Options policy: • Quarantine folder
Automatically delete quarantined data after the specified number of days and Number of days to keep backed-up data in the quarantine directory | Options policy: • Specify the maximum number of days to keep quarantine data

Table E-10 Unwanted Programs Policies
VirusScan Enterprise settings | Threat Prevention settings
Scan Items: Specify exclusions by detection name | Options policy: • Detection Name
User-Defined Items | Options policy: • Potentially Unwanted Program Detections

Table E-11 On-Demand Scan client tasks
VirusScan Enterprise settings | Threat Prevention settings
Scan Locations: Include subfolders | Custom On-Demand Scan client task: • Scan subfolders
Scan Items: Find unknown program threats | Custom On-Demand Scan client task: • Detect unknown program threats
Scan Items: Find unknown macro threats | Custom On-Demand Scan client task: • Detect unknown macro threats
Performance: Defer scan when using battery power | Custom On-Demand Scan client task: • Do not scan when the system is on battery power
Performance: Defer scan during presentations | Custom On-Demand Scan client task: • Scan anytime: Do not scan when the system is in presentation mode
Performance: User may defer scheduled scans | Custom On-Demand Scan client task: • Scan anytime: User can defer scans
Performance: Defer at most hours | Custom On-Demand Scan client task: • Scan anytime: User can defer scans: Maximum number of times user can defer for one hour
Performance: System utilization | Custom On-Demand Scan client task: • Performance: System utilization
Performance: Artemis: Sensitivity level | Custom On-Demand Scan client task: • McAfee GTI: Sensitivity level
Scan Items: Find unknown unwanted programs and Trojans | Custom On-Demand Scan client task: • Additional scan options: Detect unknown program threats
Scan Items: Find unknown macro threats | Custom On-Demand Scan client task: • Additional scan options: Detect unknown macro threats
Scan Items: Default + additional file types | Custom On-Demand Scan client task: • What to scan: Default and specified file types

See also
Policy maps on page 63
Migration notes for VirusScan Enterprise settings on page 32

Changes to IPS Rules settings in Host Intrusion Prevention

As part of the migration process from Host Intrusion Prevention to Endpoint Security Threat Prevention, these settings are removed, moved, renamed, or merged with other settings.

Table E-12 Signatures tab
Host Intrusion Prevention settings | Threat Prevention settings
Severity | Access Protection policy: • Block and Report
Type | Does not migrate.
Platform | Does not migrate.
Log status | Access Protection policy: • Report
Client rules | Does not migrate.
ID | Does not migrate.

Table E-13 IPS Signature
Host Intrusion Prevention settings | Threat Prevention settings
Signature name | Access Protection policy: • Rule: Options: Name
Severity level | Does not migrate.
Version Introduced | Does not migrate.
Notes; Description | Access Protection policy: • Notes. The Migration Assistant merges Notes and Description data from this signature into a single Notes field.

Table E-14 Standard IPS Subrule Properties
Host Intrusion Prevention settings | Threat Prevention settings
Name | Access Protection policy: • Rule: Name. The subrule name and signature name migrate to the rule name in this format: <IPS Signature name>_<IPS Subrule name>.
Rule type | Access Protection policy: • Custom Rule: Subrule: Properties: Subrule type
Operations | Access Protection policy: • Custom Rule: Subrule: Properties: Operations
Parameters | Access Protection policy: • Custom Rule: Subrule: Properties: Targets (as parameters)
Parameters: Executables | Access Protection policy: • Custom Rule: Options: Executables

Table E-15 Application Protection Rules tab
Host Intrusion Prevention settings | Threat Prevention settings
Status | Does not migrate.
Inclusion Status | Does not migrate. Is used to determine whether to migrate executables from excluded Application Protection Rules.

Table E-16 Application Protection Rule Properties
Host Intrusion Prevention settings | Threat Prevention settings
Name | Does not migrate.
Status | Does not migrate.
Inclusion Status | Does not migrate. Is used to determine whether to migrate executables from excluded Application Protection Rules.
Executables | Exploit Prevention policy: • Exclusions: Process
Notes | Does not migrate.

Table E-17 Executable
Host Intrusion Prevention settings | Threat Prevention settings
Name | Exploit Prevention policy: • Exclusions: Process: Name
File description | Does not migrate.
File name | Exploit Prevention policy: • Exclusions: Process: File name or path
Fingerprint | Exploit Prevention policy: • Exclusions: Process: MD5 hash
Signer | Exploit Prevention policy: • Exclusions: Process: Signer
Note | Does not migrate.

Table E-18 Exception Rules tab
Host Intrusion Prevention settings | Threat Prevention settings
Status | Does not migrate. Only enabled exceptions migrate.
Modified | Does not migrate.
Exception Name | Does not migrate.
First Executable | Migrates to one or more of these policies, based on criteria explained in Appendix B, IPS Rules migration: • Access Protection policy: • Executable • Exploit Prevention policy: • Process
Modified | Does not migrate.
Notes | Does not migrate.
Actions | Does not migrate.

Table E-19 IPS Exception
Host Intrusion Prevention settings | Threat Prevention settings
Exception name | Does not migrate.
Status | Does not migrate. Only enabled exceptions migrate.
Signatures | Does not migrate directly. Is used to migrate to respective Files, Registry, and Programs Rule types. The target is based on criteria explained in Appendix B, IPS Rules migration, under Exceptions.
Parameters: Executable: Type | Does not migrate.
Parameters: Executable: Name | Migrates to both policies. The target is based on criteria explained in Appendix B, IPS Rules migration, under Exceptions. • Access Protection policy: • Executable Name or Process Name • Exploit Prevention policy: • Executable Name or Exclusions: Process Name
Parameters: Executable: File name | Migrates to both policies. The target is based on criteria explained in Appendix B, IPS Rules migration, under Exceptions. • Access Protection policy: • If signature is Custom — Rule: Options: Executable: File Name or Path • If signature is Global — Policy: Exclusions: File Name or Path • Exploit Prevention policy: • Executable: File Name or Path
Parameters: Executable: Fingerprint | Migrates to both policies. The target is based on criteria explained in Appendix B, IPS Rules migration, under Exceptions. • Access Protection policy: • If signature is Custom — Rule: Options: Executable: MD5 Hash • If signature is Global — Policy: Exclusions: MD5 Hash • Exploit Prevention policy: • Exclusions: Executable: MD5 Hash
Parameters: Executable: File description | Does not migrate.
Parameters: Executable: Signer | Migrates to both policies. The target is based on criteria explained in Appendix B, IPS Rules migration, under Exceptions. • Access Protection policy: • If signature is Custom — Rule: Options: Executable: Signer • If signature is Global — Policy: Exclusions: Signer • Exploit Prevention policy: • Exclusions: Executable: Signer
Parameters: Executable: Action | Does not migrate.
Parameters: Parameters: Domain Group | Does not migrate.

Table E-20 Edit Parameter
Host Intrusion Prevention settings | Threat Prevention settings
Parameter name | Access Protection policy: • Subrule: Properties: Targets: Name
Value | Access Protection policy: • Subrule: Properties: Targets: Value

Table E-21 IPS Protection
Host Intrusion Prevention settings | Threat Prevention settings
Reaction based on signature severity level: Reaction | Is used with the IPS Rules Severity and Log status settings to determine the target Block/Report setting for Access Protection Rules. The target is based on criteria explained in Appendix B, IPS Rules migration, under Signature-level settings in migrated IPS Rules.
See also
Policy maps on page 63
Migration notes for IPS Rules settings on page 36
Signature-level settings in migrated IPS Rules on page 51
Subrule-level settings in migrated IPS Rules on page 52
Exceptions on page 53
Application Protection Rules on page 55

Changes to Firewall settings

As part of the migration process from Host Intrusion Prevention 8.0 Firewall to Endpoint Security Firewall, these settings are removed, moved, renamed, or merged with other settings.

Removed settings

These Host Intrusion Prevention Firewall settings are not migrated.

Firewall Options
• Learn mode

Client UI
• General Settings: Show tray icon
• General Settings: Flash tray icon
• General Settings: Play sound
• General Settings: Capture trace
• General Settings: Show this custom message
• General Settings: Allow user to notify administrator of false positives
• General Settings: SMTP server name
• General Settings: Send email to
• Advanced Options: Product integrity check enabled
• Advanced Options: Manual creation of client rules (for all features) enabled
• Advanced Options: Administrator password to unlock the UI
• Advanced Options: Disabling features settings
• Advanced Options: Time-based password settings
• Troubleshooting: Activity log size
• Troubleshooting: IPS logging settings
• Troubleshooting: Enable IPS engines settings

Trusted Applications
• Application name
• Mark trusted for IPS
• Notes

Trusted Networks
• Trust for IPS

Moved, renamed, and merged settings

These Host Intrusion Prevention Firewall settings are moved, renamed, or merged with other settings during migration.
Table E-22 DNS Blocking
Host Intrusion Prevention settings | Endpoint Security Firewall settings
DNS Blocking: Blocked Domains | Options policy: • DNS Blocking: Domain name

Table E-23 Firewall Options
Host Intrusion Prevention settings | Endpoint Security Firewall settings
Firewall status: Enabled | Options policy: • Enable Firewall
Firewall status: Adaptive mode | Options policy: • Tuning Options: Enable Adaptive mode
Firewall status: Allow traffic for unsupported protocols | Options policy: • Protection Options: Allow traffic for unsupported protocols
Firewall status: Allow bridged traffic | Options policy: • Protection Options: Allow bridged traffic
Firewall client rules: Retain existing client rules when this policy is enforced | Options policy: • Tuning Options: Retain existing user added rules and Adaptive mode rules when this policy is enforced
Startup Protection: Allow only outgoing traffic until the Host IPS service has started | Options policy: • Protection Options: Allow only outgoing traffic until firewall services have started
Protection options: Send events to ePO for Trusted Source violations | Options policy: • McAfee GTI Network Reputation: Log matching traffic

Table E-24 Client UI
Host Intrusion Prevention settings | Endpoint Security Firewall and Endpoint Security settings
Display pop-up alert | Options policy: • Tuning Options: Enable firewall intrusion alerts
Client UI language setting | Common Options policy: • Client Interface Language
Firewall logging | Common Options policy: • Debug Logging: Enable for Firewall

Table E-25 Trusted Applications
Host Intrusion Prevention settings | Endpoint Security Firewall settings
Fingerprint | Options policy: • Trusted Executables: MD5 Hash

Table E-26 Trusted Networks
Host Intrusion Prevention settings | Endpoint Security Firewall settings
Include local subnet automatically: Enabled | Options policy: • Defined Networks: Local subnet entry is added
Trusted networks | Options policy: • Defined Networks: Trusted

See also
Policy maps on page 63
Migration notes for McAfee Host IPS Firewall settings on page 40

Changes to SiteAdvisor Enterprise settings

As part of the migration process from SiteAdvisor Enterprise 3.5 to Web Control, these settings are removed, moved, renamed, or merged with other settings.

Removed settings

These SiteAdvisor Enterprise settings are not migrated.

Authorize List
• Block phishing pages

Enable/Disable
• SiteAdvisor menu option: Enable
• SiteAdvisor menu option: Only allow with password

Enforcement Messaging
• Site: Allow message (all languages)
• Site: Enter explanation messages to display when users attempt to access sites you have configured content filtering actions for: Warn explanation (all languages)
• Authorize and Prohibit Lists: Allow message (all languages)
• Authorize and Prohibit Lists: Allow explanation (all languages)
• Zero Day Protection: Allow message (all languages)

Event Tracking
• Domains and downloads: Track
• Capture logged-on user name in events

General
• Action Enforcement: Allow Warn sites
• Action Enforcement: Enable Artemis scan
• Control Panel Option: Enable Hardening
• Self Protection: Protect SiteAdvisor resources: all settings

Moved, renamed, and merged settings

These SiteAdvisor Enterprise settings are moved, renamed, or merged with other settings during migration.
Table E-27 Authorize List
SiteAdvisor Enterprise settings | Web Control settings
Test Site Patterns | Block and Allow List policy: • Test Pattern button
Track events and request information from the SiteAdvisor server | Block and Allow List policy: • Enforce actions for file downloads based on their rating. Options policy: • Log events for allowed sites configured in the Block and Allow List
Give this Authorize list precedence over Prohibit lists | Block and Allow List policy: • Enable allowed sites to take precedence over blocked sites

Table E-28 Content Actions
SiteAdvisor Enterprise settings | Web Control settings
Action for Green and Action for Unrated | Content Actions policy: • Block rating action
Phishing | Content Actions policy: • Phishing web category. Options policy: • Block phishing pages for all sites

Table E-29 Enable/Disable
SiteAdvisor Enterprise settings | Web Control settings
SiteAdvisor policy enforcement: Enable | Options policy: • Enable Web Control
SiteAdvisor toolbar: Enable | Options policy: • Hide the toolbar on the client browser

Table E-30 Enforcement Messaging
SiteAdvisor Enterprise settings | Web Control settings
Site: Enter short messages (up to 50 characters) to display when users attempt to access sites you have configured actions for | Enforcement Messaging policy: • Site: Messages for sites blocked by Rating Actions
Site: Enter explanation messages (up to 1000 characters) to display when users attempt to access sites you have configured rating actions for | Enforcement Messaging policy: • Site: Explanations for sites blocked by Rating Actions
Site: Enter explanation messages (up to 1000 characters) to display when users attempt to access sites you have configured content filtering actions for | Enforcement Messaging policy: • Site: Explanation for sites blocked by Web Category Blocking
Site Resources: Enter short messages (up to 50 characters) to display when users attempt to download a file that is warned or blocked | Enforcement Messaging policy: • Site Downloads: Messages for site downloads blocked by Rating Actions
Site Resources: Enter a short message (up to 50 characters) to display when users attempt to access a blocked phishing page | Enforcement Messaging policy: • Block List: Message for sites blocked by Phishing Pages
Authorize and Prohibit Lists: On Prohibit Lists | Enforcement Messaging policy: • Site Downloads: Message for sites on the Block List
Fail Close: Enter short messages (up to 50 characters) to display when users attempt to access sites you have configured actions for | Enforcement Messaging policy: • McAfee GTI Unreachable: Message for sites blocked when McAfee GTI ratings server is not reachable
Fail Close: Enter explanation messages (up to 1000 characters) to display when users attempt to access sites you have configured rating actions for | Enforcement Messaging policy: • McAfee GTI Unreachable: Explanation for sites blocked when McAfee GTI ratings server is not reachable
Zero Day Protection: Enter short messages (up to 50 characters) to display when users attempt to access sites you have configured actions for | Enforcement Messaging policy: • Unverified Site Protection: Messages for sites not yet verified by McAfee GTI
Zero Day Protection: Enter explanation messages (up to 1000 characters) to display when users attempt to access sites you have configured rating actions for | Enforcement Messaging policy: • Unverified Site Protection: Explanations for sites not yet verified by McAfee GTI
Image | Enforcement Messaging policy: • Image for Warn and Block Pages

Table E-31 Event Tracking
SiteAdvisor Enterprise settings | Web Control settings
Track content categories for all green sites | Options policy: • Enable Web Control
• Page views and downloads: Track | Options policy: • Send browser page views and downloads to Web Reporter
Content Security Reporter Configuration | Options policy: • Web Reporter configuration

Table E-32 General
SiteAdvisor Enterprise settings | Endpoint Security and Web Control settings
HTTP proxy server | Common Options policy: • Proxy Server for McAfee GTI
HTTP proxy authentication: Use authentication | Common Options policy: • Enable HTTP proxy authentication
Block Malicious and Warn sites in an iframe | Options policy: • Enable HTML iFrames support
Enable ePO event tracking for iframe URL navigation | Options policy: • Log Web Control iFrame events
Zero Day Protection: Level | Options policy: • Apply this action to sites not yet verified by McAfee GTI
Fail Close: Enable | Options policy: • Block sites by default if McAfee GTI ratings server is not reachable
Accept Warn action at domain level: Enable | Options policy: • Allow warn action at domain level
Observe mode: Enable | Options policy: • Enable Observe mode
File download enforcement: Enable | Options policy: • Enable file scanning for file downloads
Artemis enforcement level | Options policy: • McAfee GTI sensitivity level
Enable browser-based annotations | Options policy: • Enable annotations in browser-based email
Enable non-browser-based annotations | Options policy: • Enable annotations in non browser-based email
Private IP range: Enable | Options policy: • Exclusions: Allow all IP addresses in the local network • Exclusions: Specify IP addresses or ranges to exclude from Web Control rating or blocking
Web gateway interlock: Enable | Options policy: • Stand down if a web gateway appliance is detected
Client is using one of your organization's default gateways | Options policy: • Use your organization's default gateway
Web gateway enforcement is detected | Options policy: • Detect web gateway enforcement
Enter the DNS name for the Internal Landmark | Options policy: • Specify internal landmark to use and DNS name for internal landmark
Secure Search: Enable | Options policy: • Enable Secure Search
Search Engine | Options policy: • Set the default engine in supported browsers
Block links to risky sites | Options policy: • Block links to risky sites in search results

Table E-33 Hardening
SiteAdvisor Enterprise settings | Web Control settings
Protect SiteAdvisor browser plugin: Enable | Options policy: • Prevent user from uninstalling or disabling browser plug-in

Table E-34 Prohibit List
SiteAdvisor Enterprise settings | Web Control settings
Test Site Patterns | Block and Allow List policy: • Test Pattern button

See also
Policy maps on page 63
Migration notes for SiteAdvisor Enterprise settings on page 42

Changes to McAfee Endpoint Protection for Mac settings

As part of the migration process from McAfee Endpoint Protection for Mac 2.3, these settings are removed, moved, renamed, or merged with other settings.

Removed settings

These settings from the Anti-malware policy are not migrated.

General tab
• Disable the local auto-update schedule

On-demand Scan tab (all settings)

Exclusions tab
• Exclude specific disks, files, and folders: On-demand Scan

Moved, renamed, and merged settings

These McAfee Endpoint Protection for Mac settings from the Anti-malware policy are migrated to the On-Access Scan policy in Threat Prevention.
Table E-35 General tab
McAfee Endpoint Protection for Mac settings | Threat Prevention settings
General policies controlling overall functioning of Anti-malware: On-access Scan | On-Access Scan policy: • Enable On-Access Scan
General policies controlling overall functioning of Anti-malware: Spyware Scan | On-Access Scan policy: • Detect unwanted programs (Standard tab)

Table E-36 On-access Scan tab
McAfee Endpoint Protection for Mac settings | Threat Prevention settings
On-access Scan policies: Scan contents of Archives and Compressed Files | On-Access Scan policy (Standard tab): • Compressed archive files
On-access Scan policies: Scan Apple Mail Messages | On-Access Scan policy (Standard tab): • Compressed MIME-encoded files
On-access Scan policies: Scan files on Network Volumes | On-Access Scan policy (Standard tab): • On network drives
On-access Scan policies: Maximum scan time (seconds) | On-Access Scan policy: • Specify maximum number of seconds for each file scan:
Scan files: | On-Access Scan policy (Standard tab):
• On Read | • When reading from disk
• On Write | • When writing to disk
• Read & Write | • Let McAfee decide
When a virus is found and If the above action fails: | Threat detection first response and If first response fails:
• Clean | • Clean
• Quarantine | • Delete
• Delete | • Delete
• Notify | • Deny
If the primary action is Quarantine and the secondary action is Delete in the source policy, the target settings are Delete and Deny.
When a spyware is found and If the above action fails: | Unwanted program first response and If first response fails:
• Clean | • Clean
• Quarantine | • Delete
• Delete | • Delete
• Notify | • Deny
If the primary action is Quarantine and the secondary action is Delete in the source policy, the target settings are Delete and Deny.
Table E-37 Exclusions tab
McAfee Endpoint Protection for Mac settings | Threat Prevention settings
Exclude specific disks, files, and folders: On-access Scan | On-Access Scan policy (Standard tab): • Exclusions: File name or path including subfolder for read and write

See also
Policy maps on page 63
Migration notes for McAfee Endpoint Protection for Mac settings on page 44

Changes to McAfee VirusScan Enterprise for Linux settings

As part of the migration process from McAfee VirusScan Enterprise for Linux 2.0.2, these settings are removed, moved, renamed, or merged with other settings.

You can manage Endpoint Security for Linux with the Endpoint Security Threat Prevention and Common module extensions in McAfee ePO. Endpoint Security Firewall and Web Control are not supported for Linux.

Removed settings

These settings from the Actions tab of the On-Access Scanning policy are not migrated.
• If scanning fails
• If scanning times out

Other policies are not migrated.

Moved, renamed, and merged settings

These McAfee VirusScan Enterprise for Linux settings from the On-Access Scanning policy are migrated to the On-Access Scan policy in Threat Prevention.
Table E-38 On Access Scanning policy: Actions tab
VirusScan Enterprise for Linux settings | Threat Prevention settings
When Viruses and Trojans are found and If the above action fails | Threat detection first response and If first response fails:
• Clean | • Clean
• Delete | • Delete
• Deny | • Deny
When Programs & Jokes are found and If the above action fails | Unwanted program first response and If first response fails:
• Clean | • Clean
• Delete | • Delete
• Deny | • Deny

Table E-39 On Access Scanning policy: Advanced tab
VirusScan Enterprise for Linux settings | Threat Prevention settings
Heuristics: Find unknown program viruses | On-Access Scan policy: • Additional scan options: Detect unknown program threats
Heuristics: Find unknown macro viruses | On-Access Scan policy: • Additional scan options: Detect unknown macro threats
Non-viruses: Find potentially unwanted programs | On-Access Scan policy: • Additional scan options: Detect unwanted programs
Non-viruses: Find joke programs | On-Access Scan policy: • Additional scan options: Detect unknown program threats
Compressed files: Scan inside multiple-file archives (e.g. .ZIP) | On-Access Scan policy: • What to scan: Compressed archive files
Compressed files: Decode MIME encoded files | On-Access Scan policy (Standard tab): • What to scan: Compressed MIME-encoded files

Table E-40 On Access Scanning policy: Detections tab
VirusScan Enterprise for Linux settings | Threat Prevention settings
Scan files: | On-Access Scan policy:
• When writing to disk | • When to scan: When writing to disk
• When reading from disk | • When to scan: When reading from disk
Scan files: | On-Access Scan policy:
• On network mounted volume | • What to scan: On network mounted volume
What to scan | On-Access Scan policy:
• All files | • What to scan: All files
• Default + additional file types | • What to scan: Default and specified file types
• Specified file types | • What to scan: Specified file types only
What not to scan | On-Access Scan policy: • Exclusions: File name or path including subfolder for read and write
Maximum Scan Time: Maximum scan time (seconds) | On-Access Scan policy: • Specify maximum number of seconds for each file scan:

Table E-41 On Access Scanning policy: General tab
VirusScan Enterprise for Linux settings | Threat Prevention settings
On-access Scan: Enable on-access scanning | On-Access Scan policy: • Enable On-Access Scan
On-access Scan: Quarantine Directory | Options policy: • Quarantine folder
Maximum Scan Time: Enable a maximum scanning time for all files | On-Access Scan policy: • Specify maximum number of seconds for each file scan
Maximum Scan Time: Maximum scan time (seconds) | On-Access Scan policy: • Scan Timeout

Table E-42 On-Demand Scan client tasks
VirusScan Enterprise for Linux settings | Threat Prevention settings
Scan Items | Custom On-Demand Scan client task: • Scan Options: Scan Locations: user-defined path
Where to scan | Custom On-Demand Scan client task: • Scan Options: Scan subfolders
What to scan: Default + specified user-defined extensions; What to scan: Specified user-defined extensions | Custom On-Demand Scan client task: • What to scan: Default and specified file types • What to scan: Specified user-defined extensions
Exclusions | Custom On-Demand Scan client task: • Exclusions
Advanced: Find unknown program virus | Custom On-Demand Scan client task: • Additional scan options: Detect unknown program threats
Advanced: Find unknown macro viruses | Custom On-Demand Scan client task: • Additional scan options: Detect unknown macro threats
Advanced: Find potentially unwanted programs | Custom On-Demand Scan client task: • Additional scan options: Find potentially unwanted programs
Advanced: Scan inside multiple file archives | Custom On-Demand Scan client task: • Additional scan options: Compressed Archive Files:
Advanced: Decode MIME encoded files | Custom On-Demand Scan client task: • Additional scan options: Compressed MIME-encoded files
Actions: Primary Action Virus | Custom On-Demand Scan client task: • Remediation: Primary Action Virus
Actions: Secondary Action Virus | Custom On-Demand Scan client task: • Remediation: Secondary Action Virus

See also
Policy maps on page 63
Migration notes for VirusScan Enterprise for Linux settings on page 46