McAfee ePolicy 3, 3.5, 3.6 System Compliance Profiler


Page 1: McAfee ePolicy 3, 3.5, 3.6 System Compliance Profiler

Configuration Guide

revision 1.0

System Compliance Profiler®

For use with ePolicy Orchestrator 3.0.x, 3.5, or 3.6 Beta

version 1.1

McAfee® System Protection

Industry-leading intrusion prevention solutions

Page 2: McAfee ePolicy 3, 3.5, 3.6 System Compliance Profiler

COPYRIGHT

Copyright © 2005 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, MCAFEE, MCAFEE (AND IN KATAKANA), MCAFEE AND DESIGN, MCAFEE.COM, MCAFEE VIRUSSCAN, NA NETWORK ASSOCIATES, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NETWORK ASSOCIATES, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA), YOUR NETWORK. OUR BUSINESS. are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Attributions

This product includes or may include:

Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). Cryptographic software written by Eric A. Young and software written by Tim J. Hudson. Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. Software originally written by Robert Nordier, Copyright © 1996-7 Robert Nordier.

Software written by Douglas W. Sauder. Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt. International Components for Unicode (“ICU”) Copyright © 1995-2002 International Business Machines Corporation and others. Software developed by CrystalClear Software, Inc., Copyright © 2000 CrystalClear Software, Inc. FEAD® Optimizer® technology, Copyright Netopsystems AG, Berlin, Germany. Outside In® Viewer Technology © 1992-2001 Stellent Chicago, Inc. and/or Outside In® HTML Export, © 2001 Stellent Chicago, Inc. Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, © 1998, 1999, 2000. Software copyrighted by Expat maintainers. Software copyrighted by The Regents of the University of California, © 1989. Software copyrighted by Gunnar Ritter. Software copyrighted by Sun Microsystems®, Inc. © 2003. Software copyrighted by Gisle Aas. © 1995-2003. Software copyrighted by Michael A. Chase, © 1999-2000. Software copyrighted by Neil Winton, © 1995-1996. Software copyrighted by RSA Data Security, Inc., © 1990-1992. Software copyrighted by Sean M. Burke, © 1999, 2000. Software copyrighted by Martijn Koster, © 1995. Software copyrighted by Brad Appleton, © 1996-1999. Software copyrighted by Michael G. Schwern, © 2001. Software copyrighted by Graham Barr, © 1998. Software copyrighted by Larry Wall and Clark Cooper, © 1998-2000. Software copyrighted by Frodo Looijaard, © 1997. Software copyrighted by the Python Software Foundation, Copyright © 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. Software copyrighted by Beman Dawes, © 1994-1999, 2002. Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek © 1997-2000 University of Notre Dame. Software copyrighted by Simone Bordet & Marco Cravero, © 2002. Software copyrighted by Stephen Purcell, © 2001. 
Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/). Software copyrighted by International Business Machines Corporation and others, © 1995-2003. Software developed by the University of California, Berkeley and its contributors. Software developed by Ralf S. Engelschall <[email protected]> for use in the mod_ssl project (http://www.modssl.org/). Software copyrighted by Kevlin Henney, © 2000-2002. Software copyrighted by Peter Dimov and Multi Media Ltd. © 2001, 2002. Software copyrighted by David Abrahams, © 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation. Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, © 2000. Software copyrighted by Boost.org, © 1999-2002. Software copyrighted by Nicolai M. Josuttis, © 1999. Software copyrighted by Jeremy Siek, © 1999-2001. Software copyrighted by Daryle Walker, © 2001. Software copyrighted by Chuck Allison and Jeremy Siek, © 2001, 2002. Software copyrighted by Samuel Krempp, © 2001. See http://www.boost.org for updates, documentation, and revision history. Software copyrighted by Doug Gregor ([email protected]), © 2001, 2002. Software copyrighted by Cadenza New Zealand Ltd., © 2000. Software copyrighted by Jens Maurer, © 2000, 2001. Software copyrighted by Jaakko Järvi ([email protected]), © 1999, 2000. Software copyrighted by Ronald Garcia, © 2002. Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, © 1999-2001. Software copyrighted by Stephen Cleary ([email protected]), © 2000. Software copyrighted by Housemarque Oy <http://www.housemarque.com>, © 2001. Software copyrighted by Paul Moore, © 1999.

Software copyrighted by Dr. John Maddock, © 1998-2002. Software copyrighted by Greg Colvin and Beman Dawes, © 1998, 1999. Software copyrighted by Peter Dimov, © 2001, 2002. Software copyrighted by Jeremy Siek and John R. Bandela, © 2001. Software copyrighted by Joerg Walter and Mathias Koch, © 2000-2002.

Issued June 2005 / McAfee System Compliance Profiler® software version 1.1 DOCUMENT BUILD 005.1-<EN>

Page 3: McAfee ePolicy 3, 3.5, 3.6 System Compliance Profiler

Contents

1 Introducing System Compliance Profiler, page 4
  System Compliance Profiler overview, page 4
  What’s new in this release, page 5
  How System Compliance Profiler works with ePolicy Orchestrator, page 11
  Using this guide, page 14
  Resources, page 15

2 Adding System Compliance Profiler to ePolicy Orchestrator, page 19
  ePolicy Orchestrator 3.0.x requirements, page 19
  Adding System Compliance Profiler to the ePolicy Orchestrator server, page 20
  Upgrading System Compliance Profiler from version 1.0, page 21
  Removing System Compliance Profiler from the ePolicy Orchestrator server, page 22

3 Deploying the System Compliance Profiler client scanner, page 24
  System requirements, page 24
  Using ePolicy Orchestrator to deploy System Compliance Profiler, page 24
  Installing System Compliance Profiler manually on clients, page 27
  Removing System Compliance Profiler from clients, page 27

4 Using compliance rules and scans, page 29
  Overview of using compliance rules in on-demand scans, page 29
  About System Compliance Profiler rules, page 30
  Creating and editing rules, page 33
  Using rules and rule groups for scanning, page 37
  Scheduling System Compliance Profiler on-demand scan tasks, page 41
  Update pre-defined System Compliance Profiler rules from McAfee, page 43

5 Working with Scan Results, page 46
  System Compliance Profiler reports, page 46
  About running System Compliance Profiler reports in ePolicy Orchestrator, page 49
  Generating System Compliance Profiler reports, page 51

A Frequently Asked Questions, page 54
  Installations, page 54
  Policies, page 55
  Scans, page 55
  Reports, page 56

B System Compliance Profiler metrics, page 58
  Client memory use, page 58
  Network bandwidth, page 58
  ePolicy Orchestrator impact, page 58

Page 4: McAfee ePolicy 3, 3.5, 3.6 System Compliance Profiler

1 Introducing System Compliance Profiler

Overview of the product, how it works with ePolicy Orchestrator, and new features in this release

System Compliance Profiler® 1.1 is a client scanner that scans computers on your network to determine whether they comply with policies that you set up in ePolicy Orchestrator®.

What’s covered in this chapter

System Compliance Profiler overview

What’s new in this release

How System Compliance Profiler works with ePolicy Orchestrator

Using this guide

Resources

System Compliance Profiler overview

System Compliance Profiler’s features include:

Microsoft patch compliance reporting.

Customizable compliance assessment based on scans for specific files, registry entries, services and Microsoft patches.

Downloadable rule templates.

File and patch integrity verification (with MD5 “fingerprinting”).

Complete integration with McAfee ePolicy Orchestrator, for centralized administration and host-based compliance reporting.

Graphical compliance reports with drill-down paths.

The System Compliance Profiler software scans remote computers to determine whether they comply with policies that you set up. Policies consist of rules, each of which tells the software to look for a specific file, registry key, patch, or service on scanned computers. Computers that meet all of your rule criteria are in compliance with your policies. Computers that do not meet rule criteria have rule violations. You can use System Compliance Profiler to create graphical and tabular reports that show which network computers do and do not comply with company policies.

Page 5: McAfee ePolicy 3, 3.5, 3.6 System Compliance Profiler

System Compliance Profiler® 1.1 Configuration Guide / 1 Introducing System Compliance Profiler / What’s new in this release

System Compliance Profiler integrates into the McAfee ePolicy Orchestrator management software. This means that you use ePolicy Orchestrator to configure and deploy the software. For details on the ePolicy Orchestrator and System Compliance Profiler interfaces, see Accessing System Compliance Profiler through the ePolicy Orchestrator console on page 12.

System Compliance Profiler works by installing remote scanning software on each computer that you want to monitor. This scanning software periodically scans for files, registry keys, patches, and services. It then relays the information it collects back to the ePolicy Orchestrator server. Once the software finishes its scans and reports back, you can use System Compliance Profiler and ePolicy Orchestrator to run reports based on the collected data.

What’s new in this release

This release of System Compliance Profiler includes the following new features or enhancements:

Reboot state awareness.

Using registry keys to dynamically resolve file paths.

Filtering and sorting for security patch templates.

Running rules only when specific applications are present.

Improved rules interface and features.

More flexibility and granularity for defining rules.

Use ePolicy Orchestrator pull tasks to update predefined McAfee rules automatically.

Each of these new features is detailed in the sections that follow.

Reboot state awareness

Current release: The goal of this feature is to determine if a system is in violation of a rule only because the machine has not been rebooted yet. If the file being checked is in violation of the rule, and it is scheduled to be replaced at the next reboot, then the violation event contains extra data to indicate that a reboot is needed. This information will be displayed in the rule violation reports.

Benefits: After applying a patch on your managed machines, they may require a reboot. Until they are rebooted, they will continue to show up as non-compliant in your System Compliance Profiler reports. This feature is an indication that rebooting the machines may make them compliant in the next System Compliance Profiler scan, and gives a more accurate snapshot of system status.

Page 6: McAfee ePolicy 3, 3.5, 3.6 System Compliance Profiler

Where to find: The Compliant/Non-Compliant Summary report will include the reboot state awareness category. The graph has a new pie container for systems that need rebooting.

For more information: See Compliance & Non-Compliance Summary on page 47 for more information on how computer compliance data is reflected in reports.

Using registry keys to dynamically resolve file paths

Current release: Use registry key values when specifying file path locations for file-based rules. In the Edit Rule page, the drop-down box for the file path contains an additional choice labeled HKEY_LOCAL_MACHINE. If you choose this, you can specify the location of the registry key that contains the file path of the file being searched for. Note that this registry path will also contain the registry value being examined.

Benefits: Use registry keys to reference file paths dynamically, rather than having to hardcode the file paths into your rules.

Where to find: On the Edit Rule page of the System Compliance Profiler Rules policy page, the File path drop-down list contains a new HKEY_LOCAL_MACHINE option for specifying a registry key that contains a file path.

For more information: About System Compliance Profiler rules on page 30

Page 7: McAfee ePolicy 3, 3.5, 3.6 System Compliance Profiler

Filtering and sorting for security patch templates

Current release: Group and filter the predefined McAfee security patch rules to show only the rules you are interested in viewing. When you select the Security Patch Rules group, or any rules under this group, you can click a Filter button to filter and sort based on the following criteria:

Microsoft Security Bulletin #

Microsoft patch release date

Microsoft severity rating

Microsoft identifier (KB or Q number)

Affected operating systems

Affected applications

Benefits: The list of security patches can become quite long. Using filtering and sorting can make the list more manageable.

Where to find: To access this feature:

1 Open the Rules page of the System Compliance Profiler policy pages.

2 Select the Security Patch Rules group or any patch rules group or rules within Security Patch Rules to enable the new Filter button.

3 Click Filter to open the Filtering and Sorting page. Specify filter criteria as needed.

For more information: Creating and editing rules on page 33

Page 8: McAfee ePolicy 3, 3.5, 3.6 System Compliance Profiler

Running rules only when specific applications are present

Current release: Set conditions to evaluate certain rules only if a specified application is present on the computer. For example, if you have a group of rules that scan for Microsoft Exchange Server 2000 patches, you can set a condition to evaluate these rules only if Exchange Server 2000 is actually installed on the computer.

Benefits: Improves performance by running only those rules that are relevant for the software installed on a given computer. It also eliminates the false positive violations that are generated when a scan does not find a patch on that computer because the relevant software is not installed.

Where to find: The Edit Group page contains an Application rule drop-down list. Select an application from this list to test for on the computer before running the rule or rule group.

For more information: Creating and editing rules on page 33

Improved rules interface and features

Current release: This release contains several new features to improve the usability and interface of the policy pages:

All user-defined custom rules are stored in a Custom Rules group in the Rules list.

Right-click copy feature has a new Copy to Custom Rules feature to allow you to easily copy any pre-defined rule to the custom rules folder so you can customize it.

New Description text box in the Edit Group page allows you to modify rule group descriptions to suit your needs.

Summary View and Advanced View buttons to toggle Rules list between showing and hiding rule details.

Benefits: Improved usability and interface make it easier to work with rules.

Where to find: The main System Compliance Profiler | Rules policy page.

For more information: Chapter 4, Using compliance rules and scans

Page 9: McAfee ePolicy 3, 3.5, 3.6 System Compliance Profiler

More flexibility and granularity for defining rules

Current release: This release includes additional criteria for using file matching rules:

File age by the time it was last modified.

File size.

File version can be less than or equal to, or greater than or equal to, a specified value.

Registry key values can be less than or equal to, or greater than or equal to, a specified value.

Registry key is in HKEY_LOCAL_MACHINE.

Benefits: Define more focused and flexible rules.

Where to find: The Edit Rule page. To get here:

1 In the ePolicy Orchestrator console, go to System Compliance Profiler | Rules policy page.

2 Select any rule in your Custom Rules list.

3 Click Edit.

For more information: Chapter 4, Using compliance rules and scans

Page 10: McAfee ePolicy 3, 3.5, 3.6 System Compliance Profiler

Use ePolicy Orchestrator pull tasks to update predefined McAfee rules automatically

Current release: ePolicy Orchestrator updates the pre-defined McAfee rules automatically with source repository pull tasks. This uses the same automated update architecture that ePolicy Orchestrator uses to update DAT anti-virus signatures, anti-virus engines, and Desktop Firewall IDS signatures.

Once the repository has been updated, use a replication task to copy the rule updates to any distributed repositories, then run an ePolicy Orchestrator Agent Update client task to update client rules.

Benefits: Using regularly scheduled Repository Pull tasks to update pre-defined rules means System Compliance Profiler is scanning with the most up-to-date rules.

Where to find: In the ePolicy Orchestrator console, select Repository from the console tree to find the Pull Now or New Pull Task features.

For more information: Update pre-defined System Compliance Profiler rules from McAfee on page 43

See the ePolicy Orchestrator Product Guide for more information on pull tasks and agent update client tasks.

Use wildcards when matching filenames and registry keys in compliance rules

Current release: You may use wildcards to match a file name or registry key. The ? wildcard matches a single character. The * wildcard matches any number of characters.

Benefits: Using wildcards in your rules can help make sure the rule can account for small variations in file names or registry keys.
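The rule features described in this chapter (wildcard matching, version comparison, registry-resolved file paths, application-conditioned rules and reboot state awareness) can be modeled as follows. This is an added example, not McAfee code: the rule fields, result names and host inventory are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed inventory of one scanned host (all paths, versions and keys are made up).
HOST = {
    "files": {  # full path (lower case) -> file version
        r"c:\windows\system32\examplelib.dll": "6.0.2800.1106",
        r"c:\windows\system32\exampleshell.dll": "6.0.2900.2180",
        r"c:\program files\examplevendor\agent\agent1.exe": "1.0.0.5",
    },
    # Files scheduled to be replaced at the next reboot (patch applied, reboot pending).
    "pending_replace": {r"c:\windows\system32\examplelib.dll"},
    # HKEY_LOCAL_MACHINE values that hold an install directory.
    "registry": {r"SOFTWARE\ExampleVendor\Agent\InstallDir":
                 r"c:\program files\examplevendor\agent"},
}


@dataclass
class FileRule:                        # hypothetical rule layout, not the product's format
    name: str
    directory: str                     # literal directory, or an HKLM value name
    file_pattern: str                  # file name; may contain ? and *
    op: str                            # ">=" or "<="
    version: str
    directory_from_registry: bool = False
    app_pattern: Optional[str] = None  # evaluate the rule only if this file exists


def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Support only the two wildcards the guide names: ? (one char) and * (any run)."""
    body = re.escape(pattern.lower()).replace(r"\?", ".").replace(r"\*", ".*")
    return re.compile(body)


def find_files(pattern: str, host: dict) -> list:
    """Return the host's file paths that match the whole pattern, case-insensitively."""
    rx = wildcard_to_regex(pattern)
    return sorted(p for p in host["files"] if rx.fullmatch(p.lower()))


def parse_version(text: str) -> tuple:
    """Compare versions numerically: as strings, '999' would sort above '2180'."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def evaluate(rule: FileRule, host: dict) -> str:
    # Application condition: skip rules for software that is not installed,
    # which avoids a false-positive violation.
    if rule.app_pattern and not find_files(rule.app_pattern, host):
        return "NOT_APPLICABLE"
    directory = rule.directory
    if rule.directory_from_registry:
        directory = host["registry"].get(rule.directory)
        if directory is None:
            return "VIOLATION"         # assumption: an unresolved path counts as a violation
    matches = find_files(directory.rstrip("\\") + "\\" + rule.file_pattern, host)
    want = parse_version(rule.version)
    for path in matches:
        have = parse_version(host["files"][path])
        if (have >= want) if rule.op == ">=" else (have <= want):
            return "COMPLIANT"
    # Reboot state awareness: the violating file is already scheduled for replacement.
    if any(p in host["pending_replace"] for p in matches):
        return "VIOLATION_REBOOT_NEEDED"
    return "VIOLATION"


RULES = [
    FileRule("patched library", r"c:\windows\system32", "examplelib.dll", ">=", "6.0.2800.1400"),
    FileRule("shell library", r"c:\windows\system32", "exampleshell.dll", ">=", "6.0.2900.999"),
    FileRule("mail server patch", r"c:\program files\examplemail", "store.exe", ">=", "6.0.1.0",
             app_pattern=r"c:\program files\examplemail\store.exe"),
    FileRule("agent build", r"SOFTWARE\ExampleVendor\Agent\InstallDir", "agent?.exe", ">=",
             "1.0.0.9", directory_from_registry=True),
]


def scan(host: dict, rules: list) -> dict:
    """Evaluate every rule against one host and return rule name -> result."""
    return {rule.name: evaluate(rule, host) for rule in rules}


if __name__ == "__main__":
    for name, result in scan(HOST, RULES).items():
        print(f"{name:20} {result}")
```

The second rule shows why versions must be compared field by field: a plain string comparison would rank 6.0.2900.999 above 6.0.2900.2180 and report a false violation.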

Page 11: McAfee ePolicy 3, 3.5, 3.6 System Compliance Profiler

Where to find: The Edit Rule page. To get here:

1 In the ePolicy Orchestrator console, go to System Compliance Profiler | Rules policy page.

2 Select any rule in your Custom Rules list.

3 Click Edit.

For more information: Defining criteria for rules on page 34

See the ePolicy Orchestrator Product Guide for more information on pull tasks and agent update client tasks.

How System Compliance Profiler works with ePolicy Orchestrator

This section provides a brief overview of how System Compliance Profiler works within ePolicy Orchestrator. Refer to other chapters of this guide for more details on each of these aspects.

This section includes the following topics:

At a glance: System Compliance Profiler and ePolicy Orchestrator

Accessing System Compliance Profiler through the ePolicy Orchestrator console

At a glance: System Compliance Profiler and ePolicy Orchestrator

Use ePolicy Orchestrator to configure and manage the System Compliance Profiler software. The basic steps involved are:

1 Add System Compliance Profiler to your ePolicy Orchestrator server repository if you are using ePolicy Orchestrator 3.0.x.

Before you can use the two products together, you must add the System Compliance Profiler NAP, deployment packages and reports to the ePolicy Orchestrator Repository. For details, see Adding System Compliance Profiler to the ePolicy Orchestrator server on page 20.

Note: This step is only required if you are running ePolicy Orchestrator 3.0.x. The System Compliance Profiler NAP, deployment package, and reports are installed by default with ePolicy Orchestrator 3.5 and 3.6.

2 Deploy System Compliance Profiler to client computers.

Use the ePolicy Orchestrator console to deploy System Compliance Profiler to computers in your Directory console tree. You must deploy the software to each computer that you want to scan.

Page 12: McAfee ePolicy 3, 3.5, 3.6 System Compliance Profiler

3 Configure System Compliance Profiler policies and scans.

Once your System Compliance Profiler system is set up, you can start scanning computers for files, services, patches, and registry keys. To do this, you first set up rules in ePolicy Orchestrator. These rules make up your policies. Once you finish defining policies for different users, you set up System Compliance Profiler scan tasks. Scan tasks are instructions that ePolicy Orchestrator sends to computers running System Compliance Profiler. You can scan individual computers, or groups of computers. You can also schedule scans to occur at specific times.

4 System Compliance Profiler runs scans on client computers.

ePolicy Orchestrator sends the scan tasks to computers running System Compliance Profiler. At the scheduled time, these computers run the scans that you specified, collect the scan results, and transmit them to ePolicy Orchestrator.

System Compliance Profiler scans do not require many local or network resources. While the exact amount of network traffic will vary based on how many rules a given computer receives, the average bandwidth requirement is approximately 200 bytes per rule.

5 Run reports in ePolicy Orchestrator to view scan results.

Once ePolicy Orchestrator receives scan results from System Compliance Profiler, it adds the information to its database. After the results are stored, you can use the ePolicy Orchestrator console to run reports that list any vulnerabilities that System Compliance Profiler found.

Accessing System Compliance Profiler through the ePolicy Orchestrator console

You use the ePolicy Orchestrator console to access and configure System Compliance Profiler. To accomplish this, the console includes three areas, presented as tabs on the details pane:

The Policies tab, where you create your System Compliance Profiler rules.

The Tasks tab, where you create and schedule System Compliance Profiler on-demand scan tasks.

The Reports area, where you generate reports based on System Compliance Profiler scan results.

The System Compliance Profiler policy pages

Manage policies for System Compliance Profiler just as you would for any other security product managed by ePolicy Orchestrator.

Policies are the rules that you define for each computer scanned by System Compliance Profiler. You use the ePolicy Orchestrator console to configure the policies for how you want to scan selected computers using System Compliance Profiler rules. The ePolicy Orchestrator agent on the client computer where System Compliance Profiler is installed collects these policy updates at regular intervals. You then configure scan tasks to run on the clients using the policies you specify.

Note: If you are using ePolicy Orchestrator 3.0.x, the policy pages for System Compliance Profiler 1.1 are not installed by default. See Chapter 2, Adding System Compliance Profiler to ePolicy Orchestrator.

Page 13: McAfee ePolicy 3, 3.5, 3.6 System Compliance Profiler

To access the System Compliance Profiler policy pages:

1 Select the Directory, or a site, group, or computer node in the Directory tree.

2 In the details pane, click the Policies tab.

3 Expand the policy list to System Compliance Profiler 1.1 | Rules, then click the policy name.

4 View the policy pages in the lower details pane.

The Rules page lets you enable and disable configured rules, create and edit customized rules, and update pre-defined McAfee rules from the McAfee web site.

Use client tasks to configure on-demand scans on client computers

The System Compliance Profiler policy pages (NAP file) include an on-demand scan task for creating and scheduling scan tasks on client computers. When you check the NAP file into the master repository on the ePolicy Orchestrator server, the System Compliance Profiler on-demand scan task is available in the list of available client scan tasks.

To access the System Compliance Profiler on-demand scan task:

1 Select the Directory, or a site, group, or computer node in the console tree.

2 In the details pane, click the Tasks tab.

3 Right-click the details pane and select Schedule Task.

4 From the Schedule Task page, select System Compliance Profiler 1.1 On-Demand Scan.

Figure 1-1 The System Compliance Profiler Rules policy page

Page 14: McAfee ePolicy 3, 3.5, 3.6 System Compliance Profiler

Run System Compliance Profiler reports

To see the results of your System Compliance Profiler scans, generate reports in ePolicy Orchestrator. System Compliance Profiler automatically adds its custom reports to the Reporting area of the ePolicy Orchestrator console when you install the software. For more information on these reports, see Working with Scan Results on page 46.

Using this guide

This guide provides information on configuring and using your product.

Audience

This information is intended primarily for network administrators who are responsible for their company’s anti-virus and security program.

Conventions

This guide uses the following conventions:

Bold Serif: All words from the user interface, including options, menus, buttons, and dialog box names.

Example: Type the User name and Password of the desired account.

Courier: The path of a folder or program; a web address (URL); text that represents something the user types exactly (for example, a command at the system prompt).

Examples:

The default location for the program is: C:\Program Files\Network Associates\VirusScan

Visit the McAfee Security web site at: http://www.mcafeesecurity.com

Run this command on the client computer: C:\SETUP.EXE

Italic: For emphasis or when introducing a new term; for names of product documentation and topics (headings) within the material.

Example: Refer to the VirusScan Enterprise Product Guide for more information.

<TERM>: Angle brackets enclose a generic term.

Example: In the console tree under ePolicy Orchestrator, right-click <SERVER>.

Note: Supplemental information; for example, an alternate method of executing the same command.

Tip: Suggestions for best practices and recommendations from McAfee Security for threat prevention, performance and efficiency.

Page 15: McAfee ePolicy 3, 3.5, 3.6 System Compliance Profiler

Resources Refer to these sections for additional resources:

Getting product information

Links from within the ePolicy Orchestrator console

Product services

Contact information

Getting product informationePolicy Orchestrator documentation — Product introduction and features, detailed instructions for configuring the software, information on deployment, recurring tasks, and operating procedures.

Help — High-level and detailed information accessed from the ePolicy Orchestrator console. Use the Help menu and/or Help button for page-level help.

Configuration Guide* — For use with ePolicy Orchestrator®. Procedures for configuring, deploying, and managing your McAfee Security product through ePolicy Orchestrator management software.

Release Notes‡ — ReadMe. Product information, resolved issues, any known issues, and last-minute additions or changes to the product or its documentation.

Contacts‡ — Contact information for McAfee Security services and resources: technical support, customer service, Security Headquarters (AVERT Anti-virus & Vulnerability Emergency Response Team), beta program, and training. This file also includes phone numbers, street addresses, web addresses, and fax numbers for company offices in the United States and around the world.

License* — The McAfee License Agreement booklet that includes all of the license types you can purchase for your product. The License Agreement sets forth general terms and conditions for the use of the licensed product.

Caution: Important advice to protect your computer system, enterprise, software installation, or data.

Warning: Important advice to protect a user from bodily harm when interacting with a hardware product.

ePolicy Orchestrator 3.6 Installation Guide.

ePolicy Orchestrator 3.6 Product Guide.

ePolicy Orchestrator 3.6 Reporting Guide.

ePolicy Orchestrator 3.6 Walkthrough Guide.

* An Adobe Acrobat .PDF file on the product CD or the McAfee Security download site.

^ A printed manual that accompanies the product CD. Note: Some language manuals may be available only as a .PDF file.

‡ Text files included with the software application and on the product CD.

Links from within the ePolicy Orchestrator console

The Start Page of the ePolicy Orchestrator console provides links to some useful resources:

Help Topics

Virus Information Library

Technical Support

Help Topics

Use this link to access the online Help topics for the product.

Virus Information Library

Use the Virus Information link to access the McAfee Anti-Virus & Vulnerability Emergency Response Team (AVERT) Virus Information Library. This web site has detailed information on where viruses come from, how they infect your system, and how to remove them.

In addition to genuine viruses, the Virus Information Library contains useful information on virus hoaxes, such as the virus warnings that you receive via e-mail. A Virtual Card For You and SULFNBK are two of the best-known hoaxes, but there are many others. Next time you receive a well-meaning virus warning, view our hoax page before you pass the message on to your friends.

To access the Virus Information Library:

1 Open the ePolicy Orchestrator console. The console opens to the Start Page in the details pane.

2 Select Virus Information.

Technical Support

Use the Technical Support for ePolicy Orchestrator link to access the McAfee PrimeSupport KnowledgeCenter Service Portal web site. Browse this site to view frequently asked questions (FAQs) and documentation, and to perform a guided knowledge search.

To access McAfee technical support:

1 Open the ePolicy Orchestrator console. The console opens to the Start Page in the details pane.

2 Select Technical Support for ePolicy Orchestrator.

3 Follow the directions on the web site.

Tip: If the product’s built-in help system (accessed from within the software by clicking the Help menu) displays incorrectly on your system, your version of Microsoft® Internet Explorer may not be using ActiveX controls properly. These controls are required to display the help file. Make sure that you install the latest version of Internet Explorer.

Product services

The following services are available to help you get the most from your McAfee products:

Beta program

HotFixes and Patches

Product “end-of-life” support

Beta program

The McAfee beta program enables you to try our products before full release to the public — you can learn about and test new features for existing products, as well as try out entirely new products. This program can help you test and implement updated and new features earlier, and in a safe environment. You get the chance to suggest new product features, as well as deal directly with McAfee engineering staff.

To find out more, visit:

http://www.mcafeesecurity.com/us/downloads/beta/mcafeebetahome.htm

HotFixes and Patches

HotFixes and Patches are released with updated files, drivers, executables, etc., between the major releases of a product. To access the latest HotFixes and Patches, visit:

http://www.mcafeesecurity.com/us/downloads/updates/hotfixes.asp

Product “end-of-life” support

Your anti-virus software must be kept up-to-date to remain effective against viruses and other potentially harmful software. It is important to update the virus definition (DAT) files regularly. To enable the software to counter the continuing threat, we often make architectural changes to the way that the DAT files and virus-scanning engine work together. It is therefore important that you update your engine when a new version is released. An older engine will not catch many of the new emerging threats.

When we release a new engine, we announce the date after which the existing engine will no longer be supported. For information on our product “end-of-life” policy and for a full list of supported engines and products, visit:

http://www.mcafeesecurity.com/us/products/mcafee/end_of_life.htm

Contact information

Technical Support

Home Page http://www.mcafeesecurity.com/us/support/technical_support

KnowledgeBase Search https://knowledgemap.nai.com/phpclient/homepage.aspx

PrimeSupport Service Portal * https://mysupport.nai.com

McAfee Beta Program

http://www.mcafeesecurity.com/us/downloads/beta/mcafeebetahome.htm

Security Headquarters — AVERT: Anti-virus & Vulnerability Emergency Response Team

Home Page http://www.mcafeesecurity.com/us/security/home.asp

Virus Information Library http://vil.nai.com

AVERT WebImmune, * Submitting a Sample

https://www.webimmune.net/default.asp

AVERT DAT Notification Service http://vil.mcafeesecurity.com/vil/join-DAT-list.asp

Download Site

Home Page http://www.mcafeesecurity.com/us/downloads/

DAT File and Engine Updates http://www.mcafeesecurity.com/us/downloads/updates/default.asp

ftp://ftp.mcafeesecurity.com/pub/antivirus/datfiles/4.x

Product Upgrades * https://secure.nai.com/us/forms/downloads/upgrades/login.asp

Training

On-Site Training http://www.mcafeesecurity.com/us/services/security/home.htm

McAfee University http://www.mcafeesecurity.com/us/services/education/mcafee/university.htm

Customer Service

E-mail https://secure.nai.com/us/forms/support/request_form.asp

Web http://www.mcafeesecurity.com/us/index.asp

http://www.mcafeesecurity.com/us/support/default.asp

US, Canada, and Latin America toll-free: +1-888-VIRUS NO or +1-888-847-8766

Monday – Friday, 8 a.m. – 8 p.m., Central Time

For additional information on contacting McAfee — including toll-free numbers for other geographic areas — see the Contact file that accompanies this product release.

* Logon credentials required.

2 Adding System Compliance Profiler to ePolicy Orchestrator

Manually add the NAP file and deployment package to the repository

This section describes how to add the System Compliance Profiler 1.1 deployment package and NAP file to the ePolicy Orchestrator software repository. You must add both of these to your ePolicy Orchestrator repository to be able to deploy and manage System Compliance Profiler with ePolicy Orchestrator.

What’s in this chapter

This chapter contains the following topics:

ePolicy Orchestrator 3.0.x requirements

Adding System Compliance Profiler to the ePolicy Orchestrator server

Upgrading System Compliance Profiler from version 1.0

Removing System Compliance Profiler from the ePolicy Orchestrator server

ePolicy Orchestrator 3.0.x requirements

This chapter assumes that you have already installed the ePolicy Orchestrator server and console. The System Compliance Profiler user interface installs and runs on an ePolicy Orchestrator server version 3.0.x or higher. You access it using the ePolicy Orchestrator console. For more information on these processes, see the ePolicy Orchestrator Product Guide.

If you are running ePolicy Orchestrator 3.0.2, install patch 6

You must install patch 6 for ePolicy Orchestrator 3.0.2 to be able to run System Compliance Profiler 1.1. If you are running ePolicy Orchestrator 3.0.0 or 3.0.1, System Compliance Profiler 1.1 works without requiring any patches or other updates.

Note: Refer to this chapter only if you are running System Compliance Profiler 1.1 with ePolicy Orchestrator 3.0.x. The System Compliance Profiler 1.1 deployment package, NAP file, and reports are installed automatically when you install the ePolicy Orchestrator 3.5 or 3.6 server and console. If you are using ePolicy Orchestrator 3.5 or 3.6, you can skip this chapter.

Configure firewall ports for System Compliance Profiler communication

If you intend to communicate through a firewall with computers running System Compliance Profiler, you must also configure ports 80 and 8081 to allow traffic between your ePO agents and your server. These are the default ports for those components. If you selected different ports during your ePolicy Orchestrator installation, configure your firewall to allow those ports instead.

Adding System Compliance Profiler to the ePolicy Orchestrator server

This section covers adding the System Compliance Profiler deployment package, NAP file policy pages, and reports to the ePolicy Orchestrator server. You must perform these steps to deploy and manage System Compliance Profiler with ePolicy Orchestrator.

It does not cover deploying the System Compliance Profiler to client computers in your network. For details on how to do that, see Chapter 3, Deploying the System Compliance Profiler client scanner.

To add System Compliance Profiler to your ePolicy Orchestrator server:

1 Retrieve the PKGCATALOG.Z and PATCH1100.NAP files.

2 Add the deployment package to the master repository.

3 Add the NAP policy pages to the server.

Retrieve the PKGCATALOG.Z and PATCH1100.NAP files

The PKGCATALOG.Z deployment package and PATCH1100.NAP policy files are included in the System Compliance Profiler 1.1 installation files from McAfee. You can find these installation files either on your product CD or on the McAfee web site.

Retrieve the files, either from the product CD or McAfee web site, and save them to a temporary folder on your ePolicy Orchestrator server.

Add the deployment package to the master repository

1 Log on to the ePolicy Orchestrator console.

2 Select Repository from the console tree.

3 In the details pane under AutoUpdate tasks, click Check in package.

4 Follow the ePolicy Orchestrator wizard instructions. When prompted:

a Select Products or updates as the package type.

b Navigate to the System Compliance Profiler/Product directory and select PkgCatalog.z as the package name.

5 After finishing the check-in wizard, wait while the deployment package is added to the repository.

Add the NAP policy pages to the server

1 Select Repository from the console tree, and under AutoUpdate tasks click Check in NAP.

2 Follow the wizard instructions. When prompted:

a Select Add new software to be managed as the task type.

b Select Patch1100.nap as the file name.

3 After finishing the check-in wizard, wait while the NAP is added to the repository.

Add System Compliance Profiler reports to the database

Check in the extended reporting NAP file to add System Compliance Profiler reports to the ePolicy Orchestrator reporting database. This will allow you to run reports in ePolicy Orchestrator on the System Compliance Profiler scan results.

To check in the extended reporting NAP:

1 Select Repository from the console tree, and click Check in NAP.

2 Follow the wizard instructions. When prompted:

a Select Add new reports as the task type.

b Select Patch_Reports.nap as the file name.

3 After finishing the check-in wizard, wait while the NAP is added to the repository.

System Compliance Profiler is now stored in the Repository. You must also deploy the System Compliance Profiler software to your ePolicy Orchestrator server before running any scans. See Removing System Compliance Profiler from the ePolicy Orchestrator server on page 22 for details.

You can verify that the System Compliance Profiler software is in ePolicy Orchestrator’s Repository by selecting any computer, group, or site from the console tree. Click the Policies tab to make it active. System Compliance Profiler should appear in the list of available software.

Upgrading System Compliance Profiler from version 1.0

If you are already using System Compliance Profiler 1.0 with ePolicy Orchestrator 3.0.x, you can easily upgrade to version 1.1 without losing any of your custom rules created in version 1.0.

To upgrade to System Compliance Profiler 1.1 over an existing 1.0 version:

1 Retrieve the 1.1 installation files, either from your product CD or McAfee download site.

2 Check in the System Compliance Profiler 1.1 NAP and deployment package following the instructions in this chapter.

Tip: Do not first remove the 1.0 NAP from the ePolicy Orchestrator server! Any custom rules you have defined in System Compliance Profiler 1.0 will be automatically copied to version 1.1 when you install the 1.1 NAP. This way, you won’t lose any custom rules you have created.

After you have completed the upgrade to version 1.1, you can remove the 1.0 NAP from the repository.

3 Edit the default deployment task to Install the System Compliance Profiler 1.1, and set the action for System Compliance Profiler 1.0 to Ignore, to have ePolicy Orchestrator install version 1.1 on client computers in your network. The installer for SCP 1.1 will automatically upgrade SCP 1.0 installations to SCP 1.1 on clients.

Note that when you are finished, there will be two entries in the Policy tab on the ePolicy Orchestrator console, one for version 1.0 and one for version 1.1. This is similar to the way ePolicy Orchestrator can contain NAP files for multiple versions of other products, such as VirusScan Enterprise. As you begin working with System Compliance Profiler 1.1, be sure to make additional policy changes only in the System Compliance Profiler 1.1 policy pages. In fact, after you have fully installed and deployed version 1.1, you may want to remove the 1.0 NAP file from the ePolicy Orchestrator repository to avoid confusion.

Removing System Compliance Profiler from the ePolicy Orchestrator server

This section covers removing the System Compliance Profiler deployment package, NAP file, and reports from the ePolicy Orchestrator master repository. It does not cover removing System Compliance Profiler from any client computers to which you have deployed it. For details on how to do that, see Removing System Compliance Profiler from clients on page 27.

Removing the System Compliance Profiler NAP from the ePolicy Orchestrator server

1 Start the ePolicy Orchestrator console and log on to your server.

2 If necessary, expand this server’s icon in the console tree to see the Repository icon.

3 Expand Repository to see its contents.

4 Expand Managed Products, then Windows.

5 Right-click System Compliance Profiler and select Remove.

6 Click Yes when ePolicy Orchestrator asks whether to remove the software.

7 Click OK.

Removing the System Compliance Profiler deployment package from the ePolicy Orchestrator repository

1 Start the ePolicy Orchestrator console and log on to your server.

2 In the console tree, go to Repository | Software Repositories | Master to view the contents of the master repository.

3 In the details pane of the console, scroll through the Packages table to locate the System Compliance Profiler deployment package. The Name is System Compliance Profiler and the Type is Install.

4 Select the deployment package and select Delete.

If you are using distributed repositories, be sure to replicate the change to your distributed repositories so ePolicy Orchestrator can delete the package from them as well.

Removing System Compliance Profiler reports

1 Start ePolicy Orchestrator.

2 Expand Reporting to see its contents.

3 Expand Report Repository.

4 Locate and right-click System Compliance Profiler.

5 Click Remove.

6 Click Yes when ePolicy Orchestrator asks whether to remove the reports.

3 Deploying the System Compliance Profiler client scanner

Use the ePolicy Orchestrator deployment task to install System Compliance Profiler on client computers

This chapter describes the process for deploying System Compliance Profiler 1.1 to client computers. You must deploy System Compliance Profiler to any computer that you want to scan for patch compliance—the software can only scan locally on the same computer on which it is installed.

What’s in this chapter

System requirements

Using ePolicy Orchestrator to deploy System Compliance Profiler

Installing System Compliance Profiler manually on clients

Removing System Compliance Profiler from clients

System requirements

The System Compliance Profiler client scanner only functions as part of an ePolicy Orchestrator deployment, and therefore will only be installed on computers running an ePolicy Orchestrator agent. Computers running an agent already meet the minimum system requirements for the System Compliance Profiler client scanner. Refer to the ePolicy Orchestrator documentation for details on the system requirements for the agent.

Using ePolicy Orchestrator to deploy System Compliance Profiler

Deploying System Compliance Profiler involves installing scanning software on remote computers. This software receives the rules and policy information that you set up in ePolicy Orchestrator, runs the tasks that you schedule, and reports back with any results.

Note: If you intend to communicate through a firewall with computers running System Compliance Profiler, you must also configure ports 80 and 8081 to allow traffic between your ePO agents and your server. These are the default ports for those components. If you selected different ports during your ePolicy Orchestrator installation, configure your firewall to allow those instead.

About using the ePolicy Orchestrator Deployment task

The ePolicy Orchestrator agent uses the default deployment task to deploy, or install, client software such as VirusScan Enterprise, Desktop Firewall, or System Compliance Profiler on computers in your network. The following System Compliance Profiler deployment instructions assume that you have:

Installed ePolicy Orchestrator server and console.

Populated the ePolicy Orchestrator Directory with all of the sites, groups, and computers to which you plan to deploy System Compliance Profiler.

Deployed ePolicy Orchestrator agents to any computers where you plan to install System Compliance Profiler.

For more information on these processes, see the ePolicy Orchestrator Product Guide.

Enabling System Compliance Profiler deployment

1 In your ePolicy Orchestrator console, select Directory from the console tree.

ePolicy Orchestrator expands the Directory to show all the sites, groups, and computers that it currently manages.

2 Select a site, group, or computer to which you want to deploy System Compliance Profiler.

3 In the upper details pane, click Tasks to display that tab.

ePolicy Orchestrator lists all the tasks for this site, group, or computer.

4 Double-click the Deployment task to open the ePolicy Orchestrator Scheduler dialog box.

5 On the Task tab, click Settings to open the Task Settings dialog box.

6 If necessary, deselect the Inherit checkbox.

Caution: If you are using System Compliance Profiler with ePolicy Orchestrator 3.0.x, you must deploy the System Compliance Profiler scanner to the ePolicy Orchestrator server itself. If you do not, reporting does not function properly. This is not required for ePolicy Orchestrator 3.5 or 3.6, although you will most likely want to install System Compliance Profiler on your server anyway.

7 In the Product deployment options list, locate System Compliance Profiler.

8 Select Install from the Action list.

Set any products that you do not want to deploy to Ignore.

9 Click OK to return to the ePolicy Orchestrator Scheduler dialog box.

Now that you have configured this task to deploy System Compliance Profiler, create a schedule for the task.

Creating a schedule for the Deployment task

1 In the ePolicy Orchestrator Scheduler dialog box, click Task to display that tab.

2 In the Schedule Settings area, deselect Inherit.

3 Select Enable to make the task active.

4 Click the Schedule tab.

5 Deselect the Inherit checkbox, then set up the time when you want the System Compliance Profiler software deployed.

To deploy the software immediately, select Run Immediately from the Schedule Task list. The deployment task will then run at the next ePO policy enforcement interval, or when you perform an agent wakeup call. For instructions, see the ePolicy Orchestrator Product Guide.

6 Click OK.

ePolicy Orchestrator deploys the System Compliance Profiler software to this site, group, or computer at the time you specified.

Figure 3-1 Configure the deployment task to install System Compliance Profiler

To verify that the System Compliance Profiler software deployed properly, select the name of the remote computer from the console tree. Select the Properties tab from the details pane. System Compliance Profiler should appear in the list of installed applications. (Allow enough time for the deployment task to run first.)

Installing System Compliance Profiler manually on clients

You don’t need to use ePolicy Orchestrator to deploy System Compliance Profiler to client computers. If you choose, you can use another method, such as installing it manually, installing it with a network login script, or using another third-party deployment tool.

To do this, you can run the PATCHSCANINSTALLER.EXE installer. You can either run this manually from the client computer where you want it to install, or you can distribute the installer for inclusion in login scripts or software deployment using other methods.

Where can I find the System Compliance Profiler installer?

If you downloaded System Compliance Profiler from the McAfee web site to run with ePolicy Orchestrator 3.0.x, you can find the PATCHSCANINSTALLER.EXE in the product download ZIP file.

If you are running ePolicy Orchestrator 3.5 or 3.6, you can find the PATCHSCANINSTALLER.EXE installer on your ePolicy Orchestrator server. By default, it is installed in the following folder for 3.5:

C:\Program Files\Network Associates\ePO\3.5.0\DB\Software\Current\PATCH__1100\Install\0000

And in the following folder for 3.6:

C:\Program Files\McAfee\ePO\3.6.0\DB\Software\Current\PATCH__1100\Install\0000

Running the System Compliance Profiler installer

When you execute PATCHSCANINSTALLER.EXE, System Compliance Profiler installs in silent mode. There is no installation interface or options to configure.

You can run PATCHSCANINSTALLER.EXE from the command line to uninstall System Compliance Profiler. To do this, run the executable with the /u command-line option, like this:

PATCHSCANINSTALLER.EXE /u

Removing System Compliance Profiler from clients

You can use the deployment task in the ePolicy Orchestrator console to remove System Compliance Profiler from client computers, or you can run the installer from the command line on the client system.

Using the deployment task to remove System Compliance Profiler

To use the ePolicy Orchestrator deployment task to remove System Compliance Profiler:

1 Start the ePolicy Orchestrator console and log on to your server.

2 In the console tree, expand the Directory and select the site, group, or computer from which you want to remove System Compliance Profiler.

3 In the ePolicy Orchestrator details pane, click the Tasks tab.

4 Right-click the Deployment task, then select Edit Task to open the ePolicy Orchestrator Scheduler dialog box.

5 On the Task tab, click Settings to open the Task Settings dialog box.

6 If necessary, deselect the Inherit checkbox.

7 In the Product deployment options list, locate System Compliance Profiler.

8 Select Remove from the Action list.

9 Click OK to return to the ePolicy Orchestrator Scheduler dialog box.

10 Click OK to save your changes.

ePolicy Orchestrator will remove the System Compliance Profiler clients at the time specified in the task. To change the task’s schedule, use the procedure outlined in Creating a schedule for the Deployment task on page 26.

Remove System Compliance Profiler with a command line

You can run PATCHSCANINSTALLER.EXE from the command line to uninstall System Compliance Profiler. To do this, PATCHSCANINSTALLER.EXE must be on the client computer. Run the executable with the /u command-line option, like this:

PATCHSCANINSTALLER.EXE /u

4 Using compliance rules and scans

Create rules and client on-demand scans to check compliance on client computers

This section describes how to use the ePolicy Orchestrator console to configure the System Compliance Profiler software to scan your network for system compliance.

What’s in this chapter

Overview of using compliance rules in on-demand scans

About System Compliance Profiler rules

Creating and editing rules

Using rules and rule groups for scanning

Scheduling System Compliance Profiler on-demand scan tasks

Update pre-defined System Compliance Profiler rules from McAfee

Overview of using compliance rules in on-demand scans

Once you have installed and deployed System Compliance Profiler, you can configure the policies, or rules, that the compliance scanner should use when it scans each computer. Then you can configure scans to run at scheduled times that scan computers for compliance or violation of the rules you specify.

Basically, the process involves:

1 Creating and editing rules that specify what you want System Compliance Profiler to scan for.

2 Scheduling System Compliance Profiler on-demand scan tasks in ePolicy Orchestrator, to make it enforce your System Compliance Profiler rules.

After you set up rules and run scans, you can run reports in ePolicy Orchestrator to see the results. See Working with Scan Results on page 46 for more information.

About System Compliance Profiler rules

System Compliance Profiler uses rules to determine what it should scan for on target computers. A rule is a set of conditions that the scanner looks for on client machines. Computers that meet these rules are compliant; those that do not are in violation of the rules.

You can create rules that scan for specific files, registry keys, services, or Microsoft patches. For example, you can use System Compliance Profiler rules to search for specific patches that have been released by Microsoft to see how many computers on your network have the latest and most important security patches installed.

How System Compliance Profiler on-demand scans use rules

In most cases you can specify whether the item should or should not exist on a target computer. For example, you could create a rule to tell System Compliance Profiler that the file sample.exe should not exist on a specific computer. In some cases you can specify a value that items need to match in some way. For example, you could check an application’s version number to make certain it is higher than 1.0. Rules describe what a target computer should have installed. If System Compliance Profiler finds that one of your rules does not apply — for example, an application is not installed where it should be — it considers this situation a rule violation.

Severity of rule violations

To help you distinguish between critical and less critical rule violations, rules have severity levels associated with them. When you create a new rule, you select Critical, Major, Minor, Warning, or Informational. If System Compliance Profiler finds a computer that doesn’t meet the criteria in your rule, it attaches your chosen severity level to the violation data and relays this to ePolicy Orchestrator. When you create compliance reports to see your System Compliance Profiler scan results, you can view and filter the results based on these severity levels.

File-based scanning and MD5 hashes

File-based System Compliance Profiler rules are useful for checking whether specific files exist, and at what version number. In some cases, however, you may need to scan files to verify that they have not been tampered with on target computers. System Compliance Profiler lets you do this by specifying an MD5 hash for scanned files.

An MD5 hash is a file’s digital signature. If anyone tampers with or changes the file, its digital signature changes. Copies of a file should have identical digital signatures.

In order to create an MD5-based rule, you must have an existing hash for the file you want to verify. You can use commonly available utilities to generate this digital signature (for example, Command Line Message Digest Utility, available from http://www.fourmilab.ch/md5). Once you have the hash, paste it into your file-based System Compliance Profiler rule. The software will compare it to copies of the file on scanned computers, and alert you if it finds any inconsistencies in the signatures.

Note

Non-compliant rule groups have a severity level associated with them in System Compliance Profiler reports. You do not specify this level when you create a group. Instead, ePolicy Orchestrator assigns the group a severity level when it generates a report. If more than one rule in the group failed, ePolicy Orchestrator uses the highest severity level of the failed rules. For example, if both a Minor rule and a Critical rule failed, ePolicy Orchestrator would list the group’s severity level as Critical in your reports.

Types of rules used by System Compliance Profiler

The main Rules page of the System Compliance Profiler NAP file contains the list of rules available.

Enable or disable any rule to include it in your scans

Including your rules in your on-demand compliance scans is easy: just enable any rules or rule groups you want to use in your scan by clicking in the appropriate checkbox. You can enable any combination of pre-defined rules and custom rules in this way.

There are several different types of rules in this list.

Pre-defined rules from McAfee

Custom rules you create yourself

Archived rules

Each of these is described below.

Pre-defined rules from McAfee

System Compliance Profiler 1.1 ships with a set of pre-defined rules for common types of patches and files that you will likely want to scan for on computers in your network. These include such things as all recent Windows security patches from Microsoft and common applications you may not want to allow on workstations in your network.

Figure 4-1 The main Rules page

Warning

In System Compliance Profiler 1.0, you could only enable pre-defined rules if you first copied them from the rule templates list to your active rules list. This is no longer necessary in version 1.1. You can enable any rule, either custom or pre-defined, simply by selecting it in the Rules list.

You only need to copy a pre-defined rule to your Custom Rules group if you want to edit it to create a custom rule from it.

You can enable these rules to include them in your client on-demand scans. You can also use them as templates for creating your own custom rules. To do this, you can copy any rule group or rule from any of the pre-defined rule groups into your Custom Rules folder and modify it as needed. While you can edit copies of the pre-defined rules in your Custom Folder, you cannot edit or delete any of the original pre-defined rules.

To copy a template, right-click its name and select Copy from the menu. This places all of the template’s data on your Windows Clipboard, in text-only format. You can then paste the template into another group, or into the System Compliance Profiler Rules list (which makes it an active rule), or share the template with other users by sending them the template data. You can also copy templates sent to you from other users, and import them into your existing Templates and Rules Archive list.

Custom rules you create yourself

If none of the pre-defined rules meet your needs, you can create custom rules yourself. To do this, you can either create a rule from scratch or copy a pre-defined rule into your Custom Rules folder and edit it.

Archived rules

You can archive your custom rules in this group. When you do this, this group contains archived copies of any custom rules that you have created and any rule sets you have saved. Saved rule sets are called archives. You can replace your current rule set with an archived rule set by clicking Activate.

Table 4-1 Pre-defined Rule Groups

Group name | Purpose
Security Patch Rules | Rules in this group test for the presence of recent Microsoft security patches, hotfixes, and service packs.
Infection Rules | These templates provide guides for detecting viruses and similar malicious applications. These complement, but do not replace, dedicated anti-virus software.
Application Rules | Templates in this group provide guides for detecting software that should, or should not, be allowed on network computers.
Misc Rules | This group contains templates that do not fit any of the other default template groups.

About rule groups

All rules are organized in rule groups. When you create custom rules, you must first create a rule group container for them. Rule groups are logical collections of rules that System Compliance Profiler can test for together. You can enable rule groups to enable all the child rules within that group.

You can configure a rule group so that all child rules must match for the system to be compliant with the rule group. Alternatively, you can configure it so that a match on any one of the child rules makes the system compliant with the rule group.

Use the All rules are true or Any rules are true options to specify which child rules of the group must be true for the system to be compliant with the rule group.

Creating and editing rules

You can create new custom rules in your Custom Rules folder, or you can open any custom rule you have already created and edit it.

Figure 4-2 Rules are organized into groups (folders)

Figure 4-3 Create groups for similar rules

Creating, editing and deleting rules

Defining criteria for rules

Creating, editing and deleting rules

From the list of rules on the main Rules policy page, you can create new rules, or edit and delete existing ones. You can only do this for rules in your Custom Rules folder. You cannot create or edit rules in any of the pre-defined rule groups.

Creating a new rule

1 On the System Compliance Profiler Rules page, right click a group in the Custom Rules group and select Add Rule.

2 Enter rule criteria in the Add Rule page.

3 Click OK to save the changes to the rule.

4 Click Apply at the top of the page to save your policy changes.

Edit an existing rule

1 On the System Compliance Profiler Rules page, right click an existing rule in the Custom Rules group and select Edit.

2 Make changes to the rule criteria in the Edit Rule page.

3 Click OK.

4 Click Apply at the top of the page to save your policy changes.

Delete an existing rule

1 On the System Compliance Profiler Rules page, highlight an existing rule in the Custom Rules group by clicking on it once.

2 Click the Delete button.

3 Click Apply at the top of the page to save the policy change.

Defining criteria for rules

Use the Add Rule page, or the Edit Rule page for existing rules, to specify the criteria for the rule. The interfaces of the Add Rule and Edit Rule pages are very similar. This section discusses the Add Rule page for adding rules, but much of this explanation also holds for editing existing rules in the Edit Rule page.

The criteria can include which versions of Windows to test for, and whether to test for specific files in specific folders, specific registry keys and registry key values, or the presence of a specific Microsoft patch.

All rules have the basic criteria of name, severity, and operating system. In addition, you can specify that the rule test for the existence (or nonexistence) of one of the following:

A file

A registry key

A Microsoft patch

An NT service

Each of these is covered in greater detail in the sections that follow.

Figure 4-4 Enter rule criteria in the Add Rule or Edit Rule page

Basic Criteria: severity and operating system

Table 4-2

Field | Description
Name of rule | Type a descriptive name for the rule in this field. This is how the rule displays in the rule list. Creating a meaningful name that describes what the rule is designed to scan for makes reading your System Compliance Profiler reports easier. For example, use “MS Outlook RegKey” for a rule that scans for Microsoft Outlook registry keys.
Severity | Specify a severity for the event that will be generated when a computer is found to be non-compliant with the rule. These severity levels are the same as for other ePolicy Orchestrator events: Critical, Major, Minor, Warning, and Informational. Severity level is a mechanism for determining how and when events, in this case scan results of rule violations, are sent by the ePolicy Orchestrator agent back to the server. You can also use severity to filter your compliance reports. Note: Consider how you have your ePolicy Orchestrator agent policies configured for sending events back to the ePolicy Orchestrator server. By default, the agent forwards Critical events immediately to the server; events of all other severity types are saved by the agent and sent to the server at the agent’s regular ASCI. Unless you change your default settings, it may take some time for non-critical scan results to be sent back to the server.
Operating System | Specify which operating systems the current rule pertains to. For example, if a certain registry key or Microsoft patch exists only with certain versions of Windows, you can deselect the Windows versions that don’t apply. Some scans only work on certain operating systems. As a result, if you select Match a Microsoft patch or Match a service, then System Compliance Profiler automatically deselects Windows 98 and Windows ME.

Matching a file

Select a basic root directory from the File path list, and enter any additional subdirectory names in the text box to complete the path.

Enter the file name you want to scan for in the File name text box. You may use wildcards to match a file name. The ? wildcard matches a single character. The * wildcard matches any number of characters.

From the remaining list, select a matching strategy for the rule (for example, File exists or Version is equal to). If necessary, enter an appropriate value in the associated text field.

When matching a version number, the software only accepts numbers and points (e.g., “1.0.1”). You cannot enter characters (e.g., “1a”).

Matching a registry key

Select a basic key root from the Registry key list, and enter any additional key names in the text box to complete the path.

Enter the name of the key value you want to scan for in the Value name text box.

From the remaining list, select a matching strategy for the rule (for example, Registry key exists or Data is equal to). If necessary, enter an appropriate value in the associated text field.

When matching using “less than,” “greater than,” or “equal to” operators, you can only match DWORD and String values. You may use wildcards for the value if you use the “equal to” operator. The ? wildcard matches a single character. The * wildcard matches any number of characters.
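The matching behaviour described for file and registry rules (the ? and * wildcards, versions made of numbers and points) and the MD5 comparison from the file-based scanning section can be reproduced offline to check a rule's values before entering them. The Python below is an added example, not McAfee code: case-insensitive matching, * matching zero or more characters, and zero-padding of shorter versions are assumptions, and because MD5 is not collision-resistant it also returns a SHA-256 digest for your own baseline.

```python
import hashlib
import re
import tempfile
from pathlib import Path

VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text):
    """Accept digits and points only ("1.0.1"); reject values such as "1a"."""
    if not VERSION_RE.fullmatch(text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def compare_versions(found, wanted):
    """Return -1, 0 or 1. Fields compare as integers, so 1.10 > 1.9.
    Assumption: a shorter version is padded with zeros (1.0 == 1.0.0)."""
    a, b = parse_version(found), parse_version(wanted)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return (a > b) - (a < b)


def name_matches(pattern, name):
    """? matches one character, * any run of characters; all else is literal.
    fnmatch is avoided because it also gives [ ] a special meaning.
    Assumption: matching is case-insensitive, as Windows file names are."""
    regex = "".join(
        "." if ch == "?" else ".*" if ch == "*" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, name, re.IGNORECASE | re.DOTALL) is not None


def file_digests(path, chunk_size=65536):
    """Hash a file in chunks; returns (md5_hex, sha256_hex)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def audit_directory(directory, pattern, expected_md5):
    """Compare every file whose name matches the pattern with the rule's hash."""
    expected = expected_md5.strip().lower()
    results = {}
    for entry in sorted(Path(directory).iterdir()):
        if entry.is_file() and name_matches(pattern, entry.name):
            md5_hex, _ = file_digests(entry)
            results[entry.name] = "match" if md5_hex == expected else "mismatch"
    return results


def demo():
    """Constructed files in a temporary directory stand in for a scanned host."""
    reference = b"abc"  # constructed stand-in for the known-good file contents
    expected = hashlib.md5(reference).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sample.exe").write_bytes(reference)
        (root / "sample1.exe").write_bytes(reference + b"\x00")  # altered copy
        (root / "notes.txt").write_bytes(reference)  # name does not match
        return audit_directory(root, "sample*.exe", expected)


if __name__ == "__main__":
    print(compare_versions("6.0.3790.0", "1.0"))
    print(demo())
```

Comparing versions as text would rank "1.9" above "1.10"; the field-by-field integer comparison avoids that.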

Match a Microsoft patch

Enter the patch’s unique Microsoft identifier in the Patch name text box. This value should begin with either Q... or KB... (for example, KB824141).

Match a service

Enter the name of the service in the Service name text box. Some common services that you might want to search for include:

IIS Admin Service

Internet Connection Sharing

Telnet

WWW Publishing Service

From the remaining list, select a matching strategy for the rule (for example, Service is running).

Using rules and rule groups for scanning

Topics covered in this section are:

Enabling and Disabling rules and rule groups

Using pre-defined rules as templates for custom rules

Copying rules or groups from one custom group to another

Importing and exporting rules to and from plain text

Archiving your custom rules for later use

Enabling and Disabling rules and rule groups

The Rules page lists all of the custom and pre-defined rules that exist for your installation of System Compliance Profiler. Just because they’re in this list, however, doesn’t mean that an SCP on-demand scan on a client computer can use them. You first have to enable the rules you want the on-demand client scan task to test for.

All rules are disabled by default, and you must enable those rules that you want your System Compliance Profiler scan task to scan for. You can enable and disable individual rules, or rule groups, in the rule list so that System Compliance Profiler only applies the rules that you consider appropriate at a given time.

Enable both pre-defined or custom rules

While you can only edit or delete your own custom rules and rule groups, you can enable or disable any rule or rule group, either custom or pre-defined.

Enable and disable rules by selecting them in the list

To enable a rule:

1 From the Rules page of the System Compliance Profiler policy page, select a rule or group in the list so that its checkbox shows as checked. To enable every rule in a group, select the rule group, which enables all the child rules.

2 Click Apply to save your policy changes.

The changes to enabled rules will be passed to the System Compliance Profiler scanner on each client computer when the ePolicy Orchestrator agent for that computer calls into the server at its next ASCI. The newly enabled rules are used by the on-demand scan the next time that scan is scheduled to run.

Using pre-defined rules as templates for custom rules

You can copy any existing pre-defined rule or rule group into your Custom Rules group and edit it there. This can save you time over creating a rule from scratch.

To do this:

1 On the System Compliance Profiler Rules tab, deselect Inherit if necessary.

2 In the list of pre-defined rules, select Copy to | Custom Rules.

The rule or rule group is added to your Custom Rules group.

3 Open the copy of the rule in your Custom Rules folder and edit it as needed.

4 Click Apply to save the policy changes.

Copying rules or groups from one custom group to another

You can also move rules and groups around in your Custom Rules folder. For example, you may want to move a rule from one group to another. Use the Copy to Clipboard feature to copy and paste rules from one group to another.

To do this:

1 On the System Compliance Profiler Rules tab, deselect Inherit if necessary.

2 Right-click the rule or group you want to copy and select Copy to | Clipboard.

3 Select a target group to which to add the copied rule or group.

4 Right-click the target group and select Paste.

5 Click Apply to save the policy changes.

Importing and exporting rules to and from plain text

In addition to using the Copy to Clipboard feature to paste copied rules or groups into other rule groups in your Custom Rules folder, you can also paste the rules into text files or e-mail messages. This allows you to share your System Compliance Profiler rules and rule groups with other users, for example another ePolicy Orchestrator administrator.

You can also import other rules by pasting text rules into your System Compliance Profiler rule list in the ePolicy Orchestrator console.

To export a rule or group to a text file

1 On the System Compliance Profiler Rules tab, deselect Inherit if necessary.

2 Right-click the rule or group you want to export and select Copy to | Clipboard.

3 Open a text editor or e-mail message (or any Windows application field that accepts pasted text from the Windows Clipboard).

4 Paste the rule from the clipboard by using Ctrl-V or other Windows paste command.

In text format, exported rules look something like this, beginning with a BEGIN COPIED RULES header and ending with END COPIED RULES:

--- BEGIN COPIED RULES ---
RuleLabel_0=MS02-055 Unchecked buffer in Windows
RuleEnabled_0=true
RuleGroup_0=false
RuleType_0=2
...
RulePath_1_1=Internet Explorer
RuleName_1_1=iexplore.exe
RuleCompare_1_1=1
RuleValue_1_1=6.0.3790.0
--- END COPIED RULES ---

Import a text-based rule or group into System Compliance Profiler

You can also view your copied rule or template text in any application that accepts plain text. Valid data starts with “--- BEGIN COPIED RULES ---” and finishes with “--- END COPIED RULES ---”. Make certain that you include these lines when you import or export data, or your selected rules or templates will not work properly.

To import a plain text rule:

1 Obtain a text version of the rule or template that you wish to use.

Note

While you can view, copy, and paste text versions of your rules and templates, System Compliance Profiler does not support editing them in text form. To edit a rule or template, paste its text into System Compliance Profiler, and then modify the resulting rule or template using the software’s Edit Rule page.

2 Select and copy the rule text, including the “--- BEGIN COPIED RULES ---” and “--- END COPIED RULES ---” lines.

3 On the System Compliance Profiler Rules tab in the ePolicy Orchestrator console.

4 Navigate to the group where you want to import the data.

5 Right-click the group name, and click Paste.

System Compliance Profiler uses the imported data as a new rule or group.

6 Click Apply to save your changes.
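Because rule text travels through e-mail and text files, it is worth checking a received block before pasting it into the console. The Python below is an added example, not part of the product or the guide: it verifies that the BEGIN and END marker lines are present, parses the key=value lines, and computes a SHA-256 fingerprint that sender and recipient can compare. The key pattern is inferred from the excerpt above, the numeric codes are treated as opaque, marker dashes are matched leniently, and the sample text is constructed from that excerpt.

```python
import hashlib
import re

# Marker lines as described in the guide; the dash count is matched leniently.
BEGIN_RE = re.compile(r"-{2,} ?BEGIN COPIED RULES ?-{2,}")
END_RE = re.compile(r"-{2,} ?END COPIED RULES ?-{2,}")
# Assumption: keys look like RuleLabel_0 or RulePath_1_1, as in the excerpt.
KEY_RE = re.compile(r"(Rule[A-Za-z]+)_(\d+(?:_\d+)*)")

# Constructed sample built from the keys shown in the guide's excerpt;
# it is not a complete export.
SAMPLE = """\
--- BEGIN COPIED RULES ---
RuleLabel_0=MS02-055 Unchecked buffer in Windows
RuleEnabled_0=true
RuleGroup_0=false
RuleType_0=2
RulePath_1_1=Internet Explorer
RuleName_1_1=iexplore.exe
RuleCompare_1_1=1
RuleValue_1_1=6.0.3790.0
--- END COPIED RULES ---
"""


def parse_copied_rules(text):
    """Validate and parse a copied-rules block.

    Returns {"rules": {index: {field: value}}, "problems": [...],
    "fingerprint": sha256_hex}. Raises ValueError when the markers are
    missing, duplicated or out of order.
    """
    # Mail clients add blank lines and CRLF endings; normalise them away.
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    begins = [i for i, ln in enumerate(lines) if BEGIN_RE.fullmatch(ln)]
    ends = [i for i, ln in enumerate(lines) if END_RE.fullmatch(ln)]
    if len(begins) != 1 or len(ends) != 1 or begins[0] >= ends[0]:
        raise ValueError("expected one BEGIN marker followed by one END marker")

    body = lines[begins[0] + 1 : ends[0]]  # text outside the markers is ignored
    rules, problems = {}, []
    for ln in body:
        key, sep, value = ln.partition("=")  # values may themselves contain "="
        match = KEY_RE.fullmatch(key)
        if not sep or not match:
            problems.append(f"unrecognised line: {ln!r}")
            continue
        field, index = match.groups()
        entry = rules.setdefault(index, {})
        if field in entry:
            problems.append(f"duplicate key: {key}")
            continue
        entry[field] = value

    # Fingerprint of the normalised body, stable across line-ending changes.
    digest = hashlib.sha256("\n".join(body).encode("utf-8")).hexdigest()
    return {"rules": rules, "problems": problems, "fingerprint": digest}


def enabled_labels(parsed):
    """Labels of rules that would arrive already enabled."""
    return [
        fields.get("RuleLabel", "<no label>")
        for fields in parsed["rules"].values()
        if fields.get("RuleEnabled", "").lower() == "true"
    ]


if __name__ == "__main__":
    result = parse_copied_rules(SAMPLE)
    print(result["fingerprint"])
    print(result["problems"], enabled_labels(result))
```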

Archiving your custom rules for later use

The Archive button saves a snapshot of all groups and rules in your Custom Rules folder. You can use this feature to save the rules and rule groups that are currently in your Custom Rules group as a rule set.

Archiving a rule set

1 On the System Compliance Profiler Rules tab, deselect the Inherit checkbox.

2 In the System Compliance Profiler Rules list, select your rule set.

3 Click Archive.

System Compliance Profiler asks for a name for the archived rule set. It uses the name of the current rule set by default.

4 Enter an archive name, then click OK.

System Compliance Profiler adds the archived rule set to the Archives group in the Templates and Rules Archive list.

Restoring an archived rule set

1 On the System Compliance Profiler Rules tab, deselect the Inherit checkbox.

2 In the Archive list, open your Archives group.

3 Select the name of the rule set that you want to use.

4 Click Activate.

System Compliance Profiler asks you to verify that you want to overwrite your existing rule set with the archived rule set.

5 Click OK.

Scheduling System Compliance Profiler on-demand scan tasks

You can configure, schedule, and run client-side scan tasks for the System Compliance Profiler through the ePolicy Orchestrator console just as you would create update tasks for the agent or on-demand scans for other security products installed on client computers like VirusScan Enterprise or GroupShield for Exchange servers. System Compliance Profiler includes an On-Demand Scan client task. This scan task is included in ePolicy Orchestrator 3.5 and 3.6 by default. In ePolicy Orchestrator 3.0, it is added when you install the System Compliance Profiler NAP file.

System Compliance Profiler uses the on-demand scan to collect compliance information about the computer on which it is installed. This is the only way that System Compliance Profiler collects this information, so it is important to schedule these scans to run frequently and regularly. At the next agent-to-server communication (ASCI) after a successful scan completes, the agent communicates the scan results back to the ePolicy Orchestrator server. These results are stored in the database, where you can view task results by generating System Compliance Profiler reports.

You can set up scan tasks for a single computer, or for all the computers that belong to a group or site.

What’s in this section

This section covers the basics of how to use the ePolicy Orchestrator console to create, configure, and schedule an on-demand scan for System Compliance Profiler. Many aspects of creating and scheduling this scan are similar to other client tasks in ePolicy Orchestrator. For more information about running client tasks through ePolicy Orchestrator, see the ePolicy Orchestrator Product Guide.

How to set up a System Compliance Profiler on-demand scan

1 Create a new System Compliance Profiler on-demand scan.

2 Enable and schedule the new on-demand scan task.

The rest of this section covers these steps in more detail.

Create a new System Compliance Profiler on-demand scan

1 In the console tree, right-click the site, group, or node for which you want to create a new task, then select Schedule Task.

2 In the Schedule Task dialog box, enter a descriptive name for the task, such as Daily SCP on-demand scan, in the New Task Name text box.

3 Select System Compliance Profiler 1.1 On-Demand Scan from the software tasks list.

4 Click OK.

5 Press F-5 to refresh the console and make the new task appear in the list in the Task tab.

Note that it is scheduled to run daily at the current day and time. Also note that the Enabled flag is set to False—we now need to set this to True and schedule it.

Enable and schedule the new on-demand scan task

After you’ve created a new task, enable and schedule it so that it runs at regular intervals that you specify. How often you schedule the task is up to you. The example in these instructions shows how to schedule it to run once a day. See the ePolicy Orchestrator Product Guide for more information on scheduling client tasks.

To enable and schedule the new task you just created:

Figure 4-5 Create a System Compliance Profiler on-demand scan

1 Right-click the new task in the task list and select Edit Task.

2 Deselect Inherit under the Schedule Settings section of the ePolicy Orchestrator Scheduler dialog box.

3 Select Enable. This is very important—the scan does not run unless you enable it!

4 Click the Schedule tab and deselect Inherit.

5 Set the Schedule Task options as desired. For example, you might want to schedule it to run Daily at a specified local time on the machine. See the ePolicy Orchestrator Product Guide for more detailed information on scheduling client tasks.

6 When you have finished scheduling the task, click OK.

The task is now listed in the Tasks list with its Enabled property set to True. The task will run at the next scheduled time that you have configured.

Note that the task will be passed to System Compliance Profiler clients deployed on computers the next time the agent for each computer calls into the server as part of its regular ASCI. If you want clients to pick up the new scan task immediately (for example, if you have scheduled the task to Run Immediately), you can initiate a manual agent wakeup call. See Performing an agent wakeup call on page 51 or the ePolicy Orchestrator Product Guide for more information on agent wakeup calls.

Update pre-defined System Compliance Profiler rules from McAfee

McAfee may release new templates for System Compliance Profiler from time to time. To obtain the latest software and template releases, you must update the software.

System Compliance Profiler 1.1 allows you to automatically update pre-defined McAfee rules by using the same update procedure that you’re already using for updating anti-virus DAT and engine files used by your anti-virus software, such as VirusScan Enterprise. You should be already using regularly scheduled repository pull and replication tasks to update your software repositories with new DATs and engines, and then using scheduled client update tasks to deploy these updates to client computers on your network. You can use these same update tasks to also update your System Compliance Profiler rules.

Figure 4-6 Edit the newly created scan task

Overview of update process: same as for DATs

Basically, update your System Compliance Profiler rules as follows:

1 Pull pre-defined rules from the McAfee web site to your master software repository on your ePolicy Orchestrator server using a repository pull task.

This can either be a manual Pull Now server task, or you can create a scheduled pull task to pull updates from the McAfee source repository at regularly scheduled intervals.

2 Replicate the updates in the master repository to any distributed repositories, if you have them.

3 Schedule an ePolicy Orchestrator Agent Update client task to have your client computers update their System Compliance Profiler rules from the nearest repository.

See the ePolicy Orchestrator Product Guide for details on how to create and schedule all these to update both DATs and System Compliance Profiler Rules.

Be sure to configure selective updating appropriately if you’re using ePolicy Orchestrator 3.5 or 3.6

If you’re using ePolicy Orchestrator 3.5 or 3.6, remember that the selective updating feature doesn’t update all signatures automatically. You can selectively choose which individual updates (DATs, engine files, ePolicy Orchestrator agent or anti-virus software patches, etc) are updated each time an update task runs. By default, all updates except DATs and anti-virus engines are disabled in all client tasks.

The selective updating feature allows you to save bandwidth by scheduling different updates for different software exactly when you need them. For example, DATs are updated frequently, so you will want to have one scan task to update them, probably at least once per day. On the other hand, service packs for security products such as VirusScan Enterprise are released much less often. You can create a separate client update task to only update VirusScan Enterprise patches and schedule it to run less frequently, perhaps once a week. Or, you can limit network traffic generated by ePolicy Orchestrator even more by not scheduling this task at all, but rather run it manually when patches are released.

To configure an existing client update task to also update your pre-defined McAfee System Compliance Profiler rules:

1 In the ePolicy Orchestrator console tree, select the Directory node for which you want to configure the task (either the Directory root, or a site, group, or individual computer).

2 In the upper details pane, select the Tasks tab.

Tip

McAfee updates System Compliance Profiler rules about once per month, much less frequently than anti-virus DATs, which are updated weekly or several times per week. To conserve network bandwidth, especially if you are deploying ePolicy Orchestrator to a large network, consider creating a separate client update task for updating compliance scan rules. Schedule it to run less frequently than your DAT update task.

For example, while you might want to schedule your DAT client update task to run several times per day, try scheduling your System Compliance Profiler rules update task for once a week. Alternatively, you could schedule it to run immediately and leave it disabled, only running it manually when McAfee posts updated rules.

3 Open your ePolicy Orchestrator Agent Update task by double-clicking it.

4 In the ePolicy Orchestrator Scheduler dialog box, select the Task tab and click Settings.

5 In the Task Settings dialog box, select System Compliance Profiler Rules from the list of Signatures and Engines.

6 Click Apply to save the changes.

ePolicy Orchestrator will push the changes to the client update task to each client the next time that computer’s agent calls into the ePolicy Orchestrator server. The update task will run on the client at the next scheduled time.

Figure 4-7 Task Settings dialog box

Tip

The global updating functionality of ePolicy Orchestrator uses the same selective updating feature as the agent update client task. In global updating, selective updating allows you to control what kinds of updates trigger a global update. By default, a global update is triggered only if DAT or engine files are checked into the master repository.

Configure global updating on the Settings tab of the ePolicy Orchestrator console. To enable compliance rules for global updating, select the System Compliance Profiler rules option. See the ePolicy Orchestrator Product Guide for more information on how to do this and for using the global updating feature.

5 Working with Scan Results

Run reports in ePolicy Orchestrator to display scan results

When you scan network computers using System Compliance Profiler, the ePolicy Orchestrator agent on these computers sends the scan results to the ePolicy Orchestrator server. To review their results, you run reports using the ePolicy Orchestrator reporting feature.

This section provides an overview of how to create System Compliance Profiler reports in ePolicy Orchestrator. Once you generate a report, you can:

Save the report in several formats, including HTML, RTF, and XLS (Microsoft Excel).

Print the report.

Refresh the report.

Search the report.

For more information on these actions and on reporting, see your ePolicy Orchestrator documentation.

What’s in this chapter

System Compliance Profiler reports

About running System Compliance Profiler reports in ePolicy Orchestrator

Generating System Compliance Profiler reports

System Compliance Profiler reports

When you install the System Compliance Profiler software, you add several report templates to ePolicy Orchestrator as well. To generate a System Compliance Profiler report, you must select one of these reports and, if necessary, customize it to show only the information you want. For example, you can select the time period that you want to generate reports on.

Drilling-down for detailed report information

In many cases you can drill down for more details on a report. When viewing reports, look for areas where your mouse pointer turns into a magnifying glass icon. This icon represents report data that you can get more information on. Double-click the report data. ePolicy Orchestrator will produce a Details report.

The following table describes the reports available for each System Compliance Profiler report, including any detailed reports.


Historical Summary by Severity

This report displays information about all detected rule violations, broken down by severity level. This data is shown both in bar graph form, and in a summary table.

Compliance & Non-Compliance Summary

This report shows the number of scanned computers that are:

Compliant with System Compliance Profiler rules;

Not compliant with one or more rules;

“Unknown,” either because they have not run any scan yet, or because they have not run the most recent scan.

This information is shown in both a pie chart and in a summary table.

Table 5-1 Drill-down details

Detail | Description
Severity Details | Provides a list of the groups that contain rule violations for a specific severity level. Also indicates how many violations each group registered.
Group Details | Provides a list of rules violated within a specific group, and the number of times each rule was violated.
Rule Details | Provides detailed information on a specific rule, indicating which computers violated it, and when.

Warning

Version 1.1 includes a reboot required field for computers that were not compliant when the scan ran, but that most likely would be if they were rebooted. This can happen when the System Compliance Profiler scan runs after a patch or service pack is installed but before a required reboot of that system occurs. Computers in this state will likely become compliant as soon as they are rebooted.

Table 5-2 Drill-down details

Detail | Description
Non-Compliant Computers | Provides a list of computers that contributed to the percentage of non-compliant computers.
Computer Details | For a specific computer, provides system information and a list of groups containing rule violations.
Group Details | For a specific group, provides a list of violated rules, the time when these were detected, and the associated severity levels.


Non-compliance by Computer Name

This report presents a table that shows how many rules each non-compliant computer violates. The table lists each scanned computer’s host name and IP address.

Non-Compliance Summary by Group

This report shows how many rule violations System Compliance Profiler found for each of your rule groups. The information is presented in both tabular and bar graph format.

Non-Compliance Summary by Severity

This report shows how many rule violations System Compliance Profiler found for each rule severity level. The information is presented in both tabular and bar graph format.

Table 5-3 Drill-down details

Detail | Description
Computer Summary | Provides system information for a specific computer, and a list of the groups that have rule violations.
Rule Violation Details | Provides a list of the rules violated within a specific group, as well as when these violations occurred, and at what severity level.

Table 5-4 Drill-down details

Detail | Description
Group Details | Provides a list of the rules violated within a specific group, as well as when these violations occurred, and at what severity level.
Computer Summary | Provides a list of computers that violated a specific rule.
Violation Time Details | Provides system information for a specific computer, and the time when it violated the selected rule.

Table 5-5 Drill-down details

Detail | Description
Severity Details | Provides a list of groups that contributed to the total number of violations at a specific severity level.
Group Details | Provides a list of the rules violated within a specific group, and a count of how many computers violated each rule.
Rule Details | Provides detailed information on a specific rule, indicating which computers violated it, and their general system information.


About running System Compliance Profiler reports in ePolicy Orchestrator

Before running reports on System Compliance Profiler scan results for the first time, follow the instructions in this section to enable new System Compliance Profiler reports. You may need to do this even if you are running ePolicy Orchestrator 3.5 or 3.6, and the System Compliance Profiler reports were added automatically when you installed the ePolicy Orchestrator server.

This section covers the following topics:

Enable System Compliance Profiler reports before running them the first time.

Make sure latest scan results are in the database before running reports.

If you only want to run a report on one site or group.

Enable System Compliance Profiler reports before running them the first time

This section covers a few things you may need to do to enable new System Compliance Profiler reports with ePolicy Orchestrator.

Deploy System Compliance Profiler to the ePolicy Orchestrator server if using ePolicy Orchestrator 3.0.x

If you are running System Compliance Profiler 1.1 with ePolicy Orchestrator version 3.0.x, you must deploy System Compliance Profiler to your ePolicy Orchestrator server in order for reports to work properly.

Install the System Compliance Profiler on your ePolicy Orchestrator server as you would install it on any computer in your network. You can install it manually or use the ePolicy Orchestrator deployment task. See Chapter 3, Deploying the System Compliance Profiler client scanner for more details on how to install System Compliance Profiler on client computers, including the ePolicy Orchestrator server.

Log into database with ePolicy Orchestrator admin credentials the first time

The first time you access your System Compliance Profiler reports after installing or upgrading the software, you may need to log in to the ePolicy Orchestrator Reporting feature using your ePolicy Orchestrator credentials. Afterward, you can log in using any credentials, such as SQL credentials to your database server.

To do this:

1 Start ePolicy Orchestrator and log on to your server.

2 In the console tree, expand Reporting.

3 Expand ePO Databases.

Your ePolicy Orchestrator server name should appear below this node.

4 Select your server name to open the ePO Database Login dialog box.


5 Enter the user name and password for your ePolicy Orchestrator admin account.

6 Make sure the Authentication type is set to ePO authentication.

7 Click OK.

Wait while ePolicy Orchestrator downloads the new reports for System Compliance Profiler. You can now generate System Compliance Profiler reports using the event data stored on this ePolicy Orchestrator server.

Make sure latest scan results are in the database before running reports

You cannot create System Compliance Profiler reports unless you have data to base them on. This data comes from computers running System Compliance Profiler. These computers collect data during the scans that you set up. They then send this data to the server each time the ePolicy Orchestrator agent communicates with the server. At each agent ASCI, the data is stored in the ePolicy Orchestrator database for use in your reports.

There is always a delay between when a computer finishes a scan and when you can run reports based on its results in ePolicy Orchestrator. Two major factors influence this delay:

The completeness of a scan. If a scan fails to finish, System Compliance Profiler may not pass along complete results to ePolicy Orchestrator.

The agent-to-server communication interval (ASCI). Your System Compliance Profiler computers communicate with ePolicy Orchestrator at specific intervals, via ePolicy Orchestrator agents. If a scan finishes shortly after an agent/server update, the agent does not pass on the scan results until its next agent/server communication. By default the agent ASCI is set to 60 minutes.

The agent-to-server communication interval is determined by your ePolicy Orchestrator Agent policy settings. You can lower the default values to reduce the communication lag between System Compliance Profiler and ePolicy Orchestrator. The key settings are the Agent to Server communication interval on the General tab, and the Event Forwarding settings on the Events tab on the ePolicy Orchestrator Agent | Configuration policy pages. See the ePolicy Orchestrator documentation for more information.

Figure 5-1 Log into the database using ePolicy Orchestrator admin credentials


Performing an agent wakeup call

You can also force ePolicy Orchestrator to collect agent information between communication intervals by performing an Agent Wakeup Call.

1 In ePolicy Orchestrator’s Directory, right-click the name of the site, group, or computer that you want to update.

2 Select Agent Wakeup Call.

The Agent Wakeup Call dialog box appears.

3 Under Type, select Send Agent wakeup call.

4 Change the Agent randomization interval to 0.

This forces ePolicy Orchestrator to update the ePO agent(s) immediately.

5 Select Get full product properties.

6 Click OK to send the agent wakeup call.

If you only want to run a report on one site or group

ePolicy Orchestrator allows you to run reports for computers in specific sites or groups in the console tree Directory. To do this:

1 In ePolicy Orchestrator’s console tree, expand Reporting, then ePO Databases.

2 Right-click the name of your ePolicy Orchestrator server.

3 Select Set Directory Filter to open the Directory Filtering dialog box.

4 Select any ePolicy Orchestrator groups that you want your System Compliance Profiler reports to cover.

5 Click OK.

Generating System Compliance Profiler reports

When you generate a System Compliance Profiler report, you have the option of customizing it. This means that you can specify what information you want included in the report, what filters you want to apply, and how you want the report displayed.

To generate a report for System Compliance Profiler:

1 In the ePolicy Orchestrator console tree, expand Reporting, then ePO Databases.

2 Double-click the name of your ePolicy Orchestrator server to expand it.

Reports, Queries, and Events should appear below the server name.

Tip

As a best practice, McAfee recommends that you perform an Agent Wakeup Call for all System Compliance Profiler computers before generating any reports. This guarantees that your reports will include all the latest scan results. See Performing an agent wakeup call on page 51 for instructions.


3 Expand Reports, then System Compliance Profiler.

ePolicy Orchestrator displays a list of all System Compliance Profiler reports. If the reports don’t appear in the expanded list, see Enable System Compliance Profiler reports before running them the first time on page 49.

4 Select the report that you want to run. See System Compliance Profiler reports on page 46 for a list.

ePolicy Orchestrator asks whether you want to customize the report.

Figure 5-2 System Compliance Profiler reports in ePolicy Orchestrator

5 Do one of the following:

Table 5-6

To | Do
Generate the report immediately | Click No. Skip the rest of this procedure.
Customize the report | Click Yes.

6 In the customization dialog box, set up any filters that you want to apply.

Table 5-7

Tab | Use to
Rule Description | Filter the results based on rule description criteria.
IP Address | Identify which IP addresses you want to see results from.
Severity | Identify which levels of rule violations you want to see results from.
Event Time | Filter based on when rule violations occurred.
Domain Name | Identify which network domain(s) you want to see results from.
Directory | Identify which ePolicy Orchestrator site(s) you want to see results from.
OS Type | Filter based on a specific operating system version (for example, Windows 2000).
OS Platform | Filter based on a specific operating system type (for example, Server or Workstation).
Computer Name | Identify which computers you want to see results from.

7 Click OK.

ePolicy Orchestrator generates the report and displays it in the details pane.


6 Frequently Asked Questions

Answers to common questions around installing and using System Compliance Profiler with ePolicy Orchestrator

This section provides answers to common situations that you might encounter when installing or using the System Compliance Profiler software.

This section answers common questions concerning:

Installations

Policies

Scans

Reports

Installations

How can I verify that System Compliance Profiler deployed properly?

There are two ways to check whether the System Compliance Profiler software is deployed on a remote computer:

In the ePolicy Orchestrator console: In the console tree, select the name of the remote computer. Select the Properties tab from the Details pane. System Compliance Profiler should appear in the list of installed applications.

On the client computer: Find the ePolicy Orchestrator agent icon in the system tray. Right-click it, and select About. System Compliance Profiler should appear in the Version Information list.

Note

To access the agent About dialog box from the client computer, you must enable the user interface for the ePolicy Orchestrator agent. This option is disabled by default. To enable the interface on the client, use the agent policy pages in the ePolicy Orchestrator console to select the Show agent tray icon option. See the ePolicy Orchestrator documentation for details.

Can I deploy System Compliance Profiler using third-party software?

Yes. To deploy System Compliance Profiler using a third-party tool, configure your deployment software to distribute and execute PatchScanInstaller.exe on target computers.

If you are using ePolicy Orchestrator 3.0.x, you must deploy the software to your ePolicy Orchestrator server in order for compliance reporting to work (this is not required with ePolicy Orchestrator 3.5 or 3.6). Also, be sure to deploy ePolicy Orchestrator agents to all computers to which you deploy the System Compliance Profiler.

Furthermore, before you can use the deployed software, you must:

Manually install the System Compliance Profiler NAP on your ePolicy Orchestrator server (see Chapter 2, Adding System Compliance Profiler to ePolicy Orchestrator).

Set up rules and scan tasks in ePolicy Orchestrator (see Using compliance rules and scans on page 29).

ePolicy Orchestrator will then detect the deployed System Compliance Profiler software and send out rules and scan tasks.

To remove the System Compliance Profiler software, configure your deployment tool to run PatchScanInstaller.exe /u from either the target computer’s system32 or system directory.

Policies

Can I share rules with other System Compliance Profiler administrators?

Yes. You can copy a System Compliance Profiler rule, group, or archived rule set, and send the data to other users in plain text format. You can also take data that they send you and paste the plain text version directly into a System Compliance Profiler rule group. For more information, see Importing and exporting rules to and from plain text on page 39.

Can I export and import policies using ePolicy Orchestrator?

Yes, you can use ePolicy Orchestrator’s policy export feature to create a copy of a System Compliance Profiler rule set. See your ePolicy Orchestrator documentation for details.

Note, however, that when you import the policy, it overwrites all custom, predefined, and archived rules. To avoid affecting a user’s templates and archived rule sets, use the System Compliance Profiler text export and import features. See Importing and exporting rules to and from plain text on page 39.

Scans

How do I determine whether a scan finished properly?

Generate a System Compliance Profiler report and look for results.

Check the ePolicy Orchestrator agent log on the scanned computer.

When a scan runs successfully, the following entry appears in the ePolicy Orchestrator agent log:

The task <TaskName> is successful.


<TaskName> is the name you assigned to the System Compliance Profiler on-demand scan task in ePolicy Orchestrator. See Scheduling System Compliance Profiler on-demand scan tasks on page 41.

Can I run a System Compliance Profiler scan from a remote computer?

No, you cannot start a System Compliance Profiler task manually on a remote computer. The System Compliance Profiler software is entirely managed by ePolicy Orchestrator.

Reports

Why don't I see any System Compliance Profiler reports in ePolicy Orchestrator?

If you are using ePolicy Orchestrator 3.0.x, make certain that you added the Patch_Reports.nap file to the ePolicy Orchestrator Repository. The reporting NAP is added automatically with ePolicy Orchestrator 3.5 and 3.6. (See Adding System Compliance Profiler to the ePolicy Orchestrator server on page 20).

Try logging into the ePolicy Orchestrator Reporting feature using your ePolicy Orchestrator admin credentials instead of an NT or SQL account. You only need to do this the first time you access reports. Afterward, you can log in using any credentials. (See If you only want to run a report on one site or group on page 51.)

Why don't I see scan results in my reports?

If you are using ePolicy Orchestrator 3.0.x, make certain that you deployed the System Compliance Profiler software to your ePolicy Orchestrator server as well as to your remote computers. If you do not deploy the software to the ePolicy Orchestrator server, your reports will not work properly. (See Removing System Compliance Profiler from the ePolicy Orchestrator server on page 22.)

Make certain that you created and scheduled a System Compliance Profiler scan task in ePolicy Orchestrator. (See Scheduling System Compliance Profiler on-demand scan tasks on page 41.)

Make certain that System Compliance Profiler had enough time to report its scan results to ePolicy Orchestrator. There is a time delay between when a scan runs and when the scan results become available to ePolicy Orchestrator, depending on your ASCI. (See About running System Compliance Profiler reports in ePolicy Orchestrator on page 49.)

Make certain that System Compliance Profiler should be reporting results. If a computer complies with all your System Compliance Profiler rules, and has never violated them, then you will not see results for that computer in most reports. Only the Compliance/Non-Compliance Summary report shows compliant computers; all other reports show only rule violations.
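The two checks above (a success entry in the agent log, then enough time for the next agent-to-server communication) can be combined into one triage pass over collected logs. This is an added example, not part of the McAfee guide: only the sentence "The task <TaskName> is successful." and the 60-minute default ASCI come from the guide; the timestamp layout, host names, last-communication times and function names are constructed, and communications are assumed strictly periodic with no wakeup calls.

```python
import math
from datetime import datetime, timedelta

ASCI = timedelta(minutes=60)     # default agent ASCI stated in the guide
TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumption: constructed timestamp layout

# Constructed agent-log excerpts. Only "The task <TaskName> is successful."
# is taken from the guide; every other detail here is invented.
SAMPLE_LOGS = {
    "WS-001": "2005-06-01 02:00:03 Starting task SCP Nightly\n"
              "2005-06-01 02:01:17 The task SCP Nightly is successful.\n",
    "WS-002": "2005-06-01 02:00:05 Starting task SCP Nightly\n",
    "SRV-01": "2005-06-01 02:40:10 The task SCP Nightly (servers) is successful.\n"
              "2005-06-01 02:50:00 The task SCP Nightly is successful.\n",
}
# Constructed: last agent-to-server communication known for each host.
LAST_COMM = {
    "WS-001": datetime(2005, 6, 1, 1, 30),
    "WS-002": datetime(2005, 6, 1, 1, 45),
    "SRV-01": datetime(2005, 6, 1, 2, 45),
}


def last_success(log_text, task_name):
    """Timestamp of the last success entry for exactly this task, or None."""
    wanted = f"{task_name} is successful."
    found = None
    for line in log_text.splitlines():
        stamp, sep, rest = line.partition(" The task ")
        # Compare the whole remainder so "SCP Nightly" does not match
        # "SCP Nightly (servers)".
        if not sep or rest.strip() != wanted:
            continue
        try:
            found = datetime.strptime(stamp.strip(), TS_FORMAT)
        except ValueError:
            continue  # entry without a parseable timestamp
    return found


def next_communication(finished, last_comm, asci=ASCI):
    """First periodic agent-to-server communication at or after `finished`."""
    if finished <= last_comm:
        return last_comm  # the scan ended before the last known communication
    intervals = math.ceil((finished - last_comm) / asci)
    return last_comm + intervals * asci


def triage(logs, last_comm, task_name, now, asci=ASCI):
    """Map host -> (state, time the results are due at the server).

    not-finished: no success entry, so complete results may never arrive
    pending:      scan succeeded, next communication is still in the future
    reported:     scan succeeded and a communication has happened since
    """
    report = {}
    for host, text in logs.items():
        finished = last_success(text, task_name)
        if finished is None:
            report[host] = ("not-finished", None)
            continue
        due = next_communication(finished, last_comm[host], asci)
        report[host] = ("reported" if due <= now else "pending", due)
    return report


if __name__ == "__main__":
    now = datetime(2005, 6, 1, 3, 0)
    for host, (state, due) in triage(SAMPLE_LOGS, LAST_COMM, "SCP Nightly", now).items():
        print(f"{host:8} {state:13} {due or ''}")
```

Hosts in the pending state are the ones an Agent Wakeup Call would help; hosts in the not-finished state need the scan task itself investigated.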


Why do I get the following error message in my report: “Please verify that the System Compliance Profiler is deployed to your ePolicy Orchestrator server and that you have received data from the deployed System Compliance Profilers.”

This message appears in your reports if:

If you are using ePolicy Orchestrator 3.0.x, you did not deploy the System Compliance Profiler software to your ePolicy Orchestrator server. (See Removing System Compliance Profiler from the ePolicy Orchestrator server on page 22.)

Your deployed System Compliance Profilers have not yet returned the results from scans that you set up. (See About running System Compliance Profiler reports in ePolicy Orchestrator on page 49.)

What does “Unknown Scan Results” mean?

This message appears in your reports to indicate that System Compliance Profiler does not have the most up-to-date scan results for specific computers or groups.

This occurs each time you set up new rules for your System Compliance Profiler scans. When you do this, the software changes the status of all your existing System Compliance Profiler computers to Unknown. They remain in that state until they finish a scan using the new rules, and return those scan results to ePolicy Orchestrator. Once computers return results using the latest set of System Compliance Profiler rules, their status in reports changes to something more informative.

To apply your latest System Compliance Profiler rules and get scan results faster, perform an Agent Wakeup Call in ePolicy Orchestrator. See Performing an agent wakeup call on page 51.


A System Compliance Profiler metrics

This section provides metrics for the amount of bandwidth that System Compliance Profiler uses during scans, and the amount of space it uses in ePolicy Orchestrator tables.

Client memory use

The deployed System Compliance Profiler software uses 630,977 bytes of memory on all remote computers.

Network bandwidth

System Compliance Profiler scans do not require many local or network resources. While the exact amount of network traffic will vary based on how many rules a given computer receives, the average bandwidth requirement is approximately 200 bytes per rule.

Sample data

Table A-1

Policy file contains | Policy file size
Five patch-based rules | 661 bytes
Sixty rules (fifteen of each rule type) | 20,327 bytes

ePolicy Orchestrator impact

System Compliance Profiler stores data in the ePolicy Orchestrator event table. The amount of space used varies depending on the scan results that System Compliance Profiler receives.

Sample data

Table A-2

Scan details | Table space used
Five rules, failed | 5,248 bytes
Five rules, passed | 6,148 bytes
Twenty rules, failed | 19,544 bytes
Twenty rules, passed | 22,944 bytes
Sixty rules, failed | 35,744 bytes
Sixty rules, passed | 44,564 bytes
