Configuration Guide

revision 1.0

System Compliance Profiler
version 1.1


For use with ePolicy Orchestrator 3.0.x, 3.5, or 3.6 Beta

McAfee System Protection

Industry-leading intrusion prevention solutions

COPYRIGHT
Copyright © 2005 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP DESIGN (STYLIZED E), DESIGN (STYLIZED , N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, MCAFEE, MCAFEE (AND IN KATAKANA), MCAFEE AND DESIGN, MCAFEE.COM, MCAFEE VIRUSSCAN, NA NETWORK ASSOCIATES, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NETWORK ASSOCIATES, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA), YOUR NETWORK. OUR BUSINESS. are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Issued June 2005 / McAfee System Compliance Profiler software version 1.1
DOCUMENT BUILD 005.1-<EN>


Contents

1 Introducing System Compliance Profiler ... 4
  System Compliance Profiler overview ... 4
  What’s new in this release ... 5
  How System Compliance Profiler works with ePolicy Orchestrator ... 11
  Using this guide ... 14
  Resources ... 15

2 Adding System Compliance Profiler to ePolicy Orchestrator ... 19
  ePolicy Orchestrator 3.0.x requirements ... 19
  Adding System Compliance Profiler to the ePolicy Orchestrator server ... 20
  Upgrading System Compliance Profiler from version 1.0 ... 21
  Removing System Compliance Profiler from the ePolicy Orchestrator server ... 22

3 Deploying the System Compliance Profiler client scanner ... 24
  System requirements ... 24
  Using ePolicy Orchestrator to deploy System Compliance Profiler ... 24
  Installing System Compliance Profiler manually on clients ... 27
  Removing System Compliance Profiler from clients ... 27

4 Using compliance rules and scans ... 29
  Overview of using compliance rules in on-demand scans ... 29
  About System Compliance Profiler rules ... 30
  Creating and editing rules ... 33
  Using rules and rule groups for scanning ... 37
  Scheduling System Compliance Profiler on-demand scan tasks ... 41
  Update pre-defined System Compliance Profiler rules from McAfee ... 43

5 Working with Scan Results ... 46
  System Compliance Profiler reports ... 46
  About running System Compliance Profiler reports in ePolicy Orchestrator ... 49
  Generating System Compliance Profiler reports ... 51

A Frequently Asked Questions ... 54
  Installations ... 54
  Policies ... 55
  Scans ... 55
  Reports ... 56

B System Compliance Profiler metrics ... 58
  Client memory use ... 58
  Network bandwidth ... 58
  ePolicy Orchestrator impact ... 58

1 Introducing System Compliance Profiler

Overview of the product, how it works with ePolicy Orchestrator, and new features in this release

System Compliance Profiler® 1.1 is a client scanner that scans computers on your network to determine whether they comply with policies that you set up in ePolicy Orchestrator®. You can use System Compliance Profiler to create graphical and tabular reports that show which network computers do and do not comply with company policies.

What’s covered in this chapter
- System Compliance Profiler overview
- What’s new in this release
- How System Compliance Profiler works with ePolicy Orchestrator
- Using this guide
- Resources

System Compliance Profiler overview

System Compliance Profiler’s features include:
- Microsoft patch compliance reporting.
- File and patch integrity verification (with MD5 “fingerprinting”).
- Customizable compliance assessment based on scans for specific files, registry entries, services and Microsoft patches.
- Graphical compliance reports with drill-down paths.
- Downloadable rule templates.
- Complete integration with McAfee ePolicy Orchestrator, for centralized administration and host-based compliance reporting.

The System Compliance Profiler software scans remote computers to determine whether they comply with policies that you set up. Policies consist of rules, each of which tells the software to look for a specific file, registry key, patch, or service on scanned computers. Computers that meet all of your rule criteria are in compliance with your policies. Computers that do not meet rule criteria have rule violations.

System Compliance Profiler integrates into the McAfee ePolicy Orchestrator management software. This means that you use ePolicy Orchestrator to configure and deploy the software. For details on the ePolicy Orchestrator and System Compliance Profiler interfaces, see Accessing System Compliance Profiler through the ePolicy Orchestrator console on page 12.

System Compliance Profiler works by installing remote scanning software on each computer that you want to monitor. This scanning software periodically scans for files, registry keys, patches, and services. It then relays the information it collects back to the ePolicy Orchestrator server. Once the software finishes its scans and reports back, you can use System Compliance Profiler and ePolicy Orchestrator to run reports based on the collected data.

What’s new in this release

This release of System Compliance Profiler includes the following new features or enhancements:
- Reboot state awareness.
- Using registry keys to dynamically resolve file paths.
- Filtering and sorting for security patch templates.
- Running rules only when specific applications are present.
- Improved rules interface and features.
- More flexibility and granularity for defining rules.
- Use ePolicy Orchestrator pull tasks to update predefined McAfee rules automatically.

Each of these new features is detailed in the sections that follow.

Reboot state awareness

Current release
The goal of this feature is to determine if a system is in violation of a rule only because the machine has not been rebooted yet. If the file being checked is in violation of the rule, and it is scheduled to be replaced at the next reboot, then the violation event contains extra data to indicate that a reboot is needed. This information will be displayed in the rule violation reports.

Benefits
After applying a patch on your managed machines, they may require a reboot. Until they are rebooted, they will continue to show up as non-compliant in your System Compliance Profiler reports. This feature is an indication that rebooting the machines may make them compliant in the next System Compliance Profiler scan, and gives a more accurate snapshot of system status.

Where to find
The Compliant/Non-Compliant Summary report will include the reboot state awareness category. The graph has a new pie container for systems that need rebooting.

For more information
See Compliance & Non-Compliance Summary on page 47 for more information on how computer compliance data is reflected in reports.

Using registry keys to dynamically resolve file paths

Current release
Use registry key values when specifying file path locations for file based rules. In the Edit Rule page, the drop-down box for the file path contains an additional choice labeled HKEY_LOCAL_MACHINE. If you choose this, you can specify the registry key location for the registry key that contains the file path of the file being searched for. Note that this registry path will also contain the registry value being examined.

Benefits
Use registry keys to reference file paths dynamically, rather than having to hardcode the file paths into your rules.

Where to find
The Edit Rule page of the System Compliance Profiler Rules policy page. The File path drop-down list contains a new option for HKEY_LOCAL_MACHINE to specify a registry key containing a file path.

For more information
About System Compliance Profiler rules on page 30

Filtering and sorting for security patch templates

Current release
Group and filter the predefined McAfee security patch rules to show only the rules you are interested in viewing. When you select the Security Patch Rules group, or any rules under this group, you can click a Filter button to filter and sort based on the following criteria:
- Microsoft Security Bulletin #
- Microsoft patch release date
- Microsoft severity rating
- Microsoft identifier (K or QB number)
- Affected operating systems
- Affected applications

Benefits
The list of security patches can become quite long. Using filtering and sorting can make the list more manageable.

Where to find
To access this feature:
1 Open the Rules page of the System Compliance Profiler policy pages.
2 Select the Security Patch Rules group or any patch rules group or rules within Security Patch Rules to enable the new Filter button.
3 Click Filter to open the Filtering and Sorting page. Specify filter criteria as needed.

For more information
Creating and editing rules on page 33

Running rules only when specific applications are present

Current release
Set conditions to evaluate certain rules only if a specified application is present on the computer. For example, if you have a group of rules that scan for Microsoft Exchange Server 2000 patches, you can set a condition to evaluate these rules only if Exchange Server 2000 is actually installed on the computer.

Benefits
Improves performance by running only those rules that are relevant for the software installed on a given computer. It also eliminates the false positive violations that are generated when a scan does not find a patch on that computer because the relevant software is not installed.

Where to find
The Edit Group page contains an Application rule drop-down list. Select an application from this list to test for on the computer before running the rule or rule group.

For more information
Creating and editing rules on page 33

Improved rules interface and features

Current release
This release contains several new features to improve the usability and interface of the policy pages:
- All user-defined custom rules are stored in a Custom Rules group in the Rules list.
- Summary View and Advanced View buttons to toggle Rules list between showing and hiding rule details.
- New Description text box in the Edit Group page allows you to modify rule group descriptions to suit your needs.
- Right-click copy feature has a new Copy to Custom Rules feature to allow you to easily copy any pre-defined rule to the custom rules folder so you can customize it.

Benefits
Improved usability and interface make it easier to work with rules.

Where to find
The main System Compliance Profiler | Rules policy page.

For more information
Chapter 4, Using compliance rules and scans

More flexibility and granularity for defining rules

Current release
This release includes additional criteria for using file matching rules:
- File age by the time it was last modified.
- File size
- File version can be less than or equal to or greater than or equal to a specified value
- Registry key values can be less than or equal to or greater than or equal to a specified value.
- Registry key is in HKEY_LOCAL_MACHINE.

Benefits
Define more focused and flexible rules.

Where to find
The Edit Rule page. To get here:
1 In the ePolicy Orchestrator console, go to System Compliance Profiler | Rules policy page.
2 Select any rule in your Custom Rules list.
3 Click Edit.

For more information
Chapter 4, Using compliance rules and scans

Use ePolicy Orchestrator pull tasks to update predefined McAfee rules automatically

Current release
ePolicy Orchestrator updates the pre-defined McAfee rules automatically with source repository pull tasks. This uses the same automated update architecture that ePolicy Orchestrator uses to update DAT anti-virus signatures, anti-virus engines, and Desktop Firewall IDS signatures. Once the repository has been updated, use a replication task to copy the rule updates to any distributed repositories, then run an ePolicy Orchestrator Agent Update client task to update client rules.

Benefits
Using regularly scheduled Repository Pull tasks to update pre-defined rules means System Compliance Profiler is scanning for the most up-to-date rules.

Where to find
In the ePolicy Orchestrator console, select Repository from the console tree to find the Pull Now or New Pull Task features.

For more information
Update pre-defined System Compliance Profiler rules from McAfee on page 43
See the ePolicy Orchestrator Product Guide for more information on pull tasks and agent update client tasks.

Use wildcards when matching filenames and registry keys in compliance rules

Current release
You may use wildcards to match a file name or registry key. Using the ? wildcard matches a single character. The * wildcard matches any number of characters.

Benefits
Using wildcards in your rules can help make sure the rule can account for small variations in file names or registry keys.
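The following added illustration (not McAfee's code) models how the rule features described in this chapter interact: an application precondition, ? and * wildcard matching, numeric file version comparison, and the reboot-needed flag. The rule and host dictionaries, their field names, the paths and the version numbers are constructed for the example; the product's own rule format is not shown in this guide.

```python
import re

def wildcard_match(pattern, name):
    """'?' matches exactly one character, '*' any number (including none)."""
    regex = "".join(
        "." if ch == "?" else ".*" if ch == "*" else re.escape(ch)
        for ch in pattern  # re.escape keeps '[', '.', '\' literal
    )
    # Assumption: case-insensitive, as Windows file and registry names are.
    return re.fullmatch(regex, name, re.IGNORECASE | re.DOTALL) is not None

def parse_version(text):
    """'6.0.10.0' -> (6, 0, 10, 0): compare numerically, never as strings."""
    return tuple(int(part) for part in text.split("."))

def version_ok(found, op, wanted):
    """Apply a '>=' or '<=' criterion to two dotted version strings."""
    a, b = parse_version(found), parse_version(wanted)
    width = max(len(a), len(b))  # pad so '6.0' equals '6.0.0.0'
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    if op == ">=":
        return a >= b
    if op == "<=":
        return a <= b
    raise ValueError("unsupported operator: " + op)

def evaluate(rule, host):
    """Return 'not_applicable', 'compliant', 'violation_reboot_needed' or 'violation'."""
    # Precondition: skip the rule when the application it concerns is absent,
    # so a missing patch for software that is not installed is not a violation.
    app = rule.get("requires_app")
    if app and app not in host["installed_apps"]:
        return "not_applicable"
    matched = {p: v for p, v in host["files"].items()
               if wildcard_match(rule["file"], p)}
    if not matched:
        return "violation"
    # Assumption: every file the pattern matches must satisfy the criterion.
    failing = [p for p, v in matched.items()
               if not version_ok(v, rule["op"], rule["version"])]
    if not failing:
        return "compliant"
    # A failing file already scheduled for replacement only needs a reboot.
    if all(p in host["pending_replace"] for p in failing):
        return "violation_reboot_needed"
    return "violation"

def scan(rule, hosts):
    return {name: evaluate(rule, host) for name, host in hosts.items()}

# Constructed sample rule and inventories (not real product data).
APP = "Exchange Server 2000"
PATH = r"C:\Apps\Mail\bin\store1.dll"
RULE = {
    "requires_app": APP,
    "file": r"C:\Apps\Mail\bin\store?.dll",
    "op": ">=",
    "version": "6.0.9.0",
}
HOSTS = {
    "fileserver": {"installed_apps": set(), "files": {},
                   "pending_replace": set()},
    "mail-patched": {"installed_apps": {APP}, "files": {PATH: "6.0.10.0"},
                     "pending_replace": set()},
    "mail-awaiting-reboot": {"installed_apps": {APP}, "files": {PATH: "6.0.8.0"},
                             "pending_replace": {PATH}},
    "mail-unpatched": {"installed_apps": {APP}, "files": {PATH: "6.0.8.0"},
                       "pending_replace": set()},
}

if __name__ == "__main__":
    for name, result in scan(RULE, HOSTS).items():
        print(name, result)
```

Comparing the versions as plain strings would rank 6.0.10.0 below 6.0.9.0 and report the patched host as a violation, which is why the criterion is applied to parsed integer tuples.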

Where to find
The Edit Rule page. To get here:
1 In the ePolicy Orchestrator console, go to System Compliance Profiler | Rules policy page.
2 Select any rule in one of your Custom Rules.
3 Click Edit.

For more information
Defining criteria for rules on page 34
See the ePolicy Orchestrator Product Guide for more information on pull tasks and agent update client tasks.

How System Compliance Profiler works with ePolicy Orchestrator

This section provides a brief overview of how System Compliance Profiler works within ePolicy Orchestrator. Refer to other chapters of this guide for more details on each of these aspects. This section includes the following topics:
- At a glance: System Compliance Profiler and ePolicy Orchestrator
- Accessing System Compliance Profiler through the ePolicy Orchestrator console

At a glance: System Compliance Profiler and ePolicy Orchestrator

Use ePolicy Orchestrator to configure and manage the System Compliance Profiler software. The basic steps involved are:

1 Add System Compliance Profiler to your ePolicy Orchestrator server repository if you are using ePolicy Orchestrator 3.0.x.
Before you can use the two products together, you must add the System Compliance Profiler NAP, deployment packages and reports to the ePolicy Orchestrator Repository. For details, see Adding System Compliance Profiler to the ePolicy Orchestrator server on page 20.
Note: This step is only required if you are running ePolicy Orchestrator 3.0.x. The System Compliance Profiler NAP, deployment package, and reports are installed by default with ePolicy Orchestrator 3.5 and 3.6.

2 Deploy System Compliance Profiler to client computers.
Use the ePolicy Orchestrator console to deploy System Compliance Profiler to computers in your Directory console tree. You must deploy the software to each computer that you want to scan.

3 Configure System Compliance Profiler policies and scans.
You use the ePolicy Orchestrator console to configure the policies for how you want to scan selected computers using System Compliance Profiler rules. You then configure scan tasks to run on the clients using the policies you specify. The ePolicy Orchestrator agent on the client computer where System Compliance Profiler is installed collects these policy updates at regular intervals.
Note: Policies are the rules that you define for each computer scanned by System Compliance Profiler.
Once your System Compliance Profiler system is set up, you can start scanning computers for files, services, patches, and registry keys. To do this, you first set up rules in ePolicy Orchestrator. These rules make up your policies. Once you finish defining policies for different users, you set up System Compliance Profiler scan tasks. Scan tasks are instructions that ePolicy Orchestrator sends to computers running System Compliance Profiler. You can scan individual computers, or groups of computers. You can also schedule scans to occur at specific times.

4 System Compliance Profiler runs scans on client computers.
ePolicy Orchestrator sends the scan tasks to computers running System Compliance Profiler. At the scheduled time, these computers run the scans that you specified, collect the scan results, and transmit them to ePolicy Orchestrator.
System Compliance Profiler scans do not require many local or network resources. While the exact amount of network traffic will vary based on how many rules a given computer receives, the average bandwidth requirement is approximately 200 bytes per rule.

5 Run reports in ePolicy Orchestrator to view scan results.
Once ePolicy Orchestrator receives scan results from System Compliance Profiler, it adds the information to its database. After the results are stored, you can use the ePolicy Orchestrator console to run reports that list any vulnerabilities that System Compliance Profiler found.

Accessing System Compliance Profiler through the ePolicy Orchestrator console

You use the ePolicy Orchestrator console to access and configure System Compliance Profiler. To accomplish this, the console includes three areas, presented as tabs on the details pane:
- The Policies tab, where you create your System Compliance Profiler rules.
- The Tasks tab, where you create and schedule System Compliance Profiler on-demand scan tasks.
- The Reports area, where you generate reports based on System Compliance Profiler scan results.

The System Compliance Profiler policy pages

Manage policies for System Compliance Profiler just as you would for any other security product managed by ePolicy Orchestrator.

If you are using ePolicy Orchestrator 3.0.x, the policy pages for System Compliance Profiler 1.1 are not installed by default. See Chapter 2, Adding System Compliance Profiler to ePolicy Orchestrator.

To access the System Compliance Profiler policy pages:
1 Select the Directory, or a site, group, or computer node in the console tree.
2 In the details pane, click the Policies tab.
3 Expand the policy list to System Compliance Profiler 1.1 | Rules, then click the policy name.
4 View the policy pages in the lower details pane.

Figure 1-1 The System Compliance Profiler Rules policy page

The Rules page lets you enable and disable configured rules, create and edit customized rules, and update pre-defined McAfee rules from the McAfee web site.

Use client tasks to configure on-demand scans on client computers

The System Compliance Profiler policy pages (NAP file) include an on-demand scan task for creating and scheduling scan tasks on client computers. When you check the NAP file into the master repository on the ePolicy Orchestrator server, the System Compliance Profiler on-demand scan task is available in the list of available client scan tasks.

To access the System Compliance Profiler on-demand scan task:
1 Select the Directory, or a site, group, or computer node in the Directory tree.
2 In the details pane, click the Tasks tab.
3 Right-click the details pane and select Schedule Task.
4 From the Schedule Task page, select System Compliance Profiler 1.1 On-Demand Scan.

Run System Compliance Profiler reports

To see the results of your System Compliance Profiler scans, generate reports in ePolicy Orchestrator. System Compliance Profiler automatically adds its custom reports to the Reporting area of the ePolicy Orchestrator console when you install the software. For more information on these reports, see Working with Scan Results on page 46.

Using this guide

This guide provides information on configuring and using your product.

Audience
This information is intended primarily for network administrators who are responsible for their company’s anti-virus and security program.

Conventions
This guide uses the following conventions:

Bold Serif: All words from the user interface, including options, menus, buttons, and dialog box names.
Example: Type the User name and Password of the desired account.

Courier: The path of a folder or program; a web address (URL); text that represents something the user types exactly (for example, a command at the system prompt).
Examples:
The default location for the program is: C:\Program Files\Network Associates\VirusScan
Visit the McAfee Security web site at: http://www.mcafeesecurity.com
Run this command on the client computer: C:\SETUP.EXE

Italic: For emphasis or when introducing a new term; for names of product documentation and topics (headings) within the material.
Example: Refer to the VirusScan Enterprise Product Guide for more information.

<TERM>: Angle brackets enclose a generic term.
Example: In the console tree under ePolicy Orchestrator, right-click <SERVER>.

Note: Supplemental information; for example, an alternate method of executing the same command.

Tip: Suggestions for best practices and recommendations from McAfee Security for threat prevention, performance and efficiency.

Caution: Important advice to protect your computer system, enterprise, software installation, or data.

Warning: Important advice to protect a user from bodily harm when interacting with a hardware product.

Resources

Refer to these sections for additional resources:
- Getting product information
- Links from within the ePolicy Orchestrator console
- Product services
- Contact information

Getting product information

ePolicy Orchestrator documentation — Product introduction and features, detailed instructions for configuring the software, information on deployment, recurring tasks, and operating procedures.
- ePolicy Orchestrator 3.6 Product Guide
- ePolicy Orchestrator 3.6 Installation Guide
- ePolicy Orchestrator 3.6 Reporting Guide
- ePolicy Orchestrator 3.6 Walkthrough Guide

Configuration Guide* — For use with ePolicy Orchestrator®. Procedures for configuring, deploying, and managing your McAfee Security product through ePolicy Orchestrator management software.

Help — High-level and detailed information accessed from the ePolicy Orchestrator console. Use the Help menu and/or Help button for page-level help.

Release Notes‡ — ReadMe. Product information, resolved issues, any known issues, and last-minute additions or changes to the product or its documentation.

License* — The McAfee License Agreement booklet that includes all of the license types you can purchase for your product. The License Agreement sets forth general terms and conditions for the use of the licensed product.

Contacts‡ — Contact information for McAfee Security services and resources: technical support, customer service, Security Headquarters (AVERT Anti-virus & Vulnerability Emergency Response Team), beta program, and training. This file also includes phone numbers, street addresses, web addresses, and fax numbers for company offices in the United States and around the world.

* An Adobe Acrobat .PDF file on the product CD or the McAfee Security download site.
^ A printed manual that accompanies the product CD. Note: Some language manuals may be available only as a .PDF file.
‡ Text files included with the software application and on the product CD.

Links from within the ePolicy Orchestrator console
The Start Page of the ePolicy Orchestrator console provides links to some useful resources:
Help Topics
Virus Information Library
Technical Support

Help Topics
Use this link to access the online Help topics for the product.
Tip: If the product’s built-in help system (accessed from within the software by clicking the Help menu) displays incorrectly on your system, your version of Microsoft® Internet Explorer may not be using ActiveX controls properly. These controls are required to display the help file. Make sure that you install the latest version of Internet Explorer.

Virus Information Library
Use the Virus Information link to access the McAfee Anti-Virus & Vulnerability Emergency Response Team (AVERT) Virus Information Library. This web site has detailed information on where viruses come from, how they infect your system, and how to remove them.
In addition to genuine viruses, the Virus Information Library contains useful information on virus hoaxes, such as those virus warnings that you receive via e-mail. A Virtual Card For You and SULFNBK are two of the best-known hoaxes, but there are many others. Next time you receive a well-meaning virus warning, view our hoax page before you pass the message on to your friends.
To access the Virus Information Library:
1 Open the ePolicy Orchestrator console. The console opens to the Start Page in the details pane.
2 Select Virus Information.

Technical Support
Use the Technical Support for ePolicy Orchestrator link to access the McAfee PrimeSupport KnowledgeCenter Service Portal web site. Browse this site to view frequently asked questions (FAQs), documentation, and perform a guided knowledge search.
To access McAfee technical support:
1 Open the ePolicy Orchestrator console. The console opens to the Start Page in the details pane.
2 Select Technical Support for ePolicy Orchestrator.
3 Follow the directions on the web site.

Product services
The following services are available to help you get the most from your McAfee products:
Beta program
HotFixes and Patches
Product “end-of-life” support

Beta program
The McAfee beta program enables you to try our products before full release to the public — you can learn about and test new features for existing products, as well as try out entirely new products. This program can help you test and implement updated and new features earlier, and in a safe environment. You get the chance to suggest new product features, as well as deal directly with McAfee engineering staff. To find out more, visit: http://www.mcafeesecurity.com/us/downloads/beta/mcafeebetahome.htm

HotFixes and Patches
HotFixes and Patches are released with updated files, drivers, executables, etc., between the major releases of a product. To access the latest HotFixes and Patches, visit: http://www.mcafeesecurity.com/us/downloads/updates/hotfixes.asp

Product “end-of-life” support
Your anti-virus software must be kept up-to-date to remain effective against viruses and other potentially harmful software. It is important to update the virus definition (DAT) files regularly. To enable the software to counter the continuing threat, we often make architectural changes to the way that the DAT files and virus-scanning engine work together. It is therefore important that you update your engine when a new version is released. An older engine will not catch many of the new emerging threats. When we release a new engine, we announce the date after which the existing engine will no longer be supported. For information on our product “end-of-life” policy and for a full list of supported engines and products, visit: http://www.mcafeesecurity.com/us/products/mcafee/end_of_life.htm

Contact information
Technical Support
Home Page: http://www.mcafeesecurity.com/us/support/technical_support
KnowledgeBase Search: https://knowledgemap.nai.com/phpclient/homepage.aspx
PrimeSupport Service Portal *: https://mysupport.nai.com

McAfee Beta Program
http://www.mcafeesecurity.com/us/downloads/beta/mcafeebetahome.htm

Security Headquarters — AVERT: Anti-virus & Vulnerability Emergency Response Team
Home Page: http://www.mcafeesecurity.com/us/security/home.asp
Virus Information Library: http://vil.nai.com
AVERT WebImmune, Submitting a Sample *: https://www.webimmune.net/default.asp
AVERT DAT Notification Service: http://vil.mcafeesecurity.com/vil/join-DAT-list.asp

Download Site
Home Page: http://www.mcafeesecurity.com/us/downloads/
DAT File and Engine Updates: http://www.mcafeesecurity.com/us/downloads/updates/default.asp and ftp://ftp.mcafeesecurity.com/pub/antivirus/datfiles/4.x
Product Upgrades *: https://secure.nai.com/us/forms/downloads/upgrades/login.asp

Training
On-Site Training: http://www.mcafeesecurity.com/us/services/security/home.htm
McAfee University: http://www.mcafeesecurity.com/us/services/education/mcafee/university.htm

Customer Service
E-mail: https://secure.nai.com/us/forms/support/request_form.asp
Web: http://www.mcafeesecurity.com/us/index.asp and http://www.mcafeesecurity.com/us/support/default.asp
US, Canada, and Latin America toll-free: +1-888-VIRUS NO or +1-888-847-8766
Monday – Friday, 8 a.m. – 8 p.m., Central Time

For additional information on contacting McAfee — including toll-free numbers for other geographic areas — see the Contact file that accompanies this product release.
* Logon credentials required.


2

Adding System Compliance Profiler to ePolicy Orchestrator
Manually add the NAP file and deployment package to the repository

This section describes how to add the System Compliance Profiler 1.1 deployment package and NAP file to the ePolicy Orchestrator software repository. You must add both of these to your ePolicy Orchestrator repository to be able to deploy and manage System Compliance Profiler with ePolicy Orchestrator.
Note: Refer to this chapter only if you are running System Compliance Profiler 1.1 with ePolicy Orchestrator 3.0.x. The System Compliance Profiler 1.1 deployment package, NAP file, and reports are installed automatically when you install the ePolicy Orchestrator 3.5 or 3.6 server and console. If you are using ePolicy Orchestrator 3.5 or 3.6, you can skip this chapter.

What’s in this chapter
This chapter contains the following topics:
ePolicy Orchestrator 3.0.x requirements
Adding System Compliance Profiler to the ePolicy Orchestrator server
Upgrading System Compliance Profiler from version 1.0
Removing System Compliance Profiler from the ePolicy Orchestrator server

ePolicy Orchestrator 3.0.x requirements
This chapter assumes that you have already installed the ePolicy Orchestrator server and console. The System Compliance Profiler user interface installs and runs on an ePolicy Orchestrator server version 3.0.x or higher. You access it using the ePolicy Orchestrator console. For more information on these processes, see the ePolicy Orchestrator Product Guide.

If you are running ePolicy Orchestrator 3.0.2, install patch 6
You must install patch 6 for ePolicy Orchestrator 3.0.2 to be able to run System Compliance Profiler 1.1. If you are running ePolicy Orchestrator 3.0.0 or 3.0.1, System Compliance Profiler 1.1 works without requiring any patches or other updates.


Configure firewall ports for System Compliance Profiler communication
If you intend to communicate through a firewall with computers running System Compliance Profiler, you must also configure ports 80 and 8081 to allow traffic between your ePO agents and your server. These are the default ports for those components. If you selected different ports during your ePolicy Orchestrator installation, configure your firewall to allow those ports instead.

Adding System Compliance Profiler to the ePolicy Orchestrator server
This section covers adding the System Compliance Profiler deployment package, NAP file policy pages, and reports to the ePolicy Orchestrator server. You must perform these steps to deploy and manage System Compliance Profiler with ePolicy Orchestrator. It does not cover deploying the System Compliance Profiler to client computers in your network. For details on how to do that, see Chapter 3, Deploying the System Compliance Profiler client scanner.
To add System Compliance Profiler to your ePolicy Orchestrator server:
1 Retrieve the PKGCATALOG.Z and PATCH1100.NAP files.
2 Add the deployment package to the master repository.
3 Add the NAP policy pages to the server.

Retrieve the PKGCATALOG.Z and PATCH1100.NAP files
The PKGCATALOG.Z deployment package and PATCH1100.NAP policy files are included in the System Compliance Profiler 1.1 installation files from McAfee. You find these installation files either on your product CD or on the McAfee web site. Retrieve the files, either from the product CD or McAfee web site, and save them to a temporary folder on your ePolicy Orchestrator server.

Add the deployment package to the master repository
1 Log on to the ePolicy Orchestrator console.
2 Select Repository from the console tree.
3 In the details pane under AutoUpdate tasks, click Check in package.
4 Follow the ePolicy Orchestrator wizard instructions. When prompted:
a Select Products or updates as the package type.
b Navigate to the System Compliance Profiler/Product directory and select PkgCatalog.z as the package name.
5 After finishing the check-in wizard, wait while the deployment package is added to the repository.

Add the NAP policy pages to the server
1 Select Repository from the console tree, and under AutoUpdate tasks click Check in NAP.

2 Follow the wizard instructions. When prompted:
a Select Add new software to be managed as the task type.
b Select Patch1100.nap as the file name.
3 After finishing the check-in wizard, wait while the NAP is added to the repository.
System Compliance Profiler is now stored in the Repository. You can verify that the System Compliance Profiler software is in ePolicy Orchestrator’s Repository by selecting any computer, group, or site from the console tree. Click the Policies tab to make it active. System Compliance Profiler should appear in the list of available software.
You must also deploy the System Compliance Profiler software to your ePolicy Orchestrator server before running any scans.

Add System Compliance Profiler reports to the database
Check in the extended reporting NAP file to add System Compliance Profiler reports to the ePolicy Orchestrator reporting database. This will allow you to run reports in ePolicy Orchestrator on the System Compliance Profiler scan results.
To check in the extended reporting NAP:
1 Select Repository from the console tree, and click Check in NAP.
2 Follow the wizard instructions. When prompted:
a Select Add new reports as the task type.
b Select Patch_Reports.nap as the file name.
3 After finishing the check-in wizard, wait while the NAP is added to the repository.

Upgrading System Compliance Profiler from version 1.0
If you are already using System Compliance Profiler 1.0 with ePolicy Orchestrator 3.0.x, you can easily upgrade to version 1.1 without losing any of your custom rules created in version 1.0.
To upgrade System Compliance Profiler 1.1 over an existing 1.0 version:
1 Retrieve the 1.1 installation files, either from your product CD or McAfee download site.
2 Check in the System Compliance Profiler 1.1 NAP and deployment package following the instructions in this chapter.
Do not first remove the 1.0 NAP from the ePolicy Orchestrator server! Any custom rules you have defined in System Compliance Profiler 1.0 will be automatically copied to version 1.1 when you install the 1.1 NAP. This way, you won’t lose any custom rules you have created.
Tip: After you have completed the upgrade to version 1.1, you can remove the 1.0 NAP from the repository. See Removing System Compliance Profiler from the ePolicy Orchestrator server on page 22 for details.

3 Edit the default deployment task to Install the System Compliance Profiler 1.1 on client computers in your network, and set the action for System Compliance Profiler 1.0 to Ignore, to have ePolicy Orchestrator install version 1.1 on clients. The installer for SCP 1.1 will automatically upgrade SCP 1.0 installations to SCP 1.1.
Note when you are finished that there will be two entries in the Policy tab on the ePolicy Orchestrator console for both versions 1.0 and 1.1. This is similar to the way ePolicy Orchestrator can contain NAP files for multiple versions of other products, such as VirusScan Enterprise. As you begin working with System Compliance Profiler 1.1, be sure to make additional policy changes only in the System Compliance Profiler 1.1 policy pages. In fact, after you have fully installed and deployed version 1.1, you may want to remove the 1.0 NAP file from the ePolicy Orchestrator repository to avoid confusion.

Removing System Compliance Profiler from the ePolicy Orchestrator server
This section covers removing the System Compliance Profiler deployment package, NAP file, and reports from the ePolicy Orchestrator master repository. It does not cover removing System Compliance Profiler from any client computers to which you have deployed it. For details on how to do that, see Removing System Compliance Profiler from clients on page 27.

Removing the System Compliance Profiler deployment package from the ePolicy Orchestrator repository
1 Start the ePolicy Orchestrator console and log on to your server.
2 In the console tree, go to Repository | Software Repositories | Master to view the contents of the master repository.
3 In the details pane of the console, scroll through the Packages table to locate the System Compliance Profiler deployment package. The Name is System Compliance Profiler and the Type is Install.
4 Select the deployment package and select Delete.
If you are using distributed repositories, be sure to replicate the change to your distributed repositories so ePolicy Orchestrator can delete the package from them as well.

Removing the System Compliance Profiler NAP from the ePolicy Orchestrator server
1 Start the ePolicy Orchestrator console and log on to your server.
2 If necessary, expand this server’s icon in the console tree to see the Repository icon.
3 Expand Repository to see its contents.
4 Expand Managed Products, then Windows.
5 Right-click System Compliance Profiler and select Remove.
6 Click Yes when ePolicy Orchestrator asks whether to remove the software.
7 Click OK.

Removing System Compliance Profiler reports
1 Start ePolicy Orchestrator.
2 Expand Reporting to see its contents.
3 Expand Report Repository.
4 Locate and right-click System Compliance Profiler.
5 Click Remove.
6 Click Yes when ePolicy Orchestrator asks whether to remove the reports.

3

Deploying the System Compliance Profiler client scanner
Use the ePolicy Orchestrator deployment task to install System Compliance Profiler on client computers

This chapter describes the process for deploying System Compliance Profiler 1.1 to client computers. You must deploy System Compliance Profiler to any computer that you want to scan for patch compliance—the software can only scan locally on the same computer on which it is installed.

What’s in this chapter
System requirements
Using ePolicy Orchestrator to deploy System Compliance Profiler
Installing System Compliance Profiler manually on clients
Removing System Compliance Profiler from clients

System requirements
The System Compliance Profiler client scanner only functions as part of an ePolicy Orchestrator deployment, and therefore will only be installed on computers running an ePolicy Orchestrator agent. Computers running an agent already meet the minimum system requirements for the System Compliance Profiler client scanner. Refer to the ePolicy Orchestrator documentation for details on the system requirements for the agent.
Note: If you intend to communicate through a firewall with computers running System Compliance Profiler, you must also configure ports 80 and 8081 to allow traffic between your ePO agents and your server. These are the default ports for those components. If you selected different ports during your ePolicy Orchestrator installation, configure your firewall to allow those instead.

Using ePolicy Orchestrator to deploy System Compliance Profiler
Deploying System Compliance Profiler involves installing scanning software on remote computers. This software receives the rules and policy information that you set up in ePolicy Orchestrator, runs the tasks that you schedule, and reports back with any results.

The following System Compliance Profiler deployment instructions assume that you have:
Installed ePolicy Orchestrator server and console.
Deployed ePolicy Orchestrator agents to any computers where you plan to install System Compliance Profiler.
Populated the ePolicy Orchestrator Directory with all of the sites, groups, and computers to which you plan to deploy System Compliance Profiler.
For more information on these processes, see the ePolicy Orchestrator Product Guide.

About using the ePolicy Orchestrator Deployment task
The ePolicy Orchestrator agent uses the default deployment task to deploy, or install, client software such as VirusScan Enterprise, Desktop Firewall, or System Compliance Profiler on computers in your network.
Caution: If you are using System Compliance Profiler with ePolicy Orchestrator 3.0.x, you must deploy System Compliance Profiler scanner to the ePolicy Orchestrator itself. If you do not, reporting does not function properly. This is not required for ePolicy Orchestrator 3.5 or 3.6, although you will most likely want to install System Compliance Profiler on your server anyway.

Enabling System Compliance Profiler deployment
1 In your ePolicy Orchestrator console, select Directory from the console tree. ePolicy Orchestrator expands the Directory to show all the sites, groups, and computers that it currently manages.
2 Select a site, group, or computer to which you want to deploy System Compliance Profiler.
3 In the upper details pane, click Tasks to display that tab. ePolicy Orchestrator lists all the tasks for this site, group, or computer.
4 Double-click the Deployment task to open the ePolicy Orchestrator Scheduler dialog box.
5 On the Task tab, click Settings to open the Task Settings dialog box.
6 If necessary, deselect the Inherit checkbox.

7 In the Product deployment options list, locate System Compliance Profiler.
Figure 3-1 Configure the deployment task to install System Compliance Profiler
8 Select Install from the Action list. Set any products that you do not want to deploy to Ignore.
9 Click OK to return to the ePolicy Orchestrator Scheduler dialog box.
Now that you have configured this task to deploy System Compliance Profiler, create a schedule for the task.

Creating a schedule for the Deployment task
1 In the ePolicy Orchestrator Scheduler dialog box, click Task to display that tab.
2 In the Schedule Settings area, deselect Inherit.
3 Select Enable to make the task active.
4 Click the Schedule tab.
5 Deselect the Inherit checkbox, then set up the time when you want the System Compliance Profiler software deployed. For instructions, see the ePolicy Orchestrator Product Guide. To deploy the software immediately, select Run Immediately from the Schedule Task list. The deployment task will then run at the next ePO policy enforcement interval, or when you perform an agent wakeup call.
6 Click OK.
ePolicy Orchestrator deploys the System Compliance Profiler software to this site, group, or computer at the time you specified.

To verify that the System Compliance Profiler software deployed properly, select the name of the remote computer from the console tree. Select the Properties tab from the details pane. System Compliance Profiler should appear in the list of installed applications. (Allow enough time for the deployment task to run first.)

Installing System Compliance Profiler manually on clients
You don’t need to use ePolicy Orchestrator to deploy System Compliance Profiler to client computers. If you choose, you can use another method, such as installing it manually, installing it with a network login script, or using another third-party deployment tool. To do this, you can run the PATCHSCANINSTALLER.EXE installer. You can either run this manually from the client computer where you want it to install, or you can distribute the installer for inclusion in login scripts or software deployment using other methods.

Where can I find the System Compliance Profiler installer?
If you downloaded System Compliance Profiler from the McAfee web site to run with ePolicy Orchestrator 3.0.x, you can find the PATCHSCANINSTALLER.EXE in the product download ZIP file. If you are running ePolicy Orchestrator 3.5 or 3.6, you can find the PATCHSCANINSTALLER.EXE installer on your ePolicy Orchestrator server. By default, it is installed in the following folder for 3.5:
C:\Program Files\Network Associates\ePO\3.5.0\DB\Software\Current\PATCH__1100\Install\0000
And the following folder in 3.6:
C:\Program Files\McAfee\ePO\3.6.0\DB\Software\Current\PATCH__1100\Install\0000

Running the System Compliance Profiler installer
When you execute PATCHSCANINSTALLER.EXE, System Compliance Profiler installs in silent mode. There is no installation interface or options to configure.
You can run PATCHSCANINSTALLER.EXE from the command line to uninstall System Compliance Profiler. To do this, run the executable with the /u command line, like this:
PATCHSCANINSTALLER.EXE /u

Removing System Compliance Profiler from clients
You can use the deployment task in the ePolicy Orchestrator console to remove System Compliance Profiler from client computers, or you can run the installer from the command line on the client system.

Using the deployment task to remove System Compliance Profiler
To use the ePolicy Orchestrator deployment task to remove System Compliance Profiler:

1 Start the ePolicy Orchestrator console and log on to your server.
2 In the console tree, expand the Directory and select the site, group, or computer from which you want to remove System Compliance Profiler.
3 In the ePolicy Orchestrator details pane, click the Tasks tab.
4 Right-click the Deployment task, then select Edit Task to open the ePolicy Orchestrator Scheduler dialog box.
5 On the Task tab, click Settings to open the Task Settings dialog box.
6 If necessary, deselect the Inherit checkbox.
7 In the Product deployment options list, locate System Compliance Profiler.
8 Select Remove from the Action list.
9 Click OK to return to the ePolicy Orchestrator Scheduler dialog box.
10 Click OK to save your changes.
ePolicy Orchestrator will remove the System Compliance Profiler clients at the time specified in the task. To change the task’s schedule, use the procedure outlined in Creating a schedule for the Deployment task on page 26.

Remove System Compliance Profiler with a command line
You can run PATCHSCANINSTALLER.EXE from the command line to uninstall System Compliance Profiler. To do this, PATCHSCANINSTALLER.EXE must be on the client computer. Run the executable with the /u command line, like this:
PATCHSCANINSTALLER.EXE /u

4

Using compliance rules and scans
Create rules and client on-demand scans to check compliance on client computers

This section describes how to use the ePolicy Orchestrator console to configure the System Compliance Profiler software to scan your network for system compliance.

What’s in this chapter
Overview of using compliance rules in on-demand scans
About System Compliance Profiler rules
Creating and editing rules
Using rules and rule groups for scanning
Scheduling System Compliance Profiler on-demand scan tasks
Update pre-defined System Compliance Profiler rules from McAfee

Overview of using compliance rules in on-demand scans
Once you have installed and deployed System Compliance Profiler, you can configure the policies, or rules, that the compliance scanner should use when it scans each computer. Then you can configure scans to run at scheduled times that scan computers for compliance or violation of the rules you specify. Basically, the process involves:
1 Creating and editing rules that specify what you want System Compliance Profiler to scan for.
2 Scheduling System Compliance Profiler on-demand scan tasks in ePolicy Orchestrator, to make it enforce your System Compliance Profiler rules.
After you set up rules and run scans, you can run reports in ePolicy Orchestrator to see the results. See Working with Scan Results on page 46 for more information.

About System Compliance Profiler rules
System Compliance Profiler uses rules to determine what it should scan for on target computers. A rule is a set of conditions that the scanner looks for on client machines. Rules describe what a target computer should have installed, and at what version number. Computers that meet these rules are compliant; those that do not are in violation of the rules. For example, you can use System Compliance Profiler rules to search for specific patches that have been released by Microsoft to see how many computers on your network have the latest and most important security patches installed. You can create rules that scan for specific files, registry keys, services, or Microsoft patches.

How System Compliance Profiler on-demand scans use rules
In most cases you can specify whether the item should or should not exist on a target computer. For example, you could create a rule to tell System Compliance Profiler that the file sample.exe should not exist on a specific computer. In some cases you can specify a value that items need to match in some way. For example, you could check an application’s version number to make certain it is higher than 1.0. If System Compliance Profiler finds that one of your rules does not apply — for example, an application is not installed where it should be — it considers this situation a rule violation.

Severity of rule violations
To help you distinguish between critical and less critical rule violations, rules have severity levels associated with them. When you create a new rule, you select Critical, Major, Minor, Warning, or Informational. If System Compliance Profiler finds a computer that doesn’t meet the criteria in your rule, it attaches your chosen severity level to the violation data and relays this to ePolicy Orchestrator. When you create compliance reports to see your System Compliance Profiler scan results, you can view and filter the results based on these severity levels.
Note: Non-compliant rule groups have a severity level associated with them in System Compliance Profiler reports. You do not specify this level when you create a group. Instead, ePolicy Orchestrator assigns the group a severity level when it generates a report. If more than one rule in the group failed, ePolicy Orchestrator uses the highest severity level of the failed rules. For example, if both a Minor rule and a Critical rule failed, ePolicy Orchestrator would list the group’s severity level as Critical in your reports.

File-based scanning and MD5 hashes
File-based System Compliance Profiler rules are useful for checking whether specific files exist. In some cases, however, you may need to scan files to verify that they have not been tampered with on target computers. System Compliance Profiler lets you do this by specifying an MD5 hash for scanned files. An MD5 hash is a file’s digital signature. Copies of a file should have identical digital signatures. If anyone tampers with or changes the file, its digital signature changes.
In order to create an MD5-based rule, you must have an existing hash for the file you want to verify. You can use commonly available utilities to generate this digital signature (for example, Command Line Message Digest Utility, available from http://www.fourmilab.ch/md5). Once you have the hash, paste it into your file-based System Compliance Profiler rule. The software will compare it to copies of the file on scanned computers, and alert you if it finds any inconsistencies in the signatures.

Types of rules used by System Compliance Profiler
The main Rules page of the System Compliance Profiler NAP file contains the list of rules available.
Figure 4-1 The main Rules page

Enable or disable any rule to include it in your scans
Including your rules in your on-demand compliance scans is easy—just enable any rules or rule groups you want to use in your scan by clicking in the appropriate checkbox. You can enable any rule, either custom or pre-defined, simply by selecting it in the Rules list. You can enable any combination of pre-defined rules and custom rules in this way.
Warning: In System Compliance Profiler 1.0, you could only enable pre-defined rules if you first copied them from the rule templates list to your active rules list. This is no longer necessary in version 1.1. You need to copy a pre-defined rule to your Custom Rules group only if you want to edit it to create a custom rule from it.

There are several different types of rules in this list:
Pre-defined rules from McAfee
Custom rules you create yourself
Archived rules
Each of these is described below.

Pre-defined rules from McAfee
System Compliance Profiler 1.1 ships with a set of pre-defined rules for common types of patches and files that you will likely want to scan for on computers in your network. These include such things as all recent Windows security patches from Microsoft and common applications you may not want to allow on workstations in your network.

You can enable these rules to include them in your client on-demand scans. You can also use them as templates for creating your own custom rules. To do this, you can copy any rule group or rule from any of the pre-defined rule groups into your Custom Rules folder and modify it as needed. While you can edit copies of the pre-defined rules in your Custom Folder, you cannot edit or delete any of the original pre-defined rules.

Table 4-1 Pre-defined Rule Groups
Group name: Purpose
Security Patch Rules: Rules in this group test for the presence of recent Microsoft security patches, hotfixes, and service packs.
Infection Rules: These templates provide guides for detecting viruses and similar malicious applications. These complement, but do not replace, dedicated anti-virus software.
Application Rules: Templates in this group provide guides for detecting software that should, or should not, be allowed on network computers.
Misc Rules: This group contains templates that do not fit any of the other default template groups.

To copy a template, right-click its name and select Copy from the menu. This places all of the template’s data on your Windows Clipboard, in text-only format. You can then paste the template into another group, or into the System Compliance Profiler Rules list (which makes it an active rule), or share the template with other users by sending them the template data. You can also copy templates sent to you from other users, and import them into your existing Templates and Rules Archive list.

Custom rules you create yourself
If none of the pre-defined rules meet your needs, you can create custom rules yourself. To do this, you can either create a rule from scratch or copy a pre-defined rule into your Custom Rules folder and edit it.

Archived rules
You can archive your custom rules in this group. When you do this, this group contains archived copies of any custom rules that you have created rule sets you have saved. Saved rule sets are called archives. You can replace your current rule set with an archived rule set by clicking Activate.

About rule groups

All rules are organized in rule groups. Rule groups are logical collections of rules that System Compliance Profiler can test for together. You can enable rule groups to enable all the child rules within that group.

Figure 4-2 Rules are organized into groups (folders)

You configure a rule group so that all child rules must match for the system to be compliant with the rule group. Or, you can create a rule where any of the child rules must match for the system to be compliant with that rule.

Figure 4-3 Create groups for similar rules

Use the All rules are true or Any rules are true options to specify which child rules of the group must be true for the system to be compliant with the rule group.

Creating and editing rules

You can create new custom rules in your Custom Rules folder, or you can open any custom rule you have already created and edit it. When you create custom rules, you must first create a rule group container for them.

Creating, editing and deleting rules

From the list of rules on the main Rules policy page, you can create new rules, or edit and delete existing ones. You can only do this for rules in your Custom Rules folder. You cannot create or edit rules in any of the pre-defined rule groups.

Creating a new rule
1 On the System Compliance Profiler Rules page, right-click a group in the Custom Rules group and select Add Rule.
2 Enter rule criteria in the Add Rule page.
3 Click OK.
4 Click Apply at the top of the page to save your policy changes.

Edit an existing rule
1 On the System Compliance Profiler Rules page, right-click an existing rule in the Custom Rules group and select Edit.
2 Make changes to the rule criteria in the Edit Rule page.
3 Click OK to save the changes to the rule.
4 Click Apply at the top of the page to save your policy changes.

Delete an existing rule
1 On the System Compliance Profiler Rules page, highlight an existing rule in the Custom Rules group by clicking on it once.
2 Click the Delete button.
3 Click Apply at the top of the page to save the policy change.

Defining criteria for rules

Use the Add Rule page, or Edit Rule page for editing existing rules, to specify the criteria for the rule. The interfaces of the Add Rule and Edit Rule pages are very similar. This section discusses the Add Rule page for adding rules, but much of this explanation also holds for editing existing rules in the Edit Rule page.

This can be what versions of Windows to test for, and whether to test for specific files in specific folders, specific registry keys and registry key values, or the presence of a specific Microsoft patch.

Figure 4-4 Enter rule criteria in the Add Rule or Edit Rule page

All rules have the basic criteria of name, severity, and operating system. In addition, you can specify that the rule test for the existence (or nonexistence) of one of the following:

A file
A registry key
A Microsoft patch
An NT service

Each of these is covered in greater detail in the sections that follow.

Basic Criteria: severity and operating system

Table 4-2

Field | Description
Name of rule | Type a descriptive name for the rule in this field. This is how the rule displays in the rule list. Creating a meaningful name that describes what the rule is designed to scan for makes reading your System Compliance Profiler reports easier. For example, use “MS Outlook RegKey” for a rule that scans for Microsoft Outlook registry keys.
Severity | Specify a severity for the event that will be generated when a computer is found to be non-compliant with the rule. These severity levels are the same as for other ePolicy Orchestrator events: Critical, Major, Minor, and Informational. Severity level is a mechanism for determining how and when events, in this case scan results of rule violations, are sent by the ePolicy Orchestrator agent back to the server. You can also use severity to filter your compliance reports. Note: Consider how you have your ePolicy Orchestrator agent policies configured for sending events back to the ePolicy Orchestrator server. By default, the agent forwards Critical events immediately to the server. Unless you change your default settings, events of all other severity types are saved by the agent and sent to the server at the agent’s regular ASCI. As a result, it may take some time for non-critical scan results to be sent back to the server.
Operating System | Specify which operating systems the current rule pertains to. For example, assume a certain registry key or Microsoft patch only exists with certain versions of Windows; you can deselect the Windows versions that don’t apply. Some scans only work on certain operating systems. For example, if you select Match a Microsoft patch or Match a service, then System Compliance Profiler automatically deselects Windows 98 and Windows ME.

Matching a file

Select a basic root directory from the File path list, and enter any additional subdirectory names in the text box to complete the path. Enter the file name you want to scan for in the File name text box. You may use wildcards to match a file name. The * wildcard matches any number of characters. Using the ? wildcard matches a single character.

From the remaining list, select a matching strategy for the rule (for example, File exists or Version is equal to). If necessary, enter an appropriate value in the associated text field.

Warning: When matching a version number, the software only accepts numbers and points (e.g. “1.0.1”). You cannot enter characters (e.g. “1a”).

Matching a registry key

Select a basic key root from the Registry key list, and enter any additional key names in the text box to complete the path. Enter the name of the key value you want to scan for in the Value name text box.

From the remaining list, select a matching strategy for the rule (for example, Registry key exists or Data is equal to). If necessary, enter an appropriate value in the associated text field. You may use wildcards for the value if you use the “equal to” operator. The * wildcard matches any number of characters. Using the ? wildcard matches a single character. When matching using “less than,” “greater than,” or “equal to” operators, you can only match DWORD and String values.

Match a Microsoft patch

Enter the patch’s unique Microsoft identifier in the Patch name text box. This value should begin with either Q or KB (for example, KB824141).

Match a service

Enter the name of the service in the Service name text box. Some common services that you might want to search for include:

IIS Admin Service
Internet Connection Sharing
Telnet
WWW Publishing Service

From the remaining list, select a matching strategy for the rule (for example, Service is running).

Using rules and rule groups for scanning

Topics covered in this section are:

Enabling and Disabling rules and rule groups
Using pre-defined rules as templates for custom rules
Copying rules or groups from one custom group to another
Importing and exporting rules to and from plain text
Archiving your custom rules for later use

Enabling and Disabling rules and rule groups

The Rules page lists all of the custom and pre-defined rules that exist for your installation of System Compliance Profiler. Just because they’re in this list, however, doesn’t mean that an SCP on-demand scan on a client computer can use them. You first have to enable the rules you want the on-demand client scan task to test for. All rules are disabled by default, and you must enable those rules that you want your System Compliance Profiler scan task to scan for. You can enable and disable individual rules, or rule groups, in the rule list so that System Compliance Profiler only applies the rules that you consider appropriate at a given time.

Enable both pre-defined or custom rules

While you can only edit or delete your own custom rules and rule groups, you can enable or disable any rule or rule group, either custom or pre-defined.

Enable and disable rules by selecting them in the list

To enable a rule:
1 From the Rules page of the System Compliance Profiler policy page, select a rule or group in the list so that its checkbox shows as checked. To enable every rule in a group, select the rule group, which enables all the child rules.
2 Click Apply to save your policy changes.

The changes to enabled rules will be passed to the System Compliance Profiler scanner on each client computer when the ePolicy Orchestrator agent for that computer calls into the server at its next ASCI. The newly enabled rules are used by the on-demand scan the next time that scan is scheduled to run.

Using pre-defined rules as templates for custom rules

You can copy any existing pre-defined rule or rule group into your Custom Rules group and edit it there. This can save you time over creating a rule from scratch. To do this:
1 On the System Compliance Profiler Rules tab, deselect Inherit if necessary.
2 In the list of pre-defined rules, select Copy to | Custom Rules. The rule or rule group is added to your Custom Rules group.
3 Open the copy of the rule in your Custom Rules folder and edit it as needed.
4 Click Apply to save the policy changes.

Copying rules or groups from one custom group to another

You can also move rules and groups around in your Custom Rules folder. For example, you may want to move a rule from one group to another. Use the Copy to Clipboard feature to copy and paste rules from one group to another. To do this:
1 On the System Compliance Profiler Rules tab, deselect Inherit if necessary.
2 Right-click the rule or group you want to copy and select Copy to | Clipboard.
3 Select a target group to which to add the copied rule or group.
4 Right-click the target group and select Paste.
5 Click Apply to save the policy changes.

Importing and exporting rules to and from plain text

In addition to using the Copy to Clipboard feature to paste copied rules or groups into other rule groups in your Custom Rules folder, you can also paste the rules into text files or e-mail messages. This allows you to share your System Compliance Profiler rules and rule groups with other users, for example another ePolicy Orchestrator administrator. You can also import other rules by pasting text rules into your System Compliance Profiler rule list in the ePolicy Orchestrator console.

To export a rule or group to a text file
1 On the System Compliance Profiler Rules tab, deselect Inherit if necessary.
2 Right-click the rule or group you want to export and select Copy to | Clipboard.
3 Open a text editor or e-mail message (or any Windows application field that accepts pasted text from the Windows Clipboard).
4 Paste the rule from the clipboard by using Ctrl-V or other Windows paste command.

You can also view your copied rule or template text in any application that accepts plain text. In text format, exported rules look something like this, beginning with a BEGIN COPIED RULES header and ending with END COPIED RULES:

-- BEGIN COPIED RULES --
RuleLabel_0=MS02-055 Unchecked buffer in Windows
RuleEnabled_0=true
RuleGroup_0=false
RuleType_0=2
. . .
RulePath_1_1=Internet Explorer
RuleName_1_1=iexplore.exe
RuleCompare_1_1=1
RuleValue_1_1=6.0.3790.0
-- END COPIED RULES --

Note: While you can view, copy, and paste text versions of your rules and templates, System Compliance Profiler does not support editing them in text form. To edit a rule or template, paste its text into System Compliance Profiler, and then modify the resulting rule or template using the software’s Edit Rule page.

Import a text-based rule or group into System Compliance Profiler

To import a plain text rule:
1 Obtain a text version of the rule or template that you wish to use. Valid data starts with “--- BEGIN COPIED RULES ---” and finishes with “--- END COPIED RULES ---”. Make certain that you include these lines when you import or export data, or your selected rules or templates will not work properly.

2 Select and copy the rule text, including the “--- BEGIN COPIED RULES ---” and “--- END COPIED RULES ---” lines.
3 On the System Compliance Profiler Rules tab in the ePolicy Orchestrator console, deselect the Inherit checkbox.
4 Navigate to the group where you want to import the data.
5 Right-click the group name, and click Paste. System Compliance Profiler uses the imported data as a new rule or group.
6 Click Apply to save your changes.

Archiving your custom rules for later use

The Archive button saves a snapshot of all groups and rules in your Custom Rules folder. You can use this feature to save the rules and rule groups that are currently in your Custom Rules group as a rule set.

Archiving a rule set
1 On the System Compliance Profiler Rules tab, deselect the Inherit checkbox.
2 In the System Compliance Profiler Rules list, select your rule set.
3 Click Archive. System Compliance Profiler asks for a name for the archived rule set. It uses the name of the current rule set by default.
4 Enter an archive name, then click OK. System Compliance Profiler adds the archived rule set to the Archives group in the Templates and Rules Archive list.

Restoring an archived rule set
1 On the System Compliance Profiler Rules tab, deselect the Inherit checkbox.
2 In the Archive list, open your Archives group.
3 Select the name of the rule set that you want to use.
4 Click Activate. System Compliance Profiler asks you to verify that you want to overwrite your existing rule set with the archived rule set.
5 Click OK.
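A structural check for rule text received from another administrator, run before the text is pasted into the Rules list as described under Importing and exporting rules to and from plain text. This is an added example, not McAfee code: the Name_index=value field pattern is inferred from the sample in this guide, the function names are hypothetical, and the sample text is constructed from the lines shown there.

```python
import re

# Delimiter lines as quoted in the guide. The hyphen count is matched loosely
# (assumption) because the guide shows both two- and three-hyphen forms.
BEGIN_RE = re.compile(r"^-{2,}\s*BEGIN COPIED RULES\s*-{2,}$")
END_RE = re.compile(r"^-{2,}\s*END COPIED RULES\s*-{2,}$")
# Field lines in the guide's sample look like Name_<index>=value, where the
# index is "0" or a nested form such as "1_1" (pattern inferred, not documented).
FIELD_RE = re.compile(r"^(Rule[A-Za-z]+)_(\d+(?:_\d+)*)=(.*)$")

# Constructed sample: the field lines shown in the guide, without the elided part.
SAMPLE = """\
--- BEGIN COPIED RULES ---
RuleLabel_0=MS02-055 Unchecked buffer in Windows
RuleEnabled_0=true
RuleGroup_0=false
RuleType_0=2
RulePath_1_1=Internet Explorer
RuleName_1_1=iexplore.exe
RuleCompare_1_1=1
RuleValue_1_1=6.0.3790.0
--- END COPIED RULES ---
"""


def inspect_rule_text(text):
    """Return (entries, problems) for a pasted rule export.

    entries maps an index string ("0", "1_1") to a dict of that entry's
    fields. problems lists structural findings; an empty list means the
    block is intact, not that the rules themselves are appropriate.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    problems = []
    begins = [i for i, ln in enumerate(lines) if BEGIN_RE.match(ln)]
    ends = [i for i, ln in enumerate(lines) if END_RE.match(ln)]
    if len(begins) != 1:
        problems.append(f"expected 1 BEGIN line, found {len(begins)}")
    if len(ends) != 1:
        problems.append(f"expected 1 END line, found {len(ends)}")
    if problems:
        return {}, problems
    start, stop = begins[0], ends[0]
    if stop < start:
        return {}, ["END line appears before BEGIN line"]
    if start != 0 or stop != len(lines) - 1:
        problems.append("text outside the BEGIN/END lines (mail quoting or signature?)")

    entries = {}
    for ln in lines[start + 1:stop]:
        m = FIELD_RE.match(ln)
        if not m:
            # Typical causes: "> " mail quoting, wrapped lines, hand edits.
            problems.append(f"not a Name_index=value line: {ln!r}")
            continue
        name, index, value = m.groups()
        fields = entries.setdefault(index, {})
        if name in fields:
            problems.append(f"duplicate field {name}_{index}")
        fields[name] = value
    return entries, problems


def summarize(entries):
    """List (index, label, enabled) so a reviewer sees what would be imported."""
    return [
        (index, fields.get("RuleLabel", "<no label>"), fields.get("RuleEnabled"))
        for index, fields in sorted(entries.items())
    ]


if __name__ == "__main__":
    parsed, findings = inspect_rule_text(SAMPLE)
    for row in summarize(parsed):
        print(row)
    print("problems:", findings or "none")
```

The check only looks at structure; the meaning of values such as RuleType or RuleCompare is not interpreted, so the imported rule should still be opened in the Edit Rule page and reviewed before it is enabled.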

Scheduling System Compliance Profiler on-demand scan tasks

System Compliance Profiler includes an On-Demand Scan client task. In ePolicy Orchestrator 3.0, it is added when you install the System Compliance Profiler NAP file. This scan task is included in ePolicy Orchestrator 3.5 and 3.6 by default.

System Compliance Profiler uses the on-demand scan to collect compliance information about the computer on which it is installed. This is the only way that System Compliance Profiler collects this information, so it is important to schedule these scans to run frequently and regularly. At the next agent-to-server communication (ASCI) after a successful scan completes, the agent communicates the scan results back to the ePolicy Orchestrator server. These results are stored in the database, where you can view task results by generating System Compliance Profiler reports.

What’s in this section

This section covers the basics on how to use the ePolicy Orchestrator console to create, configure, and schedule an on-demand scan for System Compliance Profiler. Many aspects of creating and scheduling this scan are similar to other client tasks in ePolicy Orchestrator. You can configure, schedule, and run client-side scan tasks for the System Compliance Profiler through the ePolicy Orchestrator console just as you would create update tasks for the agent or on-demand scans for other security products installed on client computers like VirusScan Enterprise or GroupShield for Exchange servers. You can set up scan tasks for a single computer, or for all the computers that belong to a group or site. For more information about running client tasks through ePolicy Orchestrator, see the ePolicy Orchestrator Product Guide.

How to set up a System Compliance Profiler on-demand scan
1 Create a new System Compliance Profiler on-demand scan.
2 Enable and schedule the new on-demand scan task.

The rest of this section covers these steps in more detail.

Create a new System Compliance Profiler on-demand scan
1 In the console tree, right-click the site, group, or node for which you want to create a new task, then select Schedule Task.
2 In the Schedule Task dialog box, in the New Task Name text box, enter a descriptive name for the task, such as Daily SCP on-demand scan.

3 Select System Compliance Profiler 1.1 On-Demand Scan from the software tasks list.

Figure 4-5 Create a System Compliance Profiler on-demand scan

4 Click OK.
5 Press F5 to refresh the console and make the new task appear in the list in the Task tab. Note that it is scheduled to run daily at the current day and time. Also note that the Enabled flag is set to False—we now need to set this to True and schedule it.

Enable and schedule the new on-demand scan task

After you’ve created a new task, enable and schedule it so that it runs at regular intervals that you specify. How often you schedule the task is up to you. The example in these instructions shows how to schedule it to run once a day. See the ePolicy Orchestrator Product Guide for more information on scheduling client tasks.

To enable and schedule the new task you just created:

1 Right-click the new task in the task list and select Edit Task.

Figure 4-6 Edit the newly created scan task

2 Deselect Inherit under the Schedule Settings section of the ePolicy Orchestrator Scheduler dialog box.
3 Select Enable. This is very important—the scan does not run unless you enable it!
4 Click the Schedule tab and deselect Inherit.
5 Set the Schedule Task options as desired. For example, you might want to schedule it to run Daily at a specified local time on the machine. See the ePolicy Orchestrator Product Guide for more detailed information on scheduling client tasks.
6 When you have finished scheduling the task, click OK.

The task is now listed in the Tasks list with its Enabled property set to True. The task will run at the next scheduled time that you have configured. Note that the task will be passed to System Compliance Profiler clients deployed on computers the next time the agent for each computer calls into the server as part of its regular ASCI. If you want clients to pick up the new scan task immediately (for example, if you have scheduled the task to Run Immediately), you can initiate a manual agent wakeup call. See Performing an agent wakeup call on page 51 or the ePolicy Orchestrator Product Guide for more information on agent wakeup calls.

Update pre-defined System Compliance Profiler rules from McAfee

McAfee may release new templates for System Compliance Profiler from time to time. To obtain the latest software and template releases, you must update the software. System Compliance Profiler 1.1 allows you to automatically update pre-defined McAfee rules by using the same update procedure that you’re already using for updating anti-virus DAT and engine files used by your anti-virus software, such as VirusScan Enterprise. You should be already using regularly scheduled repository pull and replication tasks to update your software repositories with new DATs and engines, and then using scheduled client update tasks to deploy these updates to client computers on your network. You can use these same update tasks to also update your System Compliance Profiler rules.

Overview of update process: same as for DATs

Basically, update your System Compliance Profiler rules as follows:
1 Pull pre-defined rules from the McAfee web site to your master software repository on your ePolicy Orchestrator server using a repository pull task. This can either be a manual Pull Now server task, or you can create a scheduled pull task to pull updates from the McAfee source repository at regularly scheduled intervals.
2 Replicate the updates in the master repository to any distributed repositories, if you have them.
3 Schedule an ePolicy Orchestrator Agent Update client task to have your client computers update their System Compliance Profiler rules from the nearest repository.

See the ePolicy Orchestrator Product Guide for details on how to create and schedule all these to update both DATs and System Compliance Profiler Rules.

Be sure to configure selective updating appropriately if you’re using ePolicy Orchestrator 3.5 or 3.6

If you’re using ePolicy Orchestrator 3.5 or 3.6, remember that the selective updating feature doesn’t update all signatures automatically. You can selectively choose which individual updates (DATs, engine files, ePolicy Orchestrator agent or anti-virus software patches, etc) are updated each time an update task runs. By default, all updates except DATs and anti-virus engines are disabled in all client tasks.

The selective updating feature allows you to save bandwidth by scheduling different updates for different software exactly when you need them. For example, DATs are updated frequently, so you will want to have one scan task to update them, probably at least once per day. On the other hand, service packs for security products such as VirusScan Enterprise are released much less often. You can create a separate client update task to only update VirusScan Enterprise patches and schedule it to run less frequently, perhaps once a week. Or, you can limit network traffic generated by ePolicy Orchestrator even more by not scheduling this task at all, but rather run it manually when patches are released.

Tip: To conserve network bandwidth, especially if you are deploying ePolicy Orchestrator to a large network, consider creating a separate client update task for updating compliance scan rules. Schedule it to run less frequently than your DAT update task. McAfee updates System Compliance Profiler rules about once per month, much less frequently than anti-virus DATs, which are updated weekly or several times per week. For example, while you might want to schedule your DAT client update task to run several times per day, try scheduling your System Compliance Profiler rules update task for once a week. Alternatively, you could schedule it to run immediately and leave it disabled, only running it manually when McAfee posts updated rules.

To configure an existing client update task to also update your pre-defined McAfee System Compliance Profiler rules:
1 In the ePolicy Orchestrator console tree, select the Directory node for which you want to configure the task (either the Directory root, or a site, group, or individual computer).
2 In the upper details pane, select the Tasks tab.

3 Open your ePolicy Orchestrator Agent Update task by double-clicking it.
4 In the ePolicy Orchestrator Scheduler dialog box, select the Task tab and click Settings.
5 In the Task Settings dialog box, select System Compliance Profiler Rules from the list of Signatures and Engines.

Figure 4-7 Task Settings dialog box

6 Click Apply to save the changes.

ePolicy Orchestrator will push the changes to the client update task to each client the next time that computer’s agent calls into the ePolicy Orchestrator server. The update task will run on the client at the next scheduled time.

Tip: The global updating functionality of ePolicy Orchestrator uses the same selective updating feature as the agent update client task. In global updating, selective updating allows you to control what kinds of updates trigger a global update. By default, a global update is triggered only if DAT or engine files are checked into the master repository. To enable compliance rules for global updating, select the System Compliance Profiler rules option. Configure global updating on the Settings tab of the ePolicy Orchestrator console. See the ePolicy Orchestrator Product Guide for more information on how to do this and for using the global updating feature.

5 Working with Scan Results

Run reports in ePolicy Orchestrator to display scan results

When you scan network computers using System Compliance Profiler, the ePolicy Orchestrator agent on these computers sends the scan results to the ePolicy Orchestrator server. To review their results, you run reports using the ePolicy Orchestrator reporting feature. This section provides an overview of how to create System Compliance Profiler reports in ePolicy Orchestrator.

What’s in this chapter

System Compliance Profiler reports
About running System Compliance Profiler reports in ePolicy Orchestrator
Generating System Compliance Profiler reports

System Compliance Profiler reports

When you install the System Compliance Profiler software, you add several report templates to ePolicy Orchestrator as well. To generate a System Compliance Profiler report, you must select one of these reports and, if necessary, customize it to show only the information you want. For example, you can select the time period that you want to generate reports on. Once you generate a report, you can:

Save the report in several formats, including HTML, RTF and XLS (Microsoft Excel).
Print the report, including any detailed reports.
Search the report.
Refresh the report.

For more information on these actions and on reporting, see your ePolicy Orchestrator documentation.

Drilling-down for detailed report information

In many cases you can drill down for more details on a report. When viewing reports, look for areas where your mouse pointer turns into a magnifying glass icon. This icon represents report data that you can get more information on. Double-click the report data. ePolicy Orchestrator will produce a Details report.

The following table describes the reports available for each System Compliance Profiler report.

Historical Summary by Severity

This report displays information about all detected rule violations, the time when these were detected, and the associated severity levels. This data is shown both in bar graph form, and in a summary table.

Table 5-1 Drill-down details

Detail | Description
Severity Details | Provides a list of the groups that contain rule violations for a specific severity level. Also indicates how many violations each group registered.
Group Details | Provides a list of rules violated within a specific group, and the number of times each rule was violated.
Rule Details | Provides detailed information on a specific rule, indicating which computers violated it, and when.

Compliance & Non-Compliance Summary

This report shows the number of scanned computers that are:

Compliant with System Compliance Profiler rules.
Not compliant with one or more rules.
“Unknown,” either because they have not run any scan yet, or because they have not run the most recent scan.

This information is shown in both a pie chart and in a summary table.

Warning: Version 1.1 includes a reboot required field for computers that were not compliant when the scan ran, but who most likely would be if they were rebooted. This can happen when the System Compliance Profiler scan runs after a patch or service pack is installed but before a required reboot of that system occurs. Computers in this state will likely become compliant as soon as they are rebooted.

Table 5-2 Drill-down details

Detail | Description
Non-Compliant Computers | Provides a list of computers that contributed to the percentage of non-compliant computers.
Computer Details | For a specific computer, provides system information and a list of groups containing rule violations.
Group Details | For a specific group, provides a list of violated rules, broken down by severity level.

Non-compliance by Computer Name

This report presents a table that shows how many rules each non-compliant computer violates, and at what severity level. The table lists each scanned computer’s host name and IP address.

Table 5-3 Drill-down details

Detail | Description
Computer Summary | Provides system information for a specific computer, and a list of the groups that have rule violations.
Rule Violation Details | Provides a list of the rules violated within a specific group, as well as when these violations occurred, and at what severity level.

Non-Compliance Summary by Group

This report shows how many rule violations System Compliance Profiler found for each of your rule groups. The information is presented in both tabular and bar graph format.

Table 5-4 Drill-down details

Detail | Description
Group Details | Provides a list of the rules violated within a specific group, and a count of how many computers violated each rule.
Computer Summary | Provides a list of computers that violated a specific rule, and their general system information.
Violation Time Details | Provides system information for a specific computer, and the time when it violated the selected rule.

Non-Compliance Summary by Severity

This report shows how many rule violations System Compliance Profiler found for each rule severity level. The information is presented in both tabular and bar graph format.

Table 5-5 Drill-down details

Detail | Description
Severity Details | Provides a list of groups that contributed to the total number of violations at a specific severity level.
Group Details | Provides a list of the rules violated within a specific group, as well as when these violations occurred.
Rule Details | Provides detailed information on a specific rule, indicating which computers violated it.

About running System Compliance Profiler reports in ePolicy Orchestrator

Before running reports on System Compliance Profiler scan results for the first time, follow the instructions in this section to enable new System Compliance Profiler reports. This section covers the following topics:

Enable System Compliance Profiler reports before running them the first time.
Make sure latest scan results are in the database before running reports.

Enable System Compliance Profiler reports before running them the first time

This section covers a few things you may need to do to enable new System Compliance Profiler reports with ePolicy Orchestrator. You may need to do these even if you are running ePolicy Orchestrator 3.5 or 3.6, and the System Compliance Profiler reports were added automatically when you installed the ePolicy Orchestrator server.

Deploy System Compliance Profiler to the ePolicy Orchestrator server if using ePolicy Orchestrator 3.0.x

If you are running System Compliance Profiler 1.1 with ePolicy Orchestrator version 3.0.x, you must deploy System Compliance Profiler to your ePolicy Orchestrator server in order for reports to work properly. Install the System Compliance Profiler on your ePolicy Orchestrator server as you would install it on any computer in your network, including the ePolicy Orchestrator server. You can install it manually or use the ePolicy Orchestrator deployment task. See Chapter 3, Deploying the System Compliance Profiler client scanner for more details on how to install System Compliance Profiler on client computers.

Log into database with ePolicy Orchestrator admin credentials the first time

The first time you access your System Compliance Profiler reports after installing or upgrading the software, you may need to log in to the ePolicy Orchestrator Reporting feature using your ePolicy Orchestrator credentials. Afterward, you can log in using any credentials, such as SQL credentials to your database server. To do this:
1 Start ePolicy Orchestrator and log on to your server.
2 In the console tree, expand Reporting.
3 Expand ePO Databases. Your ePolicy Orchestrator server name should appear below this node.
4 Select your server name to open the ePO Database Login dialog box.

If you only want to run a report on one site or group.

5 Enter the user name and password for your ePolicy Orchestrator admin account.

Figure 5-1 Log into the database using ePolicy Orchestrator admin credentials

6 Make sure the Authentication type is set to ePO authentication.
7 Click OK. Wait while the ePolicy Orchestrator downloads the new reports for System Compliance Profiler.

You can now generate System Compliance Profiler reports using the event data stored on this ePolicy Orchestrator server.

Make sure latest scan results are in the database before running reports

You cannot create System Compliance Profiler reports unless you have data to base them on. This data comes from computers running System Compliance Profiler, via ePolicy Orchestrator agents. These computers collect data during the scans that you set up. They then send this data to the server each time the ePolicy Orchestrator agent communicates with the server. At each agent ASCI, the data is stored in the ePolicy Orchestrator database for use in your reports.

There is always a delay between when a computer finishes a scan and when you can run reports based on its results in ePolicy Orchestrator. Two major factors influence this delay:

- The completeness of a scan. If a scan fails to finish, System Compliance Profiler may not pass along complete results to ePolicy Orchestrator.
- The agent-to-server communication interval (ASCI). Your System Compliance Profiler computers communicate with ePolicy Orchestrator at specific intervals. If a scan finishes shortly after an agent/server update, the agent does not pass on the scan results until its next agent/server communication.

The agent-to-server communication interval is determined by your ePolicy Orchestrator Agent policy settings. The key settings are the Agent to Server communication interval on the General tab, and the Event Forwarding settings on the Events tab on the ePolicy Orchestrator Agent | Configuration policy pages. By default the agent ASCI is set to 60 minutes. You can lower the default values to reduce the communication lag between System Compliance Profiler and ePolicy Orchestrator. See the ePolicy Orchestrator documentation for more information.

Performing an agent wakeup call

You can also force ePolicy Orchestrator to collect agent information between communication intervals by performing an Agent Wakeup Call. This forces ePolicy Orchestrator to update the ePO agent(s) immediately.

1 In ePolicy Orchestrator’s Directory, right-click the name of the site, group, or computer that you want to update.
2 Select Agent Wakeup Call. The Agent Wakeup Call dialog box appears.
3 Under Type, select Send Agent wakeup call.
4 Change the Agent randomization interval to 0.
5 Select Get full product properties.
6 Click OK to send the agent wakeup call.

If you only want to run a report on one site or group

ePolicy Orchestrator allows you to run reports for computers in specific sites or groups in the console tree Directory. To do this:

1 In ePolicy Orchestrator’s console tree, expand Reporting, then ePO Databases.
2 Right-click the name of your ePolicy Orchestrator server.
3 Select Set Directory Filter to open the Directory Filtering dialog box.
4 Select any ePolicy Orchestrator groups that you want your System Compliance Profiler reports to cover.
5 Click OK.

Generating System Compliance Profiler reports

When you generate a System Compliance Profiler report, you have the option of customizing it. This means that you can specify what information you want included in the report, what filters you want to apply, and how you want the report displayed.

Tip: As a best practice, McAfee recommends that you perform an Agent Wakeup Call for all System Compliance Profiler computers before generating any reports. This guarantees that your reports will include all the latest scan results. See Performing an agent wakeup call on page 51 for instructions.

To generate a report for System Compliance Profiler:

1 In the ePolicy Orchestrator console tree, expand Reporting, then ePO Databases.
2 Double-click the name of your ePolicy Orchestrator server to expand it. Reports, Queries, and Events should appear below the server name.

3 Expand Reports, then System Compliance Profiler.

Figure 5-2 System Compliance Profiler reports in ePolicy Orchestrator

ePolicy Orchestrator displays a list of all System Compliance Profiler reports. See System Compliance Profiler reports on page 46 for a list. If the reports don’t appear in the expanded list, see Enable System Compliance Profiler reports before running them the first time on page 49.

4 Select the report that you want to run. ePolicy Orchestrator asks whether you want to customize the report.
5 Do one of the following:

Table 5-6
To                               Do
Generate the report immediately  Click No. Skip the rest of this procedure.
Customize the report             Click Yes.

6 In the customization dialog box, set up any filters that you want to apply.

Table 5-7
Tab               Use to
Rule Description  Filter the results based on rule description criteria.
IP Address        Identify which IP addresses you want to see results from.
Severity          Identify which levels of rule violations you want to see results from.
Event Time        Filter based on when rule violations occurred.
Domain Name       Identify which network domain(s) you want to see results from.
Directory         Identify which ePolicy Orchestrator site(s) you want to see results from.
OS Type           Filter based on a specific operating system version (for example, Windows 2000).
OS Platform       Filter based on a specific operating system type (for example, Server or Workstation).
Computer Name     Identify which computers you want to see results from.

7 Click OK. ePolicy Orchestrator generates the report and displays it in the details pane.

6 Frequently Asked Questions

Answers to common questions around installing and using System Compliance Profiler with ePolicy Orchestrator

This section provides answers to common situations that you might encounter when installing or using the System Compliance Profiler software. This section answers common questions concerning:

- Installations
- Policies
- Scans
- Reports

Installations

How can I verify that System Compliance Profiler deployed properly?

There are two ways to check whether the System Compliance Profiler software is deployed on a remote computer:

- In the ePolicy Orchestrator console: In the console tree, select the name of the remote computer. Select the Properties tab from the Details pane. System Compliance Profiler should appear in the list of installed applications.
- On the client computer: Find the ePolicy Orchestrator agent icon in the system tray. Right-click it, and select About. System Compliance Profiler should appear in the Version Information list.

Note: To access the agent About dialog box from the client computer, you must enable the user interface for the ePolicy Orchestrator agent. This option is disabled by default. To enable the interface on the client, use the agent policy pages in the ePolicy Orchestrator console to select the Show agent tray icon option. See the ePolicy Orchestrator documentation for details.

Can I deploy System Compliance Profiler using third-party software?

Yes. To deploy System Compliance Profiler using a third-party tool, configure your deployment software to distribute and execute PatchScanInstaller.exe on target computers.

Also, be sure to deploy ePolicy Orchestrator agents to all computers to which you deploy the System Compliance Profiler. ePolicy Orchestrator will then detect the deployed System Compliance Profiler software and send out rules and scan tasks. Furthermore, before you can use the deployed software, you must:

- Manually install the System Compliance Profiler NAP on your ePolicy Orchestrator server (see Chapter 2, Adding System Compliance Profiler to ePolicy Orchestrator).
- Set up rules and scan tasks in ePolicy Orchestrator (see Using compliance rules and scans on page 29).

If you are using ePolicy Orchestrator 3.0.x, you must deploy the software to your ePolicy Orchestrator server in order for compliance reporting to work (this is not required with ePolicy Orchestrator 3.5 or 3.6).

To remove the System Compliance Profiler software, configure your deployment tool to run PatchScanInstaller.exe /u from either the target computer’s system32 or system directory.

Policies

Can I share rules with other System Compliance Profiler administrators?

Yes. You can copy a System Compliance Profiler rule, group, or archived rule set, and send the data to other users in plain text format. You can also take data that they send you and paste the plain text version directly into a System Compliance Profiler rule group. See Importing and exporting rules to and from plain text on page 39.

Can I export and import policies using ePolicy Orchestrator?

Yes, you can use ePolicy Orchestrator’s policy export feature to create a copy of a System Compliance Profiler rule set. See your ePolicy Orchestrator documentation for details. Note, however, that when you import the policy, it overwrites all custom, predefined, and archived rules. To avoid affecting a user’s templates and archived rule sets, use the System Compliance Profiler text export and import features. For more information, see Importing and exporting rules to and from plain text on page 39.

Scans

How do I determine whether a scan finished properly?

- Generate a System Compliance Profiler report and look for results.
- Check the ePolicy Orchestrator agent log on the scanned computer. When a scan runs successfully, the following entry appears in the ePolicy Orchestrator agent log:

  The task <TaskName> is successful.

<TaskName> is the name you assigned to the System Compliance Profiler on-demand scan task in ePolicy Orchestrator. See Scheduling System Compliance Profiler on-demand scan tasks on page 41.

Can I run a System Compliance Profiler scan from a remote computer?

No, you cannot start a System Compliance Profiler task manually on a remote computer. The System Compliance Profiler software is entirely managed by ePolicy Orchestrator.

Reports

Why don't I see any System Compliance Profiler reports in ePolicy Orchestrator?

- If you are using ePolicy Orchestrator 3.0.x, make certain that you added the Patch_Reports.nap file to the ePolicy Orchestrator Repository. (See Adding System Compliance Profiler to the ePolicy Orchestrator server on page 20.) The reporting NAP is added automatically with ePolicy Orchestrator 3.5 and 3.6.
- Try logging into the ePolicy Orchestrator Reporting feature using your ePolicy Orchestrator admin credentials instead of an NT or SQL account. You only need to do this the first time you access reports. Afterward, you can log in using any credentials. (See About running System Compliance Profiler reports in ePolicy Orchestrator on page 49.)

Why don't I see scan results in my reports?

- If you are using ePolicy Orchestrator 3.0.x, make certain that you deployed the System Compliance Profiler software to your ePolicy Orchestrator server as well as to your remote computers. If you do not deploy the software to the ePolicy Orchestrator server, your reports will not work properly. (See Removing System Compliance Profiler from the ePolicy Orchestrator server on page 22.)
- Make certain that you created and scheduled a System Compliance Profiler scan task in ePolicy Orchestrator. (See Scheduling System Compliance Profiler on-demand scan tasks on page 41.)
- Make certain that System Compliance Profiler had enough time to report its scan results to ePolicy Orchestrator. There is a time delay between when a scan runs and when the scan results become available to ePolicy Orchestrator, depending on your ASCI. (See If you only want to run a report on one site or group on page 51.)
- Make certain that System Compliance Profiler should be reporting results. If a computer complies with all your System Compliance Profiler rules, and has never violated them, then you will not see results for that computer in most reports. Only the Compliance/Non-Compliance Summary report shows compliant computers; all other reports show only rule violations.

Why do I get the following error message in my report: “Please verify that the System Compliance Profiler is deployed to your ePolicy Orchestrator server and that you have received data from the deployed System Compliance Profilers.”

This message appears in your reports if:

- If you are using ePolicy Orchestrator 3.0.x, you did not deploy the System Compliance Profiler software to your ePolicy Orchestrator server. (See Removing System Compliance Profiler from the ePolicy Orchestrator server on page 22.)
- Your deployed System Compliance Profilers have not yet returned the results from scans that you set up. (See About running System Compliance Profiler reports in ePolicy Orchestrator on page 49.)

What does “Unknown Scan Results” mean?

This message appears in your reports to indicate that System Compliance Profiler does not have the most up-to-date scan results for specific computers or groups. This occurs each time you set up new rules for your System Compliance Profiler scans. When you do this, the software changes the status of all your existing System Compliance Profiler computers to Unknown. They remain in that state until they finish a scan using the new rules, and return those scan results to ePolicy Orchestrator. Once computers return results using the latest set of System Compliance Profiler rules, their status in reports changes to something more informative.

To apply your latest System Compliance Profiler rules and get scan results faster, perform an Agent Wakeup Call in ePolicy Orchestrator. See Performing an agent wakeup call on page 51.

A System Compliance Profiler metrics

This section provides metrics for the amount of bandwidth that System Compliance Profiler uses during scans, and the amount of space it uses in ePolicy Orchestrator tables.

Network bandwidth

System Compliance Profiler scans do not require many local or network resources. While the exact amount of network traffic will vary based on how many rules a given computer receives, the average bandwidth requirement is approximately 200 bytes per rule.

Sample data

Table A-1
Policy file contains                     Policy file size
Five patch-based rules                   661 bytes
Sixty rules (fifteen of each rule type)  20,327 bytes

Client memory use

The deployed System Compliance Profiler software uses 630,977 bytes of memory on all remote computers.

ePolicy Orchestrator impact

System Compliance Profiler stores data in the ePolicy Orchestrator event table. The amount of space used varies depending on the scan results that System Compliance Profiler receives.

248 bytes 6. failed Twenty rules. passed Twenty rules.1 Product Guide System Compliance Profiler metrics ePolicy Orchestrator impact A Sample data Table A-2 Scan details Five rules.944 bytes 35. passed Sixty rules.744 bytes 44. passed Table space used 5. failed Sixty rules.System Compliance Profiler® 1.148 bytes 19.544 bytes 22. failed Five rules.564 bytes 59 .

