Solved

How do I change the setting in ePolicy Orchestrator 4.6 to quarantine infected files, rather than to delete them?

Posted on 2015-01-22
538 Views
Last Modified: 2015-02-14
This is for the purpose of allowing recovery of "false positive" files. Please detail step-by-step, as I am not familiar with the product, and am new to it.
Question by:joukiejouk
6 Comments
 
LVL 13

Expert Comment

by:Alexios
ID: 40565974
LVL 64

Expert Comment

by:btan
ID: 40568098
Typically, most people just restore files from the McAfee VSE quarantine locally. If you have access to it, you can do it from the VirusScan Console via the Quarantine Manager Policy, e.g. click the Manager tab, right-click the required item and select Restore.

However, there are instances where the quarantine (.BUP) files have already been deleted, hence a means is needed to restore a quarantined file that is not listed in the VSE Quarantine Manager. The steps are shared at (note the utility to download separately) https://kc.mcafee.com/corporate/index?page=content&id=KB72755

Otherwise, another means is using an ePO scheduled task; please see
https://kc.mcafee.com/corporate/index?page=content&id=KB69918

However, if the scheduled task cannot restore, also check the workarounds, which include the local method (mentioned above), or escalate the false positive to McAfee accordingly, as it is due to the installed DAT file:
https://kc.mcafee.com/corporate/index?page=content&id=KB53925
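For the case the comment above raises, a quarantined item that Quarantine Manager no longer lists, here is an added example of how to read a .bup file directly. This is not part of the thread and not McAfee's utility from KB72755; it relies on the publicly documented layout of VSE quarantine files: a .bup is an OLE2 compound document whose streams ("Details" plus "File_0", "File_1", ...) are obfuscated by XORing every byte with 0x6A. Decoding "Details" gives the original path and the quarantine time, decoding "File_n" gives the original bytes back. Pulling the streams out of a real .bup uses the third-party olefile package (an assumption about your environment, imported lazily); the sample streams embedded below are constructed for this example, with keys modelled on the Details layout and invented values.

```python
"""Recover what a McAfee VSE .bup quarantine file holds (added example)."""
from __future__ import annotations

import configparser
from datetime import datetime
from pathlib import Path, PureWindowsPath

BUP_XOR_KEY = 0x6A  # every byte of every .bup stream is XORed with this value


def decode_stream(data: bytes) -> bytes:
    """Undo the .bup obfuscation (XOR is symmetric, so this also encodes)."""
    return bytes(b ^ BUP_XOR_KEY for b in data)


def parse_details(decoded: bytes) -> dict[str, dict[str, str]]:
    """Parse the decoded, INI-like Details stream into {section: {key: value}}."""
    text = "\n".join(decoded.decode("utf-8", errors="replace").splitlines())
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case: OriginalName, DATMajor, ...
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def quarantine_time(sections: dict[str, dict[str, str]]) -> datetime:
    """Local time the item was quarantined, from the Creation* keys."""
    d = sections["Details"]
    return datetime(*(int(d[f"Creation{part}"]) for part in
                      ("Year", "Month", "Day", "Hour", "Minute", "Second")))


def quarantined_files(sections: dict[str, dict[str, str]]) -> list[tuple[str, str]]:
    """(stream name, original path) for each File_n section; decoding the
    stream of that name gives the file's original bytes."""
    return [(name, kv["OriginalName"]) for name, kv in sections.items()
            if name.startswith("File_") and "OriginalName" in kv]


def describe(details_stream: bytes) -> dict:
    """Summarise a raw (still obfuscated) Details stream."""
    sections = parse_details(decode_stream(details_stream))
    return {
        "detection": sections["Details"].get("DetectionName", "?"),
        "quarantined_at": quarantine_time(sections).isoformat(),
        "files": quarantined_files(sections),
    }


def restore_file(file_stream: bytes, original_name: str, dest_dir: str | Path) -> Path:
    """Write a decoded File_n stream to dest_dir under its original base name.
    The result is the original (possibly executable) content again, so point
    dest_dir at a folder excluded from on-access scanning or it is re-detected
    until a DAT that fixes the false positive is installed."""
    dest = Path(dest_dir) / PureWindowsPath(original_name).name
    dest.write_bytes(decode_stream(file_stream))
    return dest


def read_bup(path: str | Path) -> dict[str, bytes]:
    """Decode every stream of a real .bup on disk. Needs the third-party
    'olefile' package (pip install olefile), imported lazily so the rest of
    this module works without it."""
    import olefile
    with olefile.OleFileIO(str(path)) as ole:
        return {"/".join(entry): decode_stream(ole.openstream(entry).read())
                for entry in ole.listdir(streams=True, storages=False)}


# Constructed sample: keys modelled on the Details layout, values invented.
SAMPLE_DETAILS_TEXT = (
    "[Details]\r\n"
    "DetectionName=Example.FalsePositive\r\n"
    "DetectionType=1\r\n"
    "EngineMajor=5600\r\n"
    "EngineMinor=1067\r\n"
    "DATMajor=7680\r\n"
    "DATMinor=0\r\n"
    "CreationYear=2015\r\n"
    "CreationMonth=1\r\n"
    "CreationDay=27\r\n"
    "CreationHour=22\r\n"
    "CreationMinute=25\r\n"
    "CreationSecond=11\r\n"
    "TimeZoneName=Central European Standard Time\r\n"
    "TimeZoneOffset=-60\r\n"
    "NumberOfFiles=1\r\n"
    "\r\n"
    "[File_0]\r\n"
    "ObjectType=5\r\n"
    "OriginalName=C:\\USERS\\ANALYST\\DOWNLOADS\\REPORT_TOOL.EXE\r\n"
    "WasAdded=0\r\n"
)
SAMPLE_DETAILS_STREAM = decode_stream(SAMPLE_DETAILS_TEXT.encode("ascii"))
SAMPLE_FILE_0_STREAM = decode_stream(b"constructed stand-in for the original file bytes")

if __name__ == "__main__":
    print(describe(SAMPLE_DETAILS_STREAM))
    print(decode_stream(SAMPLE_FILE_0_STREAM))
```

Usage on a real machine: `streams = read_bup(r"C:\Quarantine\<name>.bup")`, then `describe(streams["Details"])` to confirm it is the false positive you are looking for and `restore_file(streams["File_0"], original_name, dest_dir)` to get the bytes back. Copy the .bup to an analysis host first rather than restoring on the endpoint, since the restored file is the detected content again.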

Author Comment

by:joukiejouk
ID: 40568421
Since I am a novice to ePO, let's keep this simple. I am an admin who is now in charge of managing ePO. My IT security team do not have access rights to it, but they have requested that I make a change in ePO. See the embedded screenshot of the request.

From ePO console, how would I make this change? Please detail step-by-step.

request
LVL 64

Expert Comment

by:btan
ID: 40568742
Please see the link to "How to restore from a False Positive from the VirusScan Enterprise Quarantine using an ePO scheduled task", which also depicts the steps, at https://kc.mcafee.com/corporate/index?page=content&id=KB69918 (the previous post included this already). If it fails, see the other workarounds at https://kc.mcafee.com/corporate/index?page=content&id=KB78993

Author Comment

by:joukiejouk
ID: 40574576
I'm still very confused. In viewing my VSE Console on my computer, I see the option of actions to take when a threat is found (see screenshot). What does "Clean file automatically" do? Does it delete the threat? I do not see an option to quarantine the threat. This policy is applied from ePO. In ePO, I want to be able to change this setting to quarantine if there is an option for it. Where would I find this setting in ePO, as what is shown in the screenshot on my client computer?

2015-01-27-22-25-11.png
LVL 64

Accepted Solution

by:btan (earned 500 total points)
ID: 40574851
I will use this guide (https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22941/en_US/vse_880_product_guide_en-us.pdf) as a reference and extract the information relating to your query, for ease of further reading too. Pardon me if it has not been clear on recovery of the quarantined files; those queries are more about the onset, getting it quarantined in the first place.

1. What does "Clean file automatically" do? Does it delete the threat?
If VirusScan Enterprise is configured to clean automatically (the suggested default setting), the resulting action depends on the cleaning instruction from the DAT file. For example, if the scanner cannot clean a file, or if the file has been damaged beyond repair, the scanner might delete the file or take the secondary action, depending on the definition in the DAT file. When the scanner denies access to files with potential threats, it adds an .mcm extension to the file name when the file is saved.

2. I do not see an option to quarantine the threat. This policy is applied from ePO. In ePO, I want to be able to change this setting to quarantine if there is an option for it. Where would I find this setting in ePO, as what is shown in the screenshot on my client computer?
Items that are detected as threats are cleaned or deleted. Plus, a copy of the item is converted to a non-executable format and saved in the Quarantine folder. This allows you to perform processes on the quarantined items after downloading a later version of the DAT that possibly contains information that can clean the threat.
These additional processes include:
• Restore.
• Rescan.
• Delete.
• Check for false positive.
• View detection properties.

Also, there are suggested ways to configure the quarantine, either via

(A) Using ePolicy Orchestrator 4.5 or 4.6 to configure the Quarantine Manager Policies (see page 76)
Task
For option definitions, click ? in the interface.
1. Click Menu | Policy | Policy Catalog, then from the Product list select VirusScan Enterprise 8.8.0. The Category list displays the policy categories for VirusScan Enterprise 8.8.0.

2. Edit an existing policy or create a new policy:
Edit an existing policy
a. From the Category list, select the policy category.
b. From the Actions column, click Edit Setting to open the policy configuration page.
Create a new policy
a. Click Actions | New Policy to open the New Policy dialog box.
b. From the Category list, select an existing policy.
c. From the Create a new policy based on this existing policy list, select one of the settings.
d. Type a new policy name.
e. Type any notes, if required.
f. Click OK. The new policy appears in the list of existing policies.
g. From the Actions column of the new policy, click Edit Setting to open the policy configuration page.

3. From the Settings for list, select Workstation or Server.

4. From the Quarantine page, accept the default quarantine directory, or select a different directory.

5. To configure the days the quarantined items are saved, click Automatically delete quarantined data after the specified number of days and type the Number of days to keep backed-up data in the quarantine directory.

OR

(B) Using the VirusScan Console to configure the Quarantine Manager Policy (see page 77)
Task
For option definitions, click ? in the interface.
1. From the Task list, right-click Quarantine Manager Policy, then click Properties to open the Quarantine Manager Policy dialog box.

2. Accept the default quarantine directory, or select a different directory.

3. To configure the days the quarantined items are saved, click Automatically delete quarantined data after the specified number of days and type the Number of days to keep backed-up data in the quarantine directory.
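Step 5 of the policy above is the setting that decides whether a false positive is still recoverable later: once "Automatically delete quarantined data after the specified number of days" is on, anything older than that number of days is purged from the quarantine directory and disappears from Quarantine Manager. The following is an added example, not part of the thread or of McAfee's product, that audits a client's quarantine folder against that retention value and copies the .bup files that are about to be purged to a holding folder. It assumes VSE's default quarantine directory is C:\Quarantine and the default retention is 28 days (verify both in your policy), and it uses each .bup's modification time as a proxy for the quarantine time. The sample entries built into it are constructed.

```python
"""Audit a VSE quarantine folder against the auto-delete retention (added example)."""
from __future__ import annotations

import shutil
from dataclasses import dataclass
from datetime import datetime
from pathlib import Path

DEFAULT_QUARANTINE_DIR = r"C:\Quarantine"  # assumed VSE 8.8 default; check the policy
DEFAULT_KEEP_DAYS = 28                      # assumed policy default; check step 5 above


@dataclass
class QuarantineItem:
    path: Path
    quarantined_at: datetime
    age_days: float
    days_left: float
    status: str  # "ok", "expiring" or "overdue"


def scan(quarantine_dir: str | Path) -> list[tuple[Path, datetime]]:
    """Every .bup in the folder with its mtime (proxy for the quarantine time)."""
    root = Path(quarantine_dir)
    return [(p, datetime.fromtimestamp(p.stat().st_mtime))
            for p in sorted(root.glob("*.bup"))]


def classify(entries, keep_days: int, now: datetime, warn_days: int = 7) -> list[QuarantineItem]:
    """Pure retention arithmetic, kept apart from the filesystem so it is testable.
    'overdue' items are past the retention period (the next auto-delete run removes
    them); 'expiring' items have at most warn_days left; the rest are 'ok'."""
    items = []
    for path, when in entries:
        age = (now - when).total_seconds() / 86400
        left = keep_days - age
        if left <= 0:
            status = "overdue"
        elif left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        items.append(QuarantineItem(Path(path), when, round(age, 2), round(left, 2), status))
    return items


def preserve(items, archive_dir: str | Path) -> list[Path]:
    """Copy expiring/overdue .bup files out of the quarantine folder so they survive
    auto-delete. They stay in the quarantine's non-executable form, so the copy is
    not the detected file; they can still be restored later by the ePO task or the
    KB72755 method once the DAT false positive is fixed."""
    dest_root = Path(archive_dir)
    dest_root.mkdir(parents=True, exist_ok=True)
    return [Path(shutil.copy2(item.path, dest_root / item.path.name))
            for item in items if item.status != "ok"]


def report(items) -> str:
    """Plain-text table, most urgent first."""
    lines = [f"{'status':9} {'left':>6}  {'quarantined':16}  file"]
    for it in sorted(items, key=lambda i: i.days_left):
        lines.append(f"{it.status:9} {it.days_left:6.1f}  "
                     f"{it.quarantined_at:%Y-%m-%d %H:%M}  {it.path.name}")
    return "\n".join(lines)


# Constructed sample: three .bup entries seen from a fixed "now".
SAMPLE_NOW = datetime(2015, 2, 14, 12, 0, 0)


def sample_entries() -> list[tuple[str, datetime]]:
    return [
        ("fresh.bup", datetime(2015, 2, 13, 12, 0, 0)),  # 1 day old
        ("soon.bup", datetime(2015, 1, 22, 12, 0, 0)),   # 23 days old, 5 left
        ("old.bup", datetime(2015, 1, 10, 12, 0, 0)),    # 35 days old, already overdue
    ]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real run: python audit.py <quarantine dir> [<archive dir>]
        found = classify(scan(sys.argv[1]), DEFAULT_KEEP_DAYS, datetime.now())
        print(report(found))
        if len(sys.argv) > 2:
            for p in preserve(found, sys.argv[2]):
                print("preserved", p)
    else:
        print(report(classify(sample_entries(), DEFAULT_KEEP_DAYS, SAMPLE_NOW)))
```

Run it on the endpoint as `python audit.py C:\Quarantine D:\bup-hold` before the retention window closes; the authoritative quarantine time is in the .bup's Details stream (Creation* keys), so treat the mtime-based age as an approximation and keep a margin.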
