Solved

How do I change the setting in ePolicy Orchestrator 4.6 to quarantine infected files, rather than to delete them?

Posted on 2015-01-22
489 Views
Last Modified: 2015-02-14
This is for the purpose of allowing recovery of "false positive" files. Please detail step-by-step, as I am not familiar with the product, and am new to it.
Question by:joukiejouk
6 Comments
 
LVL 13

Expert Comment

by:Alexios
ID: 40565974
 
LVL 63

Expert Comment

by:btan
ID: 40568098
Typically, most may just restore files from the McAfee VSE quarantine locally. If you have access to it, you can do it from the VirusScan Console via the Quarantine Manager Policy, e.g. click the Manager tab, right-click the required item and select Restore.

However, there are instances where quarantine (.BUP) files can already have been deleted, hence the need for a means to restore a quarantined file not listed in the VSE Quarantine Manager. The steps are shared in (note the utility to download separately) https://kc.mcafee.com/corporate/index?page=content&id=KB72755

Otherwise, another means is using an ePO scheduled task; please see
https://kc.mcafee.com/corporate/index?page=content&id=KB69918

However, if the scheduled task cannot restore, also check the workarounds, which include local restore (mentioned above), or escalate the false positive to McAfee accordingly, as it is due to the installed DAT file
https://kc.mcafee.com/corporate/index?page=content&id=KB53925
 

Author Comment

by:joukiejouk
ID: 40568421
Since I am a novice to ePO, let's keep this simple. I am an admin who is now in charge of managing ePO. My IT security team does not have access rights to it, but they requested me to make a change in ePO. See the embedded screenshot of the request.

From ePO console, how would I make this change? Please detail step-by-step.

request
 
LVL 63

Expert Comment

by:btan
ID: 40568742
Please see the link to "How to restore from a False Positive from the VirusScan Enterprise Quarantine using an ePO scheduled task", which also depicts the steps: https://kc.mcafee.com/corporate/index?page=content&id=KB69918 (the previous post included this already). If it fails, see other workarounds: https://kc.mcafee.com/corporate/index?page=content&id=KB78993
 

Author Comment

by:joukiejouk
ID: 40574576
I'm still very confused. In viewing my VSE Console on my computer, I see the option of actions to take when a threat is found (see screenshot). What does "Clean file automatically" do? Does it delete the threat? I do not see an option to quarantine the threat. This policy is applied from ePO. In ePO, I want to be able to change this setting to quarantine if there is an option for it. Where would I find this setting in ePO, as what is shown in the screenshot on my client computer?

2015-01-27-22-25-11.png
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40574851
I will use this guide (https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22941/en_US/vse_880_product_guide_en-us.pdf) as reference and extract the information relating to your query, for ease of further reading too. Pardon me if it has not been clear regarding recovery of the quarantined files. Those queries were more about the onset, getting it quarantined in the first place.

 1. What does "Clean file automatically" do? Does it delete the threat?
If VirusScan Enterprise is configured to clean automatically (the suggested default setting), the resulting action depends on the cleaning instruction from the DAT file. For example, if the scanner cannot clean a file, or if the file has been damaged beyond repair, the scanner might delete the file or take the secondary action, depending on the definition in the DAT file. When the scanner denies access to files with potential threats, it adds an .mcm extension to the file name when the file is saved.
2. I do not see an option to quarantine the threat. This policy is applied from ePO. In ePO, I want to be able to change this setting to quarantine if there is an option for it. Where would I find this setting in ePO, as what is shown in the screenshot on my client computer?
Items that are detected as threats are cleaned or deleted. Plus, a copy of the item is converted to a non-executable format and saved in the Quarantine folder. This allows you to perform processes on the quarantined items after downloading a later version of the DAT, which possibly contains information that can clean the threat.
These additional processes include:
• Restore.
• Rescan.
• Delete.
• Check for false positive.
• View detection properties.
Also, there are suggested ways to configure quarantine, either via
(A) Configuring the Quarantine Manager Policies using the ePolicy Orchestrator 4.5 or 4.6 user interface console (see page 76)
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog, then from the Product list select VirusScan Enterprise 8.8.0. The Category list displays the policy categories for VirusScan Enterprise 8.8.0.

2 Edit an existing policy or create a new policy:
Edit an existing policy
a From the Category list, select the policy category.
b From the Actions column, click Edit Setting to open the policy configuration page.
Create a new policy
a Click Actions | New Policy to open New Policy dialog box.
b From the Category list, select an existing policy.
c From the Create a new policy based on this existing policy list, select one of the settings.
d Type a new policy name.
e Type any notes, if required.
f Click OK. The new policy appears in the list of existing policies.
g From the Actions column of the new policy, click Edit Setting to open the policy configuration page.

3 From the Settings for list, select Workstation or Server.

4 From the Quarantine page, accept the default quarantine directory, or select a different directory.

5 To configure the days the quarantined items are saved, click Automatically delete quarantined data after the specified number of days and type the Number of days to keep backed-up data in the quarantine directory.
OR
(B) Using the VirusScan Console to configure the Quarantine Manager Policy (see page 77)
Task
For option definitions, click ? in the interface.
1 From the Task list, right-click Quarantine Manager Policy, then click Properties to open the Quarantine Manager Policy dialog box.

2 Accept the default quarantine directory, or select a different directory.

3 To configure the days the quarantined items are saved, click Automatically delete quarantined data after the specified number of days and type the Number of days to keep backed-up data in the quarantine directory.
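The retention setting in step 5 of (A) and step 3 of (B) is the one that decides whether a false-positive .BUP file is still recoverable when someone asks for it. The following is an added example, not code from this thread or from McAfee: it inventories a quarantine directory and flags items that are past, or close to, the configured "Number of days to keep backed-up data". It assumes retention is measured from each .bup file's modification time, and uses constructed placeholder files in a temporary directory rather than a real VSE quarantine.

```python
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def build_sample_quarantine(base_dir, now):
    """Create constructed .bup placeholders with back-dated mtimes (not real VSE quarantine data)."""
    ages = {"eicar_test.bup": 1, "report_macro.bup": 25, "buildtool.bup": 31}
    for name, age in ages.items():
        p = Path(base_dir) / name
        p.write_bytes(b"constructed placeholder, not a real .bup")
        ts = (now - timedelta(days=age)).timestamp()
        os.utime(p, (ts, ts))  # pretend the file was quarantined `age` days ago
    return ages


def quarantine_inventory(quarantine_dir, retain_days, now, warn_days=7):
    """Return one record per .bup file with its age and days left before auto-deletion.

    Assumption: the quarantine time is the file's modification time.
    status: 'expired' (retention already passed), 'at_risk' (deleted within warn_days), 'ok'.
    """
    items = []
    for p in sorted(Path(quarantine_dir).glob("*.bup")):
        quarantined_at = datetime.fromtimestamp(p.stat().st_mtime)
        age_days = round((now - quarantined_at).total_seconds() / 86400)
        days_left = retain_days - age_days
        if days_left <= 0:
            status = "expired"
        elif days_left <= warn_days:
            status = "at_risk"
        else:
            status = "ok"
        items.append({"file": p.name, "age_days": age_days,
                      "days_left": days_left, "status": status})
    return items


def demo(retain_days=30, warn_days=7):
    """Run the inventory against a constructed quarantine directory and return the records."""
    now = datetime.now()
    with tempfile.TemporaryDirectory() as d:
        build_sample_quarantine(d, now)
        return quarantine_inventory(d, retain_days, now, warn_days)


if __name__ == "__main__":
    for rec in demo():
        print(f"{rec['file']:18} age={rec['age_days']:3}d left={rec['days_left']:3}d {rec['status']}")
```

With the 30-day default used here, report_macro.bup would be auto-deleted within a week, which is the window in which a restore request must arrive before the local Quarantine Manager can no longer help.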
