Solved

How do I change the setting in ePolicy Orchestrator 4.6 to quarantine infected files, rather than to delete them?

Posted on 2015-01-22
415 Views
Last Modified: 2015-02-14
This is for the purpose of allowing recovery of "false positive" files. Please detail step-by-step, as I am not familiar with the product, and am new to it.
Question by:joukiejouk
6 Comments
LVL 61

Expert Comment

by:btan
Typically, most may just restore files from the McAfee VSE quarantine locally. If you have access to it, you can do it from the VirusScan Console via the Quarantine Manager Policy, e.g. click the Manager tab, right-click the required item and select Restore.

However, there are instances where quarantine (.BUP) files have already been deleted, hence the need for a means to restore a quarantined file not listed in the VSE Quarantine Manager. The steps are shared in (note the utility to download separately) https://kc.mcafee.com/corporate/index?page=content&id=KB72755

Otherwise, another means is using an ePO scheduled task; please see
https://kc.mcafee.com/corporate/index?page=content&id=KB69918

However, if the scheduled task cannot restore, do also check the workarounds, which include the local one (mentioned above), or escalate the false positive to McAfee accordingly, as it is due to the installed DAT file:
https://kc.mcafee.com/corporate/index?page=content&id=KB53925
 

Author Comment

by:joukiejouk
Since I am a novice to ePO, let's keep this simple. I am an admin who is now in charge of managing ePO. My IT security team does not have access rights to it, but they requested me to make a change in ePO. See the embedded screenshot of the request.

From ePO console, how would I make this change? Please detail step-by-step.

[screenshot: request]

 
LVL 61

Expert Comment

by:btan
Please see the link to "How to restore from a False Positive from the VirusScan Enterprise Quarantine using an ePO scheduled task", which also depicts the steps, at https://kc.mcafee.com/corporate/index?page=content&id=KB69918 (the previous post included this already). If it fails, see the other workarounds at https://kc.mcafee.com/corporate/index?page=content&id=KB78993
 

Author Comment

by:joukiejouk
I'm still very confused. In viewing my VSE Console on my computer, I see the option of actions to take when a threat is found (see screenshot). What does "Clean file automatically" do? Does it delete the threat? I do not see an option to quarantine the threat. This policy is applied from ePO. In ePO, I want to be able to change this setting to quarantine if there is an option for it. Where would I find this setting in ePO, as what is shown in the screenshot on my client computer?

[screenshot: 2015-01-27-22-25-11.png]
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
I will use this guide (https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22941/en_US/vse_880_product_guide_en-us.pdf) as reference and extract the information relevant to your query, for ease of further reading too. Pardon me if it has not been clear on the recovery of the quarantined files; those queries are more about the onset, getting it quarantined in the first place.

1. What does "Clean file automatically" do? Does it delete the threat?
If VirusScan Enterprise is configured to clean automatically (the suggested default setting), the resulting action depends on the cleaning instruction from the DAT file. For example, if the scanner cannot clean a file, or if the file has been damaged beyond repair, the scanner might delete the file or take the secondary action, depending on the definition in the DAT file. When the scanner denies access to files with potential threats, it adds an .mcm extension to the file name when the file is saved.

2. I do not see an option to quarantine the threat. This policy is applied from ePO. In ePO, I want to be able to change this setting to quarantine if there is an option for it. Where would I find this setting in ePO, as what is shown in the screenshot on my client computer?
Items that are detected as threats are cleaned or deleted. Plus, a copy of the item is converted to a non-executable format and saved in the Quarantine folder. This allows you to perform processes on the quarantined items after downloading a later version of the DAT, which possibly contains information that can clean the threat.
These additional processes include:
• Restore.
• Rescan.
• Delete.
• Check for false positive.
• View detection properties.
Also, there are suggested ways to configure the quarantine, either via:
(A) Using ePolicy Orchestrator 4.5 or 4.6 to configure the Quarantine Manager Policies from its user interface console (see page 76).
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog, then from the Product list select VirusScan Enterprise 8.8.0. The Category list displays the policy categories for VirusScan Enterprise 8.8.0.

2 Edit an existing policy or create a new policy:
Edit an existing policy
a From the Category list, select the policy category.
b From the Actions column, click Edit Setting to open the policy configuration page.
Create a new policy
a Click Actions | New Policy to open the New Policy dialog box.
b From the Category list, select an existing policy.
c From the Create a new policy based on this existing policy list, select one of the settings.
d Type a new policy name.
e Type any notes, if required.
f Click OK. The new policy appears in the list of existing policies.
g From the Actions column of the new policy, click Edit Setting to open the policy configuration page.

3 From the Settings for list, select Workstation or Server.

4 From the Quarantine page, accept the default quarantine directory, or select a different directory.

5 To configure the days the quarantined items are saved, click Automatically delete quarantined data after the specified number of days and type the Number of days to keep backed-up data in the quarantine directory.
OR
(B) Using the VirusScan Console to configure the Quarantine Manager Policy from its user interface console (see page 77).
Task
For option definitions, click ? in the interface.
1 From the Task list, right-click Quarantine Manager Policy, then click Properties to open the Quarantine Manager Policy dialog box.

2 Accept the default quarantine directory, or select a different directory.

3 To configure the days the quarantined items are saved, click Automatically delete quarantined data after the specified number of days and type the Number of days to keep backed-up data in the quarantine directory.
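As an added example (not from the answer above nor from McAfee's documentation), the following PowerShell check lets an admin see which quarantined .BUP items on a client are approaching the retention limit set in step 5 of (A), so a suspected false positive can be restored before it is purged automatically. The quarantine path, the retention value and the use of the file's last-write time as the quarantine time are assumptions; the page does not state the default directory or retention period.

```powershell
param(
    # Assumed path; replace with the quarantine directory configured in the
    # Quarantine Manager Policy (step 4 above).
    [string]$QuarantineDir = 'C:\Quarantine',
    # Assumed value; match "Number of days to keep backed-up data" (step 5 above).
    [int]$RetentionDays = 28,
    # Flag items that will be purged within this many days.
    [int]$WarnWithinDays = 3
)

if (-not (Test-Path -LiteralPath $QuarantineDir)) {
    Write-Error "Quarantine directory '$QuarantineDir' not found."
    exit 1
}

$now = Get-Date
# VSE stores quarantined copies as non-executable .BUP files.
$items = Get-ChildItem -LiteralPath $QuarantineDir -Filter '*.bup' -File -ErrorAction Stop

$report = foreach ($f in $items) {
    # Assumption: the .BUP last-write time approximates when the item was quarantined.
    $age      = ($now - $f.LastWriteTime).Days
    $daysLeft = $RetentionDays - $age
    [pscustomobject]@{
        Name          = $f.Name
        QuarantinedOn = $f.LastWriteTime
        AgeDays       = $age
        DaysLeft      = $daysLeft
        Status        = $(if ($daysLeft -le 0) { 'DUE FOR PURGE' }
                          elseif ($daysLeft -le $WarnWithinDays) { 'RESTORE SOON' }
                          else { 'OK' })
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize

$atRisk = @($report | Where-Object { $_.Status -ne 'OK' })
Write-Host ("{0} quarantined item(s); {1} at risk of automatic deletion." -f @($report).Count, $atRisk.Count)
```

Run it on the client (or via a remote session) after applying the policy; items marked RESTORE SOON or DUE FOR PURGE are the ones to restore through the Quarantine Manager or the ePO scheduled task before the retention window closes.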