Product Guide McAfee Endpoint Protection for Mac 2.0.0


Post on 24-Jun-2020


Page 1: McAfee Endpoint Protection for Mac 2.0.0 Product Guideb2b-download.mcafee.com/.../epm/beta1/epm200_beta1_product_gu… · 1 Introduction McAfee® Endpoint Protection for Mac® offers

Product Guide

McAfee Endpoint Protection for Mac 2.0.0


COPYRIGHT

Copyright © 2013 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS

McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Preface
    About this guide
        Conventions
        Abbreviations
    Find product documentation

1 Introduction
    Why you need security for Mac
    How McAfee Endpoint Protection for Mac protects your system
        Anti-malware
        Desktop firewall
        Application protection
    Product features

2 Installation and configuration
    System requirements
    Package contents
    Install the software on a standalone Mac
        Install the software using wizard
        Install the software from the command line (silent installation)
    Default settings
    Recommended post installation tasks
    Deploy McAfee EPM from ePolicy Orchestrator
        Check in the McAfee Endpoint Protection for Mac package
        Check in the McAfee Agent
        Install the McAfee Endpoint Protection for Mac extension
        Deploy McAfee Endpoint Protection for Mac from ePolicy Orchestrator
    Manage policies
        Create or modify policies
        Assign policies
    Test the installation
        Test the anti-malware protection feature
        Test the application protection feature
        Test the desktop firewall feature
    Uninstall the software
        Uninstall the software from standalone Mac
        Remove the software using ePolicy Orchestrator

3 Using the console on a standalone Mac
    Dashboard
        Security status
        Recent events summary
    History of events
    Quarantine malware
        Remove or restore the quarantined item
    Update the anti-malware engine and DAT
    Perform a system scan
    Configure custom scan tasks
        Create a new scan task
        Modify an existing scan task
        Remove an existing scan task

4 Configuring protection preferences on a standalone Mac
    General preferences
        Configure general preferences
    Anti-malware
        Configure On-access Scan preferences
        Configure on-demand scan preferences
        Define anti-malware exclusions
    Application protection
        Configure application protection preferences
        Create an application protection rule
        Modify an existing application protection rule
        Reapply rules for modified applications
        Specify application protection exclusions
    Desktop firewall
        How stateful filtering works
        How regular mode firewall protection works
        How adaptive mode firewall protection works
        How DNS blocking works
        How stateful FTP inspection works
        How desktop firewall rules work
        How desktop firewall rules are organized
        Configure desktop firewall protection
    Configure update schedule
        Configure repository list
        Configure proxy settings
        Configure anti-malware engine update schedule

5 Managing the software from ePolicy Orchestrator
    Create anti-malware policy
        Schedule on-demand scan
    Create application protection policy
    Desktop firewall policy
        Create desktop firewall policy
        Create new firewall rules
    Create a DNS blocking policy
    Create trusted network policy
    Create location awareness policy
    Schedule anti-malware engine update
    Queries and reports
        Run a query

Index


Preface

Contents

• About this guide

• Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Conventions

This guide uses these typographical conventions and icons.

Book title, term, emphasis | Title of a book, chapter, or topic; a new term; emphasis.

Bold | Text that is strongly emphasized.

User input, code, message | Commands and other text that the user types; a code sample; a displayed message.

Interface text | Words from the product interface like options, menus, buttons, and dialog boxes.

Hypertext blue | A link to a topic or to an external website.

Note | Additional information, like an alternate method of accessing an option.

Tip | Suggestions and recommendations.

Important/Caution | Valuable advice to protect your computer system, software installation, network, business, or data.

Warning | Critical advice to prevent bodily harm when using a hardware product.

Abbreviations

This table lists the abbreviations used in this document.

Term Abbreviation

DST Destination

DHCP Dynamic Host Configuration Protocol

ePO ePolicy Orchestrator

EPM Endpoint Protection for Mac


FQDN Fully Qualified Domain Name

FTP File Transmission Protocol

IMAP Internet Message Access Protocol

ICMP Internet Control Message Protocol

IP Internet Protocol

NetBIOS Network Basic Input Output System

NTP Network Time Protocol

POP3 Post Office Protocol 3

RDP Remote Desktop Protocol

SMTP Simple Mail Transfer Protocol

SNMP Simple Network Management Protocol

SRC Source

TCP Transmission Control Protocol

UDP User Datagram Protocol

Find product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

2 Under Self Service, access the type of information you need:

To access... Do this...

User documentation 1 Click Product Documentation.

2 Select a product, then select a version.

3 Select a product document.

KnowledgeBase • Click Search the KnowledgeBase for answers to your product questions.

• Click Browse the KnowledgeBase for articles listed by product and version.


1 Introduction

McAfee® Endpoint Protection for Mac® offers a scalable security solution that minimizes the risk of exposing your Mac to vulnerabilities.

The software provides a securely configured environment that:

• Protects your Mac from viruses, spyware, Trojan horses, and other malware threats.

• Prevents unauthorized network access.

• Prevents execution of unwanted applications.

• Restricts applications to run with restricted network access or without network access.

Contents

• Why you need security for Mac

• How McAfee Endpoint Protection for Mac protects your system

• Product features

Why you need security for Mac

Systems without protection are exposed to security compromises in many ways, such as data loss, misuse of personal and business information, and system disorder.

The advent of new products and technologies broadens the opportunities for new security threats and challenges whose motive is to interrupt or spy on your system, or to destroy the data and the system functionality completely.

The targeted security threats devised by cyber criminals and hackers are evolving consistently and taking various dimensions. Analyst reports say that the overall number of malware samples has reached more than 100 million, which shows the importance of securing your Mac from these threats.

The threats and reported vulnerabilities that can harm your Mac are:

Threat category | Potential threat

Malware | Directs the user to access malicious items that can infect Mac. Examples: Flashback Trojan, Fake AV.

Spyware | Tracks each and every key you type to access sensitive information, such as user name and password and other personal details. Example: Keyloggers.

Botnet breakdowns | Infects your system or network and controls it remotely to spread malware.

Network threat | Slows down network performance and gains unauthorized access to systems.

With McAfee Endpoint Protection for Mac enabled, your Mac is protected from these malware threats without compromising your needs, and the software provides a secured environment that eliminates the risk of exposure to these vulnerabilities.

How McAfee Endpoint Protection for Mac protects your system

McAfee EPM provides a comprehensive security mechanism that includes anti-malware, desktop firewall, and application protection.

Anti-malware

Protects your Mac from malware threats proactively, with predefined actions to perform upon detection.

It scans files and folders on local volumes, network-mounted volumes, and removable media whenever you create or access an item. The anti-malware engine performs complex analysis using the malware definition files (DATs), decodes the contents of the item you access, and compares them with the known signatures stored in the DAT files to identify malware.

For more information on anti-malware, see the Anti-malware section.

Desktop firewall

Filters incoming and outgoing network traffic, allowing or blocking it as defined in the rules. Each rule defines a set of conditions that the network traffic must meet.

Stateful filtering and packet inspection identify data packets for different types of connections and hold the connection attributes in memory until the end of the session. When the first data packet of a new session arrives, the desktop firewall matches the packet against the rules list. If the data packet matches an existing allow rule, a new entry is added to the state table and the traffic is allowed; subsequent packets of that session are allowed without further verification. When the session is completed or timed out, the entry is removed from the table.

If the data packet does not match any of the existing rules, the firewall blocks the network traffic.
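The first-packet rule check and the state table described above, modelled in Python as an added example (it is not McAfee's implementation and not code from this guide). The rule fields, first-match ordering, the 60-second idle timeout, the single-FIN session close and the documentation-range addresses are assumptions made for illustration.

```python
# Added example: toy model of stateful filtering, not the product's code.
# Assumptions: rule fields, first-match-wins ordering, idle timeout value,
# and a single FIN packet standing in for "session completed".
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    outbound: bool      # True when the Mac sent the packet
    fin: bool = False   # simplified marker for the end of a session

    def conn_key(self):
        """Direction-independent key: (proto, local ip/port, remote ip/port)."""
        if self.outbound:
            return (self.proto, self.src, self.sport, self.dst, self.dport)
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "block"
    proto: str
    outbound: bool
    remote_net: str               # CIDR the remote address must fall in
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        remote = p.dst if p.outbound else p.src
        return (self.proto == p.proto
                and self.outbound == p.outbound
                and ip_address(remote) in ip_network(self.remote_net)
                and self.dport in (None, p.dport))


class StatefulFirewall:
    def __init__(self, rules, idle_timeout=60.0):
        self.rules = list(rules)
        self.idle_timeout = idle_timeout
        self.state = {}           # conn_key -> time of the last packet seen

    def _expire(self, now):
        # Drop entries for sessions that have been idle longer than the timeout.
        stale = [k for k, seen in self.state.items()
                 if now - seen > self.idle_timeout]
        for key in stale:
            del self.state[key]

    def process(self, p: Packet, now: float):
        """Return (verdict, reason); reason is 'state', 'rule' or 'default'."""
        self._expire(now)
        key = p.conn_key()
        if key in self.state:
            # Known session: allowed without consulting the rules again.
            if p.fin:
                del self.state[key]      # session completed
            else:
                self.state[key] = now    # refresh the idle timer
            return ("allow", "state")
        for rule in self.rules:          # first packet: walk the rules top down
            if rule.matches(p):
                if rule.action == "allow":
                    self.state[key] = now
                return (rule.action, "rule")
        return ("block", "default")      # no rule matched


# Constructed sample rules and traffic (documentation address ranges).
RULES = [
    Rule("block", "tcp", True, "203.0.113.99/32"),
    Rule("allow", "tcp", True, "0.0.0.0/0", 443),
]


def run_demo():
    fw = StatefulFirewall(RULES, idle_timeout=60)
    first = Packet("tcp", "192.0.2.5", 50000, "203.0.113.10", 443, True)
    reply = Packet("tcp", "203.0.113.10", 443, "192.0.2.5", 50000, False)
    stray = Packet("tcp", "203.0.113.10", 443, "192.0.2.5", 50001, False)
    denied = Packet("tcp", "192.0.2.5", 50002, "203.0.113.99", 443, True)
    close = Packet("tcp", "192.0.2.5", 50000, "203.0.113.10", 443, True, fin=True)
    return [
        fw.process(first, 0),     # matches the allow rule, state entry created
        fw.process(reply, 1),     # inbound reply allowed by the state table
        fw.process(stray, 2),     # unsolicited inbound, no rule, blocked
        fw.process(denied, 3),    # explicit block rule earlier in the list
        fw.process(close, 4),     # session ends, entry removed
        fw.process(reply, 5),     # late reply after close, blocked
        fw.process(first, 6),     # new session
        fw.process(reply, 100),   # idle for 94 s, entry expired, blocked
    ]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The inbound reply is allowed even though no inbound rule exists, which is the practical difference between a stateful filter and a plain rule list.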

You can run the desktop firewall protection in:

• Regular protection mode

• Adaptive mode

For more information, see the Desktop firewall section.

The controlled network access protection permits the Mac to access only the authorized networks, which minimizes the risk from network threats.

Application protection

Configure rules to prevent execution of applications or to run applications with restricted network access or without network access.

You can set rules for the applications installed on Mac to:


• Execute with full network access

• Execute without network access

• Execute with restricted network access

• Block the application execution

For example, you can use the Execute without network access rule to configure the iTunes application so that it can be used for recreational purposes but cannot access the Internet to download music.

For more information, see the Application Protection section.

Product features

The main features of McAfee Endpoint Protection for Mac are:

Anti‑malware

• On‑access Scan — Scan files and folders whenever users access them

• Quarantine — Quarantine malware items (or suspected malware-like behavior) so that they cannot be opened or executed.

• Schedule Scan — Define schedules to scan files, folders on local and mounted volumes.

Desktop firewall protection — Control unauthorized access to networks, subnets, hosts, anddomains based on the rules configured.

• Regular and adaptive firewall mode — Run the firewall protection in regular or adaptive mode.

• Stateful firewall — Track the data packet flow for the established connection until the session is completed or timed out.

• Domain Name System (DNS) block — Allow you to block the domains using regular expressions.

• Stateful FTP inspection — A stateful firewall for FTP with one rule for outgoing FTP client and one rule for incoming FTP server.

• Trusted networks — Allow unrestricted traffic to and from the trusted networks.

• Location awareness — Define location-specific rules for office and home environments.

• Common ePO Extension for managing HIPS Firewall on Windows and Mac - When your Mac is managed by ePolicy Orchestrator, a common ePO extension (HIPS Firewall) is used for Windows and Mac.

Application protection

• Block application execution — Prevent execution of applications installed on your Mac.

• Restricted or full network access for applications — Configure applications to run with full network or restricted network access.

• Run applications without network access — Configure applications to run without network access.

Interface


• McAfee menulet for easy access — Access the McAfee menulet to launch McAfee EPM Console, McAfee EPM Preferences, and the About dialog box.

• Dashboard — View the security status of your Mac, scheduled scan tasks, latest events, and the Anti-malware engine update details.

• History of events — View all anti-malware and application protection events.

• Enhanced client user interface to manage firewall — Allows you to define firewall rules through simple steps and toggle between regular protection mode and adaptive mode.

• Notifications and alerts — View malware detections (resulting from on-access scan), prevention of application execution, and denial of network access to an application in the McAfee Notification, and get a McAfee Alert for an unknown or modified application execution when you set the corresponding application protection setting to Prompt.


2 Installation and configuration

Install McAfee EPM on a standalone Mac (unmanaged) or deploy from ePolicy Orchestrator on a managed Mac.

Contents

• System requirements

• Package contents

• Install the software on a standalone Mac

• Default settings

• Recommended post installation tasks

• Deploy McAfee EPM from ePolicy Orchestrator

• Manage policies

• Test the installation

• Uninstall the software

System requirements

Make sure that your Mac meets these requirements and you have administrative rights.

Component | Requirement

Operating system | Lion 10.7.0 or later; Mountain Lion 10.8.0 or later

Hardware | Mac that can run with the above operating system configuration

McAfee management software | McAfee ePolicy Orchestrator 4.6 and 5.0

McAfee Agent (required for ePolicy Orchestrator deployment) | McAfee Agent for Mac 4.6 Patch 3 and 4.8.

Package contents

The software package contains these files that are necessary for installation.

Package | Description

EPM<version>-Build_type-<Build_number>.dmg | Contains files to install the software on standalone Mac.

EPM<version>-Build_type-ePO-<Build_number>.zip | Contains files to deploy the software from the ePO server.


Install the software on a standalone Mac

Install the software on a standalone Mac using either the wizard or from the command line.

Tasks

• Install the software using wizard
  The wizard guides you through the installation process.

• Install the software from the command line (silent installation)
  You can use the command line to install the software without user intervention.

Install the software using wizard

The wizard guides you through the installation process.

When the installation is complete, McAfee Endpoint Protection for Mac starts protecting your system immediately. Any existing network connections on your Mac will be disconnected. You need to re-establish those connections.

Task

1 Download EPM<version>-<release-type>-<build-number>.dmg to a temporary location on your Mac and double-click it to mount.

2 Double-click EPM<version>-<release-type>-<build-number>.pkg.

The "This package will run a program to determine if the software can be installed" screen appears.

3 Click Continue.

The Welcome to the McAfee Endpoint Protection for Mac Installer screen appears.

4 Click Continue.

The Read Me page appears.

5 Click Continue.

The Software License Agreement page appears.

6 Click Continue.

7 To accept the terms in the license agreement, click Agree.

8 Type the administrator password when prompted, then click Install Software.

9 Once the installation is complete, the "The installation was completed successfully" screen appears.

Install the software from the command line (silent installation)

You can use the command line to install the software without user intervention.

When the installation is complete, the software starts protecting your Mac immediately. Any existing network connections that are running on your Mac will be disconnected. You need to re-establish those connections.

Task

1 Download EPM<version>‑<release‑type>‑<build‑number>.dmg on your Mac.

2 Copy the .pkg file to a temporary location on your Mac.


3 Open a terminal window and change the working directory to the one where you saved the EPM<version>-<release-type>-<build-number>.pkg file.

4 Type the following command, then press return.

sudo installer -pkg EPM<version>-<release-type>-<build-number>.pkg -target /

5 Type the administrator password, then press return. The following message appears.

The Install was successful.

Default settings

Once installed, McAfee EPM starts protecting the Mac, based on the default configurations defined. Refer to these default settings, and configure the preferences based on your requirements.

Default settings

Feature: General

• On-access Scan — On

• Spyware Scan — On

• Application Protection — On

• Desktop Firewall — On

Feature: Anti-malware

On-access Scan:

• Scan files while — Write

• Maximum scan time for a file — 45 seconds

• When a virus is found — Clean

• If clean fails — Quarantine

• When a spyware is found — Clean

• If clean fails — Quarantine

Also scan:

• Archives & Compressed Files — Disabled

• Apple Mail messages — Disabled

• Network Volumes — Disabled

On-demand Scan:

• When a virus is found — Clean

• If clean fails — Quarantine

• When a spyware is found — Clean

• If clean fails — Quarantine

• Archives & Compressed Files — Enabled

• Apple Mail messages — Enabled

Exclusions — None.

Feature: Application protection

Rules:

• Allow All Apple signed binaries — Allowed

• Unknown/Modified Applications — Allow

Exclusions — None.

Feature: Desktop firewall

• Regular Mode — Enabled

• Trust Local Subnet — Checked

For the default firewall rules, see the Desktop Firewall section.

Feature: Update

In Repository List:

• Repository Name — McAfeeHttp, McAfeeFtp

In Proxy Settings:

• Proxy settings — Do not use a proxy

In Schedule:

• Schedule — Daily at 4:45 PM (local time).

Recommended post installation tasks

Perform these tasks to keep the anti-malware engine and DAT files up to date, and ensure that the desktop firewall protection does not deny access to business critical networks.

Task: Update DAT and Engine files

McAfee releases DAT files regularly to ensure that your Mac is protected from the current threats. Ensure that the software is using the latest released signatures (DAT) and engine version for maximum protection.

For more information on how to update the DAT and Engine files, see the Perform DAT and Engine update section.

Task: Anti-malware protection

McAfee Endpoint Protection for Mac comes with default settings for anti-malware protection that protect your Mac. Ensure that the default settings are consistent with your organization's policies for complete protection against malware threats.

Configure the On-demand Scan task to define:

• The items to scan (files, folders, and drives)

• The frequency of the scan (daily, weekly, monthly, or immediately)

• The action to take when malware is found (Delete or Quarantine)

For more information, see the Anti-malware preferences section.

Task: Desktop firewall

McAfee EPM comes with the stateful desktop firewall enabled, which protects your Mac from the moment the product is installed. The firewall comes with a set of default rules that ensure that your Mac is able to access the required services. McAfee recommends that you review the default rules to ensure that your Mac is allowed to access the necessary services as per your organization's policies.

The rules are processed top down, ending with an implicit default block rule that denies all traffic. This rule cannot be modified.


Deploy McAfee EPM from ePolicy Orchestrator

Deploy McAfee EPM remotely on to a client Mac in your network using ePolicy Orchestrator.

Tasks

• Check in the McAfee Endpoint Protection for Mac package
  Check in the McAfee Endpoint Protection for Mac deployment package to the ePolicy Orchestrator master repository.

• Check in the McAfee Agent
  McAfee Agent provides secure communication between ePolicy Orchestrator and Mac.

• Install the McAfee Endpoint Protection for Mac extension
  Install the McAfee EPM extensions using ePolicy Orchestrator.

• Deploy McAfee Endpoint Protection for Mac from ePolicy Orchestrator
  Deploy the software on the Macs that are managed in your network using ePolicy Orchestrator.

Check in the McAfee Endpoint Protection for Mac package

Check in the McAfee Endpoint Protection for Mac deployment package to the ePolicy Orchestrator master repository.

Task

1 Download the EPM<version>-<release-type>-ePO-<build_number>.zip file to a temporary location on the ePolicy Orchestrator server.

2 Log on to the ePolicy Orchestrator server as an administrator.

3 Click Menu | Software | Master Repository, then click Action | Check In Package. The Package page appears.

4 Select the Package type as Product or Update (.ZIP).

5 Click Choose File and select EPM<version>-<release-type>-ePO-<build_number>.zip, then click Choose. The Package page appears.

6 Click Next.

7 In the Package Options page, select Current, then click Save.

Check in the McAfee Agent

McAfee Agent provides secure communication between ePolicy Orchestrator and Mac.

Task

1 Download the MA<version>-<release-type>-ePO-<build_number>.zip file to a temporary location on the ePolicy Orchestrator server.

2 Log on to the ePolicy Orchestrator server as an administrator.

3 Click Menu | Software | Master Repository, then click Action | Check In Package. The package page appears.

4 Select the Package type as Product or Update (.ZIP).

5 Click Choose File and select MA<version>-<release-type>-ePO-<build-number>.zip, then click Choose. The package page appears.

6 In the Package Options page, select Current, then click Save.


Install the McAfee Endpoint Protection for Mac extension

Install the McAfee EPM extensions using ePolicy Orchestrator.

You must install these extensions:

• Anti‑malware for Mac

• Application Protection for Mac

• Host Intrusion Prevention (When your Mac is managed by ePolicy Orchestrator, the Host Intrusion Prevention extension is used to apply or configure the desktop firewall features.)

• Anti‑malware for Mac Reporter

• Application Protection for Mac Reporter

Task

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Menu | Software | Extensions, then click Install Extension.

3 Click Choose File and select the file that contains the extension, then click OK.

Deploy McAfee Endpoint Protection for Mac from ePolicy Orchestrator

Deploy the software on the Macs that are managed in your network using ePolicy Orchestrator.

Task

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Menu | Systems | System Tree, then select the required group or systems.

3 Click Actions, select Assigned Client Tasks, then click New Client Task Assignment. The Client Task Assignment Builder screen appears.

4 In Product, select McAfee Agent.

5 In Task Type, select Product Deployment.

6 Click Create New Task. The Client Task Catalog screen appears. Type a name for the task.

7 Select Mac as target platform.

8 In Products and components, select McAfee Endpoint Protection for Mac <version_number> <build_number>, select Install as action, then click Save. The Client Task Assignment Builder page appears.

9 Select the task and click Next.

10 Schedule the task to run immediately, then click Next to view a summary of the task.

11 Click Save.

12 In the System Tree page, select the systems or groups where you assigned the task, then click Wake Up Agents.

13 In the Wake Up McAfee Agent screen, select Force complete policy and task update, then click OK.

Manage policies

McAfee EPM policies provide options to configure the features, feature administration, and log details on managed Macs. You can find these policies on the Policy Catalog page under Product:

• Application Protection for Mac 2.0

• Host Intrusion Prevention 8.0: Firewall

• Host Intrusion Prevention 8.0: General

• Anti‑malware for Mac 9.5.0

Configure these policies with your preferences, then assign them to groups of the managed Macs. For generic information about policies, refer to the respective version of the ePolicy Orchestrator product guide.

Tasks

• Create or modify policies: You can create and edit policies for a specific group in the System Tree, to apply the changes to managed Macs.

• Assign policies: When you have created or modified firewall policies, assign them to the Macs that are managed by ePolicy Orchestrator.

Create or modify policies

You can create and edit policies for a specific group in the System Tree, to apply the changes to managed Macs.

Task

1 Log on to the ePolicy Orchestrator server as an administrator.

2 From the Policy Catalog, select the required policy as the category.

3 Perform this step as required:

To create a policy:

1 Click New Policy.

2 Type the policy name.

3 Click OK.

4 Configure the settings.

To modify a policy:

1 Click the policy name you want to modify.

2 Modify the settings.

4 Click Save.

Assign policies

When you have created or modified firewall policies, assign them to the Macs that are managed by ePolicy Orchestrator.

Task

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Navigate to System Tree, select the required group or systems, then click the Assigned Policies tab on the right side pane.

3 Select the required product from the product list, select the required policy, then click Edit Assignment.

4 Select the policy to assign, select appropriate inheritance options, then click Save.

The policy enforcement occurs in the next agent‑server communication. Click Wake Up Agents to enforce the policy immediately.

Test the installation

When you have completed the installation, we recommend that you test it, to ensure that the software is installed properly and can protect the Mac.

Tasks

• Test the anti-malware protection feature: You can test the Anti‑malware protection feature by accessing the European Institute of Computer Anti‑Virus Research (EICAR) standard anti‑virus test file.

• Test the application protection feature: You can test the application protection feature by creating a rule to deny application execution.

• Test the desktop firewall feature: Test the desktop firewall feature by creating a new rule. Consider a scenario where you want to create an allow rule for www.abcwebsite.com.

Test the anti-malware protection feature

You can test the Anti‑malware protection feature by accessing the European Institute of Computer Anti‑Virus Research (EICAR) standard anti‑virus test file. This file is an outcome of a combined effort by anti‑virus vendors throughout the world to implement one standard by which customers can validate the anti‑virus software.

Task

1 Go to the EICAR website http://www.eicar.org

2 Click DOWNLOAD ANTI MALWARE TESTFILE, then click DOWNLOAD.

3 Click one of the anti‑malware test files. For example, click eicar.com.txt.

For the test to be successful, McAfee EPM should display the notification 1 detection(s) found on your system with the relevant details.

Test the application protection feature

You can test the application protection feature by creating a rule to deny application execution. Consider a scenario where you want to block the iTunes execution on your Mac.

Task

1 Click the McAfee menulet on the status bar, then select McAfee Endpoint Protection for Mac Preferences.

Alternatively, you can launch the McAfee Endpoint Protection for Mac console by clicking McAfee Endpoint Protection for Mac on the status bar, then selecting Preferences.

2 Click Application Protection.

3 Click , type the administrator password, then click OK.

4 In Rules, click + at the bottom left corner of the console.

5 In Application Name, browse and add iTunes.

6 In Action, select Deny Execution, then click OK.

7 Click .

8 From the Dock, click Finder | Go | Applications, then double‑click iTunes.

The following message appears in McAfee Notification screen.

For more information on Application Protection, see the Configuring protection preferences on a standalone Mac chapter.

Test the desktop firewall feature

Test the desktop firewall feature by creating a new rule. Consider a scenario where you want to create an allow rule for www.abcwebsite.com.

Task

1 Click the McAfee menulet on the status bar, then select McAfee Endpoint Protection for Mac Preferences.

Alternatively, you can launch the McAfee Endpoint Protection for Mac Preferences by clicking McAfee Endpoint Protection for Mac on the status bar, then selecting Preferences.

2 Click Desktop Firewall.

3 Click , type the administrator password, then click OK.

4 Select Regular Mode.

5 Click + at the bottom left corner of the console to create a new firewall rule.

6 Type a name of the rule in the Rule Name text box.

7 Select Enabled from the Status drop‑down.

8 Select Allow from the Action drop‑down.

9 Select Outgoing from the Direction drop‑down.

10 In the Network Protocol (IPv4) section:

a Select Local then select Any Local IP Address.

b Click .

c Select Remote, then select Full Qualified Domain Name, then type name in the Domain Name field.

11 In the Transport Protocol section, select All Protocols.

12 Open the browser, type the website name, then press return.

Make sure that there is no ePO rule that allows access to this domain.

Uninstall the software

Remove the software from the standalone Mac and remove the software and its related extensions from the Mac that is managed from ePolicy Orchestrator.

Tasks

• Uninstall the software from standalone Mac: You can uninstall the software from Mac either using the command line or Finder.

• Remove the software using ePolicy Orchestrator: Remove McAfee EPM from the managed Mac and remove the extensions from the ePolicy Orchestrator server.

Uninstall the software from standalone Mac

You can uninstall the software from Mac either using the command line or Finder.

Before you begin

You must have administrator rights to uninstall the software.

Tasks

• Uninstall the software using command line: Use this task to uninstall the software using the command line.

Uninstall the software using command line

Use this task to uninstall the software using the command line.

Task

1 Open a Terminal window.

2 Type the following command, then press return.

/usr/local/McAfee/uninstallMSC

3 Type the administrator password when prompted.

On uninstallation, the following message appears:

McAfee Endpoint Protection for Mac 2.0.0 has been uninstalled Successfully.

Remove the software using ePolicy Orchestrator

Remove McAfee EPM from the managed Mac and remove the extensions from the ePolicy Orchestrator server.

Tasks

• Remove the software: Create a client task to remove McAfee EPM software from the managed Mac.

• Remove the software extension: Use this task to remove McAfee EPM extensions from the ePolicy Orchestrator server.

Remove the software

Create a client task to remove McAfee EPM software from the managed Mac.

Task

1 Log on to ePolicy Orchestrator server as an administrator.

2 Click Menu | Systems | System Tree, then select the required group or systems.

3 Click the Assigned Client Tasks tab, then click New Client Task Assignment.

4 In Product, select McAfee Agent.

5 In Task Type, select Product Deployment.

6 Click Create New Task and type a name for the task.

7 Select Mac as target platform.

8 In Products and components, select McAfee Endpoint Protection for Mac 2.0, select Remove as action, then click Save. The Client Task Assignment Builder page appears.

9 Select the task from Task Name, then click Next.

10 Schedule the task to run immediately, then click Next to view a summary.

11 Check the task summary, then click Save.

12 In System Tree page, select the systems or groups for which you assigned the task, then click Wake Up Agents.

13 In the Wake Up McAfee Agent screen, select Force complete policy and task update, then click OK.

Remove the software extension

Use this task to remove McAfee EPM extensions from the ePolicy Orchestrator server.

Remove only the product-specific extensions and do not remove any common extensions that are used by other products or systems.

Refer to this extension list to understand the policies you can assign before proceeding with the removal task:

• Anti‑malware for Mac 9.5.0 — Exclusive extension used to configure anti‑malware preferences.

• Application Protection for Mac 2.0.0 — Exclusive extension used to configure execution permission and network access for applications.

• Host Intrusion Prevention 8.0: Firewall — Common extension used to configure firewall rules, firewall options, and DNS blocking for Mac and Windows operating systems.

• Host Intrusion Prevention 8.0: General — Common extension used to configure trusted networks and client user interface options for Mac and Windows operating systems.

Remove only the Anti‑malware for Mac 9.5.0 and Application Protection for Mac 2.0.0 extensions and do not remove either of the Host Intrusion Prevention extensions because they are used as common extensions.

Task

1 Log on to the ePolicy Orchestrator server as an administrator.

2 To remove the extension, click Menu | Software | Extensions.

3 From the left pane, select the required extension.

4 Click Remove.

5 Select Force removal, bypassing any checks or errors, then click OK.

3 Using the console on a standalone Mac

Use McAfee Endpoint Protection for Mac console to view dashboard, events details, history of all events, quarantined items and to configure scan schedules.

Contents

• Dashboard

• History of events

• Quarantine malware

• Update the anti-malware engine and DAT

• Perform a system scan

• Configure custom scan tasks

Dashboard

Dashboard presents the security status of your Mac, malware detection statistics, version details of engine and DAT files, and recent events summary.

To view the dashboard, click | McAfee Endpoint Protection for Mac Console | Dashboard. The events that are listed in the dashboard are read only.

Security status

View the security status of your Mac and the protection features that are enabled or disabled, such as:

• On‑access Scan

• Spyware Scan

• Application Protection

• Desktop Firewall

Recent events summary

View the summary of the five most recent events in Dashboard for:

• Status of scan task with number of malware detected from on‑access scan and on‑demand scan.

• Anti‑malware engine update status with DAT version details.

• Prevention of application execution details.

Recent events displays only the summary of events. To view the complete details of events, navigate to the History screen, then double‑click the particular event.

History of events

History screen displays all events with details, for virus and spyware scanning, anti‑malware update, and blocked applications.

To view History, click the McAfee menulet | McAfee Endpoint Protection for Mac Console. Twenty events are listed per page and you can use arrows to navigate through pages.

To view events: Double‑click the event you want to view.

• Anti‑malware Update — displays the DAT version, engine version, and the status of the update.

• Blocked — displays the blocked application path.

• On‑access Scan — displays the application that accessed the malware, status of detection found, and total number of detections with the details.

• On‑demand Scan — displays number of files scanned, name and location of infected files, if found, and action taken.

To sort events: Click the column header to sort events based on title, type, or date and time.

To remove events:

1 Click , type the administrator password, then click OK.

2 Select the event, then click Delete.

To select multiple events:

• Hold shift key and select series of events from the list.

• Hold command key and select multiple events from the list.

3 The Are you sure you want to remove 1 item permanently? dialog box appears.

4 Click OK to remove the events.

You cannot restore events once you have removed them from the list.

5 Click to prevent further changes.

Quarantine malware

The quarantine feature isolates dangerous or suspicious malware that could harm your Mac otherwise.

To view the quarantined items, click the McAfee menulet | McAfee Endpoint Protection for Mac Console | Quarantine. The quarantine screen displays the original path of items quarantined with date and time of the event. You can either remove or restore the quarantined item.

Remove or restore the quarantined item

Before you begin

You must have administrator rights to remove or restore the quarantined item from the list.

Before restoring, make sure that these quarantined items are not malicious.

Task

1 Launch the McAfee Endpoint Protection for Mac Console. The dashboard page appears.

2 Click Quarantine.

3 Click , then type the administrator password.

4 Click OK.

To restore:

1 Select the quarantined item, then click Restore. The message Are you sure you want to restore 1 item? appears.

2 Click OK.

To remove:

1 Select the quarantined item you want to delete, then click Delete. The message Are you sure you want to remove 1 item permanently? appears.

2 Click OK.

To select multiple events:

• Hold shift key and select series of events from the list.

• Hold command key and select multiple events from the list.

5 Click to prevent further changes.

Update the anti-malware engine and DAT

Always keep anti‑malware DAT file and engine up‑to‑date to protect the Mac from the latest threats.

Task

1 Launch the McAfee Endpoint Protection for Mac Console. The dashboard page appears.

2 Click Update Now on the left pane of the console.

3 Click Start Update to initiate the anti‑malware update task.

Alternatively, you can click | McAfee Endpoint Protection for Mac | Activity | Start Anti‑malware Update from the menu bar.

Upon completion, the update summary appears with the engine version, DAT version, update status, and DAT creation date in the Anti‑malware Update section. You can view the status and details of Anti‑malware update event in the History screen.

To schedule an automatic update, see McAfee Security Preferences section.

Perform a system scan

Perform an on‑demand scan immediately to scan specific files, folders, local or network mounted volumes.

Task

1 Launch the McAfee Endpoint Protection for Mac Console. The dashboard page appears.

2 Click Scan Now.

3 Select location from the What to scan drop‑down.

4 Click Start Scan.

Configure custom scan tasks

Schedule and customize scan tasks based on your requirements, to scan specific files, folders, and volumes periodically. You can also modify or remove the existing schedule. For example, if you consider that the files you download to the Download folder, and the music files you save in music library folder should be scanned more frequently, you can define a scan schedule only for these two folders.

Tasks

• Create a new scan task: Create scan tasks that automatically run at scheduled periods with the defined parameters.

• Modify an existing scan task: Modify an existing scan schedule to add or remove locations or change the date and time.

• Remove an existing scan task: Remove the scheduled scan task when you find it is no longer required.

Create a new scan task

Create scan tasks that automatically run at scheduled periods with the defined parameters.

Task

1 Launch the McAfee Endpoint Protection for Mac Console. The dashboard page appears.

2 Click Scan Now.

3 Click on the bottom left corner.

Alternatively, you can press command + N or you can click Activity | New Activity on the McAfee Endpoint Protection for Mac menu bar.

4 Type a Scan Name, then click Create. The scan task name appears on the left pane.

5 Select the items from the What to scan drop‑down.

Table 3-1 Scan options

Scan option     Description
Documents       Scans the user documents folder.
Desktop         Scans files and folders in desktop.
Users           Scans the user directory.
Applications    Scans the applications folders.
Localhost       Scans the local host.
Choose          Allows you to select folder or file location to scan.

You can add more files, folders and locations in a scan. For example, you can include the Documents, Desktop, and Users location in one scan schedule using . You can also remove locations from the schedule using .

6 In the When to scan section, select an appropriate schedule for the scan task.

Table 3-2 Scan frequency

Scan frequency  Description
Immediately     Starts a scan task immediately. If you select to scan items immediately, click Start Scan.
Once            Scans the defined locations once at the scheduled date and time.
Daily           Scans the defined locations every day at the scheduled time. You can define the duration to run the daily scan task or select No End Date to run the schedule without any limit.
Weekly          Scans the defined locations on a scheduled day and time of every week. You can define the duration to run the weekly scan task or select No End Date to run the schedule without any limit.
Monthly         Scans the defined locations on a scheduled date and time of every month. You can define the duration or select No End Date to continue the schedule without any limit.

7 Click Schedule Scan. A message appears stating that the scan task is scheduled.

8 Click OK.

Modify an existing scan task

Modify an existing scan schedule to add or remove locations or change the date and time.

Task

1 Launch the McAfee Endpoint Protection for Mac Console.

2 Click the schedule you want to modify from the Activity section on the left side. The schedule appears with the Last Scan Time and Next Scan Schedule.

3 Click Modify Scan. Make the required changes, then click Schedule Scan.

If the scan you select to modify is scheduled to run immediately, select the scan, make the required changes, then click Schedule Scan.

Remove an existing scan task

Remove the scheduled scan task when you find it is no longer required.

Task

1 Launch the McAfee Endpoint Protection for Mac Console. The dashboard page appears.

2 Click an existing scan schedule on the left pane, then click on the left bottom corner of the console.

Alternatively, click Activity | Delete Activity from the McAfee Endpoint Protection for Mac menu bar.

4 Configuring protection preferences on a standalone Mac

Use McAfee Endpoint Protection for Mac preferences to enable or disable the anti‑malware, application protection, desktop firewall, and anti‑malware engine update and configure the protection parameters.

Contents

• General preferences

• Anti-malware

• Application protection

• Desktop firewall

• Configure update schedule

General preferences

Enable or disable the anti‑malware, anti‑spyware, application protection, and desktop firewall protection features that you want to run on your Mac.

Configure general preferences

Enable or disable the security features you want to configure for your Mac.

Before you begin

You must have administrator rights to configure these protection preferences.

Task

1 Click the McAfee menulet on the status bar, then select McAfee Endpoint Protection for Mac Preferences.

Alternatively, you can click McAfee Endpoint Protection for Mac on the menu bar, then select Preferences.

The General tab screen appears.

2 Click , type the administrator password, then click OK.

3 Click ON or OFF to enable or disable these features:

• On‑access Scan — Scan to detect malware threats, whenever a file is read from or written to the hard disk.

• Spyware Scan — Scan to detect spyware and take preventive actions.

• Application Protection — Define rules for applications, to run with full network access, restricted network access, or deny application execution.

• Desktop Firewall — Define rules that control the incoming and outgoing network traffic.

When you enable On‑access Scan and Spyware Scan, infected items are cleaned or quarantined based on the preferences you have configured. For more information on setting preferences, see the Anti‑malware section.

4 Click to prevent further changes.

Anti-malware

Configure anti‑malware preferences to define what actions should be taken for on‑access scan or on‑demand scan, and exclude specific paths from scanning.

Configure On-access Scan preferences

On‑access Scan protects your Mac from threats in real time. It scans for malware whenever an item is read from or written to the hard disk, and cleans or quarantines it as per the configuration.

Task

1 Click the McAfee menulet on the status bar, then select McAfee Endpoint Protection for Mac Preferences.

Alternatively, click McAfee Endpoint Protection for Mac on the menu bar, then select Preferences.

2 Click the Anti‑malware tab.

3 Click , type the administrator password, then click OK.

4 From the Scan files while drop‑down menu, select one of these options:

• Read — To scan items that are currently read from the hard disk.

• Write — To scan items when they are written to the hard disk.

• Read & Write — To scan items when they are read from or written to the hard disk.

5 In Maximum scan time (in seconds), specify the duration allowed to scan each file. You can specify a value between 10 and 999. The default value is 45.

6 From the When a virus is found drop‑down, select one of these options:

• Clean — To clean the item that contains virus. If you select this option, the If clean fails drop‑down menu appears, which provides options to quarantine, delete, or notify.

• Quarantine — To quarantine the item that contains virus. If you select this option, the If quarantine fails drop‑down menu appears, which provides options to delete or notify.

• Delete — To delete the item that contains virus.

• Notify — To notify you when a virus is detected. (No other action is taken, such as clean,quarantine, or delete).

7 From the When a spyware is found drop‑down, select one of these options:

• Clean — To clean the item that contains virus. If you select this option, the If clean fails drop‑down menu appears, which provides options to quarantine, delete, or notify.

• Quarantine — To quarantine the item that contains virus. If you select this option, the If quarantine fails drop‑down menu appears, which provides options to delete or notify.

• Delete — To delete the item that contains spyware.

• Notify — To notify you when a spyware is detected. (The virus still resides on the Mac. The Notify option does not clean, quarantine, or delete the spyware.)

8 From the Also scan drop‑down list, you can enable scanning for:

• Archives & Compressed Files

• Apple Mail Messages

• Network Volumes

For network volumes, McAfee Endpoint Protection for Mac cleans or notifies when malware is found.

9 Click to prevent further changes.

Configure on-demand scan preferences

Schedule an On‑demand Scan to run immediately, at a scheduled time, or at regular intervals.

For information on creating a scan task, see the Create a new scan task section.

Task

1 Click the McAfee menulet on the status bar, then select McAfee Endpoint Protection for Mac Preferences.

Alternatively, you can click McAfee Endpoint Protection for Mac on the menu bar, then select Preferences.

2 Click Anti‑malware.

3 Click On‑demand Scan.

4 Click , type the administrator password, then click OK. The on‑demand scan appears.

5 From the When a virus is found drop‑down, select one of these options:

• Clean — To clean the virus. If you select this option, the If clean fails drop‑down menu appears, which provides options to quarantine or delete the item.

• Quarantine — To quarantine the item that contains virus or spyware. If you select this option, the If quarantine fails drop‑down menu appears, which provides options to delete or notify.

• Delete — To delete the item that contains virus.

• Notify — To notify you when a virus is detected. (No other action is taken).

6 From the When a spyware is found drop‑down, select one of these options:

• Clean — To clean the spyware. If you select this option, the If clean fails drop‑down menu appears, which provides options to quarantine or delete the item.

• Quarantine — To quarantine the item that contains spyware. If you select this option, the If quarantine fails drop‑down menu appears, which provides options to delete or notify.

• Delete — To delete the item that contains spyware.

• Notify — To notify you when a spyware is detected. (No other action is taken).

7 From Also scan, you can enable scanning for:

• Archives & Compressed Files

• Apple Mail Messages

8 Click to prevent further changes.

Define anti-malware exclusions

Exclude file and folder paths from on‑access scan or on‑demand scan.

Task

1 Click the McAfee menulet on the status bar, then select McAfee Endpoint Protection for Mac Preferences.

Alternatively, click McAfee Endpoint Protection for Mac on the menu bar, then select Preferences.

2 Click Anti‑malware, then click Exclusions.

3 Click , type the administrator password, then click OK.

4 Click at the bottom left corner of the console. A dialog box appears that allows you to add items to the exclusion list.

5 Select the required file and folder paths, then click Open.

6 By default, both options are enabled to exclude the items from scanning. Select or deselect the On‑access Scan and On‑demand Scan options as required.

• Modify the file name, folder name, or the path location that are listed in the exclusion list. Double‑click the item to make the changes.

• Use regular expression to exclude items from scanning. For example, to exclude all files from scanning in the desktop, specify the path as /Users/user/Desktop/*.*

• To remove an item from the exclusions list, select it, then click at the bottom left corner of the screen (or press fn + delete).

7 Click to prevent further changes.


Application protection

Allows you to define rules to run applications without restrictions, run them with restrictions, or block their execution.

Configure application protection preferences

Define the permission preferences for the execution of Apple signed binaries and unknown or modified applications.

Task

1 Click the McAfee menulet on the status bar, then select McAfee Endpoint Protection for Mac Preferences.

Alternatively, you can click McAfee Endpoint Protection for Mac on the menu bar, then select Preferences, then click Application Protection.

2 Click the lock, type the administrator password, then click OK.

3 In the Rules tab, you can:

• Select or deselect Allow All Apple Signed Binaries as required.

• Select Allow, Deny, or Prompt from the Unknown/Modified Applications drop‑down menu to configure application execution and network access settings for unknown and modified applications.

If you select Prompt, type the <n> seconds (where the minimum value of 'n' is 10 and the maximum is 300). The McAfee Alert screen appears for <n> seconds, prompting you to select an action for the application as Always or Once, with these options:

• Allow Execution with Full Network Access — Executes the application with full network access.

• Allow Execution without Network Access — Executes the application without network access.

• Deny Execution — Blocks the application execution.

If you do not respond to the McAfee Alert, the execution is denied for the selected application.

4 Click the lock to prevent further changes.

Create an application protection rule

Rules determine whether an application can be executed or is blocked and, if executed, whether it runs with full network access, with restricted network access, or without network access.

Task

1 Click the McAfee menulet on the status bar, then select McAfee Endpoint Protection for Mac Preferences.

Alternatively, you can click McAfee Endpoint Protection for Mac on the menu bar, then select Preferences, then click Application Protection.

2 Click the lock, type the administrator password, then click OK.

3 Click + at the bottom left corner of the console.

4 In Application Name, browse and select the application.


5 In Action, select one of these options as required:

• Allow Execution With Full Network Access.

• Allow Execution Without Network Access.

• Allow Execution With Restricted Network Access.

• Deny Execution.

6 If you select Allow Execution With Restricted Network Access, you must define these protocols. Click + at the bottom left corner of the console to add:

• Protocol

• IP Address/Subnet

• Port/Range

• Direction

• Action

7 Click OK to return to the Rules screen.

To add more conditions for the same rule, repeat steps 6 and 7.

8 Click the lock to prevent further changes.

Modify an existing application protection rule

Use this task to modify the application protection rule that is in force.

Task

1 Click the McAfee menulet on the status bar, then select McAfee Endpoint Protection for Mac, then Preferences.

Alternatively, you can click McAfee Endpoint Protection for Mac on the menu bar, then select Preferences, then click Application Protection.

2 Click the lock, type the administrator password, then click OK.

3 Double‑click the rule you want to modify. The rule box appears. Make the required modifications.

4 Click OK to return to the Rules screen.

To delete a rule, select it, then click or press the fn + delete key.

5 Click the lock to prevent further changes.

Reapply rules for modified applications

Reapply the existing protection rules for applications that are modified or updated.

Whenever an application or binary changes due to updates, the corresponding application protection rules become invalid.

Consider a scenario where you have set a rule as Allow Application to Run with Restricted Network Access for the Safari application. When you run the updates for Safari, either manually or automatically, the defined rule becomes invalid. You must reapply the rules after completing the update.


Task

1 Click the McAfee menulet on the status bar, then select McAfee Endpoint Protection for Mac Preferences.

Alternatively, you can click McAfee Endpoint Protection for Mac on the menu bar, click Preferences, then click Application Protection.

2 Click the lock, type the administrator password, then click OK.

By default, the √ option is disabled.

3 Select the rules from the list, then click √.

The rules for modified binaries/applications are reinstated.

4 Click the lock to prevent further changes.

Specify application protection exclusions

Exclude trusted applications from the application protection rules. This option overrides any application protection rules you have already created.

Task

1 Click the McAfee menulet on the status bar, then select McAfee Endpoint Protection for Mac Preferences.

Alternatively, you can click McAfee Endpoint Protection for Mac on the menu bar, then select Preferences.

2 Click Application Protection, then click Exclusions.

3 Click the lock, type the administrator password, then click OK.

4 Click + at the bottom left corner of the screen.

5 From the list, add the path of the application(s) you want to exclude, then click Open.

6 Click the lock to prevent further changes.

To delete an exclusion, select the item, then press fn + delete.

Desktop firewall

The desktop firewall component provides a scalable solution to protect your Mac from unauthorized network traffic.

The firewall comes with a stateful engine that gives you additional flexibility in defining the allowed network traffic for your Mac. You can define rules based on various traffic parameters and group them for easier management. Here is the list of features of desktop firewall protection:

• Stateful filtering — Stateful filtering and network packet inspection validate each packet for different connections against predefined rules and hold the connection attributes in memory from start to end.

• Regular mode — When the network packet adheres to a rule’s condition from the rules list, the associated action defined in the rule is executed. If no matching rule is found, the network packet is blocked.


• Adaptive mode — When the network packet matches a rule’s conditions, the associated action defined in the rule is executed. If no matching rule is found, a new allow rule is added to the rules list to allow the traffic.

In both these modes, the status of the TCP/UDP/ICMP connection is tracked to identify whether the incoming packet is part of an existing connection.

• ePolicy Orchestrator management — The Desktop Firewall feature is fully integrated with ePolicy Orchestrator and uses its framework to define and enforce policies. This single management solution allows mass deployment of policies to multiple managed Macs across the organization.

• DNS blocking — Blocks access to specified domains, which prevents access to malicious domains.

• Location awareness — Creates separate rules for locations such as office or home network.

• FTP inspection — A stateful firewall setting that allows FTP connections to be tracked so that they require only one firewall rule for outgoing FTP client traffic, and one for incoming FTP server traffic. If this option is not selected, FTP connections require an additional rule for incoming FTP client traffic and outgoing FTP server traffic. This should always be selected.

• Trusted networks — Define networks, which can include subnets, ranges, or a single IP Address, that can be used while creating firewall rules.

The location awareness and trusted networks features can be configured from ePolicy Orchestrator management only.

Contents

• How stateful filtering works

• How regular mode firewall protection works

• How adaptive mode firewall protection works

• How DNS blocking works

• How stateful FTP inspection works

• How desktop firewall rules work

• How desktop firewall rules are organized

• Configure desktop firewall protection

How stateful filtering works

Stateful filtering checks network packets against two rule sets: a configurable firewall rule set and a dynamic firewall rule set (the state table).

A state table entry is the result of network activity and reflects the state of the network stack. Each rule in the state table has only one action, Allow, so any network packet that matches a rule in the state table is automatically permitted.

You can configure rules for two possible actions:

• Allow — The packet is permitted and an entry is made in the state table.

• Block — The packet is blocked and no entry is made in the state table.

When a network packet matches an allow rule, the packet is allowed and a new entry is added to the state table, and its subsequent packets are allowed without further verification for that session. When the session is completed or timed out, the entry is removed from the state table. The state table dynamically tracks connections that matched the rules earlier and reflects the current connection state of the TCP/UDP/ICMP protocols.


How regular mode firewall protection works

Each rule contains a set of conditions that the network traffic must meet, and the associated parameters of that rule determine whether to allow or block the network traffic.

In regular mode, desktop firewall uses precedence to apply rules. The rule at the top of the rules list is applied first. If the network packet meets the conditions, desktop firewall allows or blocks the packet as defined. If the packet does not meet the first rule's condition, the next rule is checked. Desktop firewall moves down through the rules list until a rule is satisfied. If no rule in the rules list is met, desktop firewall blocks the traffic.

Once the traffic matches a rule condition, desktop firewall does not try to apply any further rules from the list. If the intercepted traffic matches more than one rule in the list, only the first matching rule in the list is applied.


To switch the desktop firewall protection from Regular Mode to Adaptive Mode, click the McAfee menulet | McAfee Endpoint Protection for Mac Preferences | Desktop Firewall | Adaptive Mode.

How adaptive mode firewall protection works

Adaptive mode also follows the precedence method, but with a difference.

As in regular mode, desktop firewall uses precedence to apply rules: the rule at the top of the rules list is applied first. The difference is that when the network packet does not match any of the defined rules in the list, a new allow rule is created to allow the non‑matching packet.

For security reasons, when adaptive mode is enabled, incoming pings are blocked unless an explicit allow rule is created for the incoming ICMP traffic.

Refer to this diagram to see how network packets are handled in Adaptive Mode.


To switch the desktop firewall protection from Adaptive Mode to Regular Mode, click the McAfee menulet | McAfee Endpoint Protection for Mac Preferences | Desktop Firewall | Regular Mode.
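The evaluation order described in the stateful filtering, regular mode and adaptive mode sections (state table first, then the rules list from the top, then the mode's default), as an added Python model that is not McAfee code. The class names, the sample rules and packets, and the scope of a learned adaptive rule (direction, protocol, remote port) are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", seen from the local Mac
    proto: str       # "tcp", "udp" or "icmp"
    local_port: int
    remote_ip: str
    remote_port: int

    def flow(self):
        # Both directions of one connection share this state-table key.
        return (self.proto, self.local_port, self.remote_ip, self.remote_port)

@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "block"
    direction: str
    proto: Optional[str] = None        # None matches any protocol
    remote_port: Optional[int] = None  # None matches any port

    def matches(self, p):
        return (self.direction == p.direction
                and self.proto in (None, p.proto)
                and self.remote_port in (None, p.remote_port))

@dataclass
class Firewall:
    mode: str                                  # "regular" or "adaptive"
    rules: list = field(default_factory=list)  # ordered, top of the list first
    state: set = field(default_factory=set)    # dynamic rule set, allow-only

    def handle(self, p):
        """Return (action, reason) for one packet."""
        if p.flow() in self.state:             # part of a tracked connection
            return ("allow", "state table")
        for rule in self.rules:                # precedence: first match wins
            if rule.matches(p):
                if rule.action == "allow":
                    self.state.add(p.flow())   # Block never creates an entry
                return (rule.action, rule.name)
        incoming_ping = p.proto == "icmp" and p.direction == "in"
        if self.mode == "regular" or incoming_ping:
            return ("block", "no matching rule")
        # Adaptive mode learns an allow rule after the existing rules.
        # Assumption: the learned rule covers direction, protocol, remote port.
        learned = Rule(f"adaptive-{len(self.rules) + 1}", "allow",
                       p.direction, p.proto, p.remote_port)
        self.rules.append(learned)
        self.state.add(p.flow())
        return ("allow", learned.name)

    def end_session(self, p):
        self.state.discard(p.flow())           # session completed or timed out

def guide_rules():
    # Constructed list: the guide's DNS and website rules plus a generic block.
    return [Rule("allow-dns", "allow", "out", "udp", 53),
            Rule("allow-web", "allow", "out", "tcp", 80),
            Rule("block-tcp-out", "block", "out", "tcp")]

# Constructed sample packets (documentation address ranges).
DNS_QUERY = Packet("out", "udp", 50000, "192.0.2.53", 53)
DNS_REPLY = Packet("in", "udp", 50000, "192.0.2.53", 53)
WEB = Packet("out", "tcp", 50001, "198.51.100.10", 80)
SSH = Packet("out", "tcp", 50002, "198.51.100.10", 22)
NTP = Packet("out", "udp", 123, "203.0.113.5", 123)
PING_IN = Packet("in", "icmp", 0, "203.0.113.9", 0)

def compare_modes():
    results = {}
    for mode in ("regular", "adaptive"):
        fw = Firewall(mode, guide_rules())
        results[mode] = {
            "reply_before_query": fw.handle(DNS_REPLY),
            "query": fw.handle(DNS_QUERY),
            "reply_after_query": fw.handle(DNS_REPLY),
            "web": fw.handle(WEB),
            "ssh": fw.handle(SSH),
            "ntp": fw.handle(NTP),
            "ping_in": fw.handle(PING_IN),
            "rule_count": len(fw.rules),
        }
    return results

def shadowed_order():
    # Generic block rule placed above the specific allow rule: web is blocked.
    rules = guide_rules()
    fw = Firewall("regular", [rules[2], rules[0], rules[1]])
    return fw.handle(WEB)

if __name__ == "__main__":
    for mode, outcome in compare_modes().items():
        print(mode, outcome)
    print("shadowed:", shadowed_order())
```

In the constructed run, regular mode blocks the unsolicited DNS reply and the NTP packet, while adaptive mode learns an allow rule for each and ends with five rules; an explicit block rule and the incoming-ping default still block in both modes.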

How DNS blocking works

To refine the firewall protection, you can create a list of domain name servers that must be blocked.

Specify the domain names that should be blocked. You can use the ? and * wildcards to define the domain names. If you want to block a fully qualified domain name, you can use the FQDN remote address option in desktop firewall.

If the firewall host has not initiated any DNS queries for the blocked domains or FQDN, the DNS blocking and FQDN based rules will not work.

How stateful FTP inspection works

Stateful packet inspection combines stateful filtering with access to application‑level commands, which secures protocols such as FTP.

FTP involves two connections:

• control for commands

• data for the information

When a client connects to an FTP server, the control channel is established, arriving on FTP destination port 21, and an entry is made in the state table. If the option for FTP inspection has been set with the Firewall Options policy, when the firewall encounters a connection opened on port 21, it knows to perform stateful packet inspection on the packets coming through the FTP control channel.

With the control channel open, the client communicates with the FTP server. The firewall parses the PORT command in the packet and creates a second entry in the state table to allow the data connection.


When the FTP server is in active mode, it opens the data connection; in passive mode, the client initiates the connection. When the FTP server receives the first data transfer command (LIST), it opens the data connection toward the client and transfers the data. The data channel is closed after the transmission is completed.

The combination of the control connection and one or more data connections is called a session, and FTP dynamic rules are sometimes referred to as session rules. The session remains established until its control channel entry is deleted from the state table. During the periodic cleanup of the table, if a session’s control channel has been deleted, all data connections are subsequently deleted.
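The session handling described above, as an added Python sketch that is not McAfee code: it parses the FTP PORT command (h1,h2,h3,h4,p1,p2, where the port is p1*256+p2), adds the dynamic data entry under the control entry, and drops all data entries when the control entry is deleted. The class and method names and the sample addresses are assumptions; the check that the PORT address belongs to the client is an added hardening step that the guide does not describe.

```python
import re

PORT_CMD = re.compile(
    r"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})",
    re.IGNORECASE)

def parse_port(line):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if malformed."""
    m = PORT_CMD.fullmatch(line.strip())
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

class FtpSessionTable:
    """State table restricted to FTP: a control entry owns its data entries."""
    FTP_CONTROL_PORT = 21

    def __init__(self):
        self.sessions = {}   # control entry -> set of dynamic data entries

    def open_control(self, client_ip, client_port, server_ip, server_port):
        # Only connections to port 21 are treated as FTP control channels.
        if server_port != self.FTP_CONTROL_PORT:
            return None
        key = (client_ip, client_port, server_ip)
        self.sessions[key] = set()
        return key

    def inspect_command(self, key, line):
        """Inspect one client command; a valid PORT adds a data entry."""
        if key not in self.sessions:
            return None
        endpoint = parse_port(line)
        if endpoint is None:
            return None
        ip, port = endpoint
        # Added check (assumption, not in the guide): only open a data entry
        # toward the client that owns the control connection.
        if ip != key[0]:
            return None
        entry = (key[2], ip, port)   # server -> client data connection
        self.sessions[key].add(entry)
        return entry

    def data_allowed(self, server_ip, client_ip, client_port):
        wanted = (server_ip, client_ip, client_port)
        return any(wanted in entries for entries in self.sessions.values())

    def close_control(self, key):
        # Deleting the control entry deletes every data entry of the session.
        self.sessions.pop(key, None)

def demo():
    table = FtpSessionTable()
    # Constructed session: client 10.0.0.5 talks to server 192.0.2.21.
    key = table.open_control("10.0.0.5", 50010, "192.0.2.21", 21)
    entry = table.inspect_command(key, "PORT 10,0,0,5,195,80\r\n")
    before = table.data_allowed("192.0.2.21", "10.0.0.5", 50000)
    table.close_control(key)
    after = table.data_allowed("192.0.2.21", "10.0.0.5", 50000)
    return entry, before, after

if __name__ == "__main__":
    print(demo())
```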

How desktop firewall rules work

Each rule contains a set of conditions that the network traffic must meet, and the associated parameters of that rule determine whether to allow or block the network traffic.

This diagram explains how the network packet filtering works.


This diagram explains how the process rule table flow works for each network packet.


How desktop firewall rules are organized

Rules are categorized as ePO Rules, Client Rules, and Adaptive Rules. These rules are arranged and displayed in an organized manner.

Rules are displayed in a tree view, in serial order from the top within their respective rule groups. The ePO Rules group appears at the top with its list of rules, followed by the Client Rules, then the Adaptive Rules.

To view the desktop firewall rules, click the McAfee menulet | McAfee Endpoint Protection for Mac Preferences | Desktop Firewall.

• ePO Rules — Defined and enforced by administrators, if your Mac is managed from ePolicy Orchestrator.

• Client Rules — Created locally to allow or block specific network access.

• Adaptive Rules — Created automatically to allow the packet whenever a non‑matching data packet is received.

• The ePO Rules are displayed and applied only when the Mac is in a managed environment.

• The local user cannot modify the ePO Rules.

• Users cannot add rules above or in between ePO Rules.

• New rules are always added after the existing rules in the respective group.

Configure desktop firewall protection

Create rule groups and specific rules to control the incoming and outgoing network traffic.

Tasks

• Create a firewall rule — Add more specific rules at the top of the list, and the generic rules at the bottom, to filter the traffic with ease.

Create a firewall rule

Add more specific rules at the top of the list, and the generic rules at the bottom, to filter the traffic with ease.

Task

1 Click the McAfee menulet on the status bar, then select McAfee Endpoint Protection for Mac Preferences.

Alternatively, click McAfee Endpoint Protection for Mac on the menu bar, then select Preferences.

2 Click Desktop Firewall.

3 Click the lock, type the administrator password, then click OK.

4 Select Regular Mode.


5 Click + at the bottom left corner of the console.

The rule box screen appears.

6 Type a name for Rule Name.

7 Define the following parameters as required:

From these fields.. | Configure these options..

Rule Name | Type a name for the rule.

Status | Select:

• Enabled — To enable the firewall rule.

• Disabled — To disable the firewall rule.

Actions | Select:

• Block — To block the network traffic.

• Allow — To allow the network traffic.

Direction | Select:

• Incoming — To apply the rules for incoming network traffic.

• Outgoing — To apply the rules for outgoing network traffic.

Logging | Select:

• Enabled — To create an event log.

• Disabled — To avoid creating an event log.


Interface(s) | Select:

• Wired

• Wireless

• Virtual

Network Protocol IPv4 | Define the configuration for Local Mac using:

• Single

• Subnet

• Local Subnet

• Range (of IP Address)

• Full Qualified Domain Name

• Any Local IP

• Any IPv4 Address

Local Mac is the system on which you are adding rules.

Select the configuration for Remote Mac using:

• Single

• Subnet

• Local Subnet

• Range (of IP Address)

• Full Qualified Domain Name

• Any Local IP

• Any IPv4 Address

You can add more criteria using and remove existing criteria using

You can add more criteria using and remove existing criteria using

Transport Protocol | Select All Protocols to apply the rule for all protocols.

If you select Select Protocol, then define the parameters for:

• TCP

• UDP

• ICMP

You can add more criteria using and remove existing criteria using

8 Click OK.

9 Click the lock to prevent further changes.

To edit an existing firewall rule, select the rule then click . The rule box screen appears.

Desktop firewall rules examples

Refer to these common scenario‑based firewall rule examples when you create new firewall rules.

To allow your Mac to get an IP Address on an interface, you should create two rules. First create a rule to allow DHCP outgoing on UDP local port 68 and remote port 67, then create a rule to allow DNS queries.


Create a rule to allow DHCP outgoing on UDP local port 68 to remote port 67

• Rule Name — Type a name for the rule

• Status — Enabled

• Action — Allow

• Direction — Outgoing

• Network Protocol (IPv4) — Not Applicable

• Transport Protocol — Select Protocol

• Select UDP, Local, then type the Port No as 68

• Select UDP, Remote, then type the Port No as 67

Create a rule to allow DNS queries

• Rule Name — Type a name for the rule

• Status — Enabled

• Action — Allow

• Direction — Outgoing

• Network Protocol (IPv4) — Not Applicable

• Transport Protocol — Select Protocol

• Select UDP, Remote, then type the Port No as 53

Create a rule to allow access to websites

• Rule Name — Type a name for the rule

• Status — Enabled

• Action — Allow

• Direction — Outgoing

• Network Protocol (IPv4) — Not Applicable

• Transport Protocol — Select Protocol

• Select TCP, Remote, then type the Port No as 80

Allow specific remote IP Address and port access

• Rule Name — Type a name for the rule

• Status — Enabled

• Action — Allow

• Direction — Outgoing

• In Network Protocol (IPv4), select Remote, Subnet, then type the Subnet Mask value

• Transport Protocol — Select Protocol

• Select TCP, Remote, then type the Port No

You can type a single port number, a series of port numbers separated by commas, or a range of ports using a hyphen.

Recommended firewall rules

We recommend you configure these rules, in addition to the default rules:


• Allow bi‑directional NTP port 123 to 123

• Allow bi‑directional NetBIOS name service port 137 to 137

• Allow outgoing FTP client port 1024‑65535 to 21

• Allow bi‑directional for POP3, IMAP, SMTP

• Allow RDP and SNMP

• Add rules for LDAP and AFP/SMB

Configure update schedule

Configure the repository list that needs to be accessed to update the anti‑malware engine, the proxy connection settings, and the engine update schedule.

Tasks

• Configure repository list — Always keep your DAT files and anti‑malware engine up‑to‑date to secure your Mac from the latest threats.

• Configure proxy settings — Configure proxy settings if you use proxy servers to connect to the Internet for retrieving packages.

• Configure anti-malware engine update schedule — Periodic updates of the anti‑malware engine and DAT files secure your Mac from the latest threats.

Configure repository list

Always keep your DAT files and anti‑malware engine up‑to‑date to secure your Mac from the latest threats.

The software is shipped with a configuration that allows it to access the McAfee FTP server, HTTP server, and the local repository to download the latest DAT files while your Mac is connected to the Internet.

Task

1 Click the McAfee menulet on the status bar, then select McAfee Endpoint Protection for Mac Preferences.

Alternatively, click McAfee Endpoint Protection for Mac on the menu bar, then select Preferences.

2 Click Update.

3 Click the lock, type the administrator password, then click OK.

The Repository List tab appears.

4 In the Repository Name list box, you can use:

• — to add a new repository.

• — to delete an existing repository.

• — to prioritize repositories.

5 In Repository Type, select FTP, HTTP, or a Local repository from where the latest DATs can be downloaded.


6 Specify a Repository URL, Port, User Name, and Password for the repository.

7 Click the Schedule tab and schedule the task.

8 Click Apply.

9 Click the lock to prevent further changes.

Configure proxy settings

Configure proxy settings if you use proxy servers to connect to the Internet for retrieving packages.

Task

1 Click the McAfee menulet on the status bar, then select McAfee Endpoint Protection for Mac Preferences.

Alternatively, click McAfee Endpoint Protection for Mac on the menu bar, then select Preferences.

2 Click Update, then click the Proxy Settings tab.

3 Click the lock, type the administrator password, then click OK.

4 Click Do not use a proxy, if you do not want to use a proxy server for connecting to the Internet.

5 To use a proxy server, click Configure proxy settings manually.

6 Select the Use these settings for all proxy types option, if you want to specify the same IP Address and port number for all the proxy types.

7 Select FTP or HTTP server, then type the IP Address and Port number of the selected server.

8 Select Use authentication, then type the username and password for FTP, HTTP, or a local repository.

9 To bypass a proxy server for specific domain(s), select Specify exceptions, then type the proxy server name.

10 Click the lock to prevent further changes.

Configure anti-malware engine update schedule

Periodic updates of the anti‑malware engine and DAT files secure your Mac from the latest threats.

Task

1 Click the McAfee menulet on the status bar, then select McAfee Endpoint Protection for Mac Preferences.

Alternatively, click McAfee Endpoint Protection for Mac on the menu bar, then select Preferences.

2 Click Update.

3 Click the lock, type the administrator password, then click OK.

4 Click the drop‑down then select:

• Never — To never update the engine.

• Hourly — To update the anti‑malware engine and DAT files on an hourly basis, then select the hours.


• Daily — To update the anti‑malware engine and DAT files daily, then type the time.

• Weekly — To update the anti‑malware engine and DAT files weekly, select weekdays, then type the time.

• Monthly — To update the anti‑malware engine and DAT files monthly, select the day of the month, then type the time.

5 Click Apply.

6 Click the lock to prevent further changes.


5 Managing the software from ePolicy Orchestrator

Integrate and manage McAfee Endpoint Protection for Mac using ePolicy Orchestrator management software.

McAfee ePolicy Orchestrator provides a scalable platform for centralized policy management and enforcement on your McAfee security products and the systems on which they reside. It also provides comprehensive reporting and product deployment capabilities through a single point of control.

For instructions about setting up and using ePolicy Orchestrator, see the product guide for your version of the product.

Contents

• Create anti-malware policy

• Create application protection policy

• Desktop firewall policy

• Create a DNS blocking policy

• Create trusted network policy

• Create location awareness policy

• Schedule anti-malware engine update

• Queries and reports

Create anti-malware policy

Create anti‑malware policies to define parameters for on‑access scan and on‑demand scan from the Policy Catalog.

Alternatively, you can create or modify these policies from the System Tree, while assigning policies to selected systems. See the product guide for your version of the ePolicy Orchestrator software for more information.

Task

1 Log on to the ePolicy Orchestrator server as an administrator.

2 From the Policy Catalog, select Anti‑malware for Mac 9.5.0 as the product, then select Anti‑malware as the category.

3 Click New Policy, type a name for the policy, then click OK. The policy page General tab appears.

4 Select the required options from General policies controlling overall functioning of Anti‑malware.

5 Click the On‑access Scan tab and define these settings:


In.. Define..

On‑access Scan policies
• Scan contents of Archives and compressed files – To scan archived and compressed files.
• Scan Apple Mail Messages – To scan Apple Mail messages.
• Scan file on Network Volumes – To scan the files on mounted network volumes.
• In Maximum scan time (seconds), type a value between 10 and 999.

Scan files
• On Read – To scan files when they are accessed for reading.
• On Write – To scan files when they are written to the hard disk.
• Read & Write – To scan files when they are read from or written to the hard disk.

When a virus is found
• Clean – To clean the item that contains malware.
• Quarantine – To isolate the item that contains malware.
• Delete – To delete the item that contains malware.
• Notify – To notify when malware is detected.

If the above action fails
• Quarantine – To isolate the item that contains malware.
• Delete – To delete the item that contains malware.
• Notify – To notify when malware is detected.

When a spyware is found
• Clean – To clean the item that contains malware.
• Quarantine – To isolate the item that contains malware.
• Delete – To delete the item that contains malware.
• Notify – To notify when malware is detected.

If the above action fails
• Quarantine – To isolate the item that contains malware.
• Delete – To delete the item that contains malware.
• Notify – To notify when malware is detected.

6 Click the On‑demand Scan tab, then define these settings:

In.. Define..

On‑demand Scan policies
• Scan contents of Archives and compressed files – To scan archived and compressed files.
• Scan Apple Mail Messages – To scan Apple Mail messages.
• Scan file on Network Volumes – To scan the files on mounted network volumes.
• In Maximum scan time (seconds), type a value between 10 and 999.

When a virus is found
• Clean – To clean the item that contains malware.
• Quarantine – To isolate the item that contains malware.
• Delete – To delete the item that contains malware.
• Notify – To notify when malware is detected.


If the above action fails
• Quarantine – To isolate the item that contains malware.
• Delete – To delete the item that contains malware.
• Notify – To notify when malware is detected.

When a spyware is found
• Clean – To clean the item that contains malware.
• Quarantine – To isolate the item that contains malware.
• Delete – To delete the item that contains malware.
• Notify – To notify when malware is detected.

If the above action fails
• Quarantine – To isolate the item that contains malware.
• Delete – To delete the item that contains malware.
• Notify – To notify when malware is detected.

7 Click the Exclusions tab.

a In the Exclude specific disks, files and folders text box, type the path you want to exclude from scanning.

To exclude the file excludethis.docx, which is located on the desktop, type /desktop/excludethis.docx

b Select the On‑access‑Scan and/or On‑demand Scan check boxes to exclude these items.

8 Click Save.


Schedule on-demand scan

Schedule an on‑demand scan to scan the managed Mac to detect a threat.

Task

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Menu | Systems | System Tree, then select the required group or systems.

3 Click the Assigned Client Tasks tab, then click Actions | New Client Task Assignment. The Client Task Assignment Builder screen appears.

4 In Product, select Anti‑malware for Mac 9.5.0.

5 In Task Type, select On Demand Scan Task.

6 Click Create New Task. The Client Task Catalog screen appears.

7 Type a name for the task, then click Save. The task is listed in the Task Name.

8 Select the task, then click Next.


9 Define these parameters, then click Next.
• Schedule status
• Schedule type
• Effective period
• Start time
• Task runs according to
• Options

The summary page appears.

10 Click Save.

11 In the System Tree pane, select the systems or groups where you assigned the task.

12 In the right pane, select Group Details, then click Wake Up Agents.

The Wake Up McAfee Agent screen appears.

13 In Force policy update, select Force complete policy and task update, then click OK.

Create application protection policy

Create policies to define rules to run applications without restrictions, with restrictions, or block the execution.

Task

1 Log on to the ePolicy Orchestrator server as an administrator.

2 From the Policy Catalog, select Application Protection for Mac 2.0 as the product, then select Application Protection as the category.

3 Click New Policy, type a name for the policy, then click OK. The policy page General tab appears.

4 Select the required options from General Application Protection policies.

5 Click the Rules tab, then click Add. The Add Application Rule box appears.

6 Type the application name with path.

For example, if you want to create a rule for the application Chess, type /Applications/Chess.app in the Name.

7 From the Status drop‑down list, select one of these options as required:

• Allow execution with full network access

• Allow execution without network access

• Allow execution with restricted network access

• Deny execution

8 Click Exclusions tab.

9 Click Add.

The Add Application Exclusion box appears.


10 Type the application name with path, then click OK.

For example, if you want to exclude the application Calculator, type /Applications/Calculator.app in the Name.

11 Click Save.

Desktop firewall policy

Define firewall policies and rules to assign to the managed Mac to control incoming and outgoing network traffic.

McAfee EPM uses the common ePolicy Orchestrator extension (Host Intrusion Prevention), which is also used for Windows. Refer to this table for the policies you can create under each product category.

Product: Host Intrusion Prevention 8.0: Firewall
Extension: Firewall Options (Windows, Mac)
Available policies: Policies to
• Enable or disable the regular or adaptive firewall protection on the managed Mac.
• Define stateful firewall settings.
• Retain existing client rules when the firewall policy is enforced.

Product: Host Intrusion Prevention 8.0: Firewall
Extension: Firewall Rules (Windows, Mac) (UBP)
Available policies: Policies to
• Create new firewall rules.
• Create rule groups.
• Add rules from catalog.
• Add group from catalog.

Product: Host Intrusion Prevention 8.0: Firewall
Extension: DNS Blocking (Windows, Mac)
Available policies: Policies to block access based on domain names.

Product: Host Intrusion Prevention 8.0: General
Extension: Trusted Networks (Windows, Mac)
Available policies: Set the trusted network options with a list of addresses and subnets marked as trusted.

Create desktop firewall policy

Create a desktop firewall policy and assign it to the managed Mac.

Task

1 Log on to the ePolicy Orchestrator server as an administrator.

2 From the Policy Catalog, select Host Intrusion Prevention 8.0: Firewall as the product, then select Firewall Options (Win, Mac) as the category.

3 Click New Policy, type a name for the policy, then click OK. The policy page appears.


From.. Set these options..

Firewall status
Select Enabled – To enable desktop firewall protection on the managed Mac.
• Select Regular protection – To allow network traffic only when the network packet adheres to a rule's conditions.
• Adaptive mode – To create a new allow rule when the network packet does not match an existing rule.

Firewall client rules
Select Retain existing client rules when this policy is enforced – To retain the rules that are created by the client Mac when you enforce this policy.

Stateful firewall settings
Select FTP protocol inspection, then type numbers in TCP connection timeout (in seconds) and UDP and ICMP echo virtual connection timeout (in seconds).

4 Click Save.

5 Send a Wake Up Agents call.

For more details on Wake Up Agents, see the Assign policies section.

Create new firewall rules

Task

1 Log on to the ePolicy Orchestrator server as an administrator.

2 From the Policy Catalog, select Host Intrusion Prevention 8.0: Firewall as the product, then select Firewall Rules (Windows, Mac) (UBP) as the category.

3 Click New Policy, type a name for the policy, then click OK. The policy page appears.

4 Click New Rule, type a name for the policy, then click OK. The Firewall Rule Builder page appears. In the Description tab:

From.. Configure these options..

Name
Type a name for the rule.

Action
Select
• Allow – To allow the traffic.
• Block – To block the traffic.
Check Log matching traffic, if needed.

Direction
Select
• In – To apply the rules for incoming traffic.
• Out – To apply the rules for outgoing traffic.
• Either – To apply the rules for incoming and outgoing traffic.

Status
Select
• Enabled – To enable the rule on the managed Mac.
• Disabled – To disable the rule on the managed Mac.

5 Click Next. The Network Options page appears.


From.. Configure these options..

Network protocol
1 Select
• Any Protocol – To allow any IP Protocol.
• IP Protocol – To select IPv4 Protocol.

McAfee EPM supports only IPv4 protocols; IPv6 protocols are not supported in this version.

2 Select appropriate values for
• New (Local)
• New (Remote)
• Add From Catalog (Local)
• Add From Catalog (Remote)

Media Types
Check
• Wired – To apply the rule for wired connections.
• Wireless – To apply the rule for wireless connections.
• Virtual – To apply the rule for virtual connections.

You can check more than one option in Media types.

6 Click Next. The Transport Options page appears.

From.. Configure these options..

Transport protocol
Select
• All Protocols – To allow TCP, UDP, and ICMP protocols.
• TCP – To allow only TCP protocol.
• UDP – To allow only UDP protocol.
• ICMP – To allow only ICMP protocol.

7 Click Save, then click the Summary tab.

You can skip the Applications and Schedule tab settings because they are Windows operating system specific configuration.

8 Send a Wake Up Agents call.

For more details on Wake Up Agents, see the Assign policies section.
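The following added example (an illustration written for this page, not McAfee code) models how the rule fields above interact with the Regular protection and Adaptive mode settings, and why rules learned in adaptive mode deserve review before they are retained. The top-down first-match order and all class, function and rule names are assumptions; the packets are constructed samples.

```python
from dataclasses import dataclass

ALL_MEDIA = frozenset({"wired", "wireless", "virtual"})


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "allow" or "block"
    direction: str                # "in", "out" or "either"
    transport: str = "all"        # "all", "tcp", "udp" or "icmp"
    media: frozenset = ALL_MEDIA  # media types the rule applies to
    enabled: bool = True          # Status: Enabled / Disabled
    learned: bool = False         # True for client rules created in adaptive mode

    def matches(self, pkt):
        return (self.enabled
                and self.direction in ("either", pkt["direction"])
                and self.transport in ("all", pkt["transport"])
                and pkt["media"] in self.media)


@dataclass
class Firewall:
    rules: list
    adaptive: bool = False

    def decide(self, pkt):
        for rule in self.rules:   # assumption: the first matching rule wins
            if rule.matches(pkt):
                return rule.action
        if not self.adaptive:     # regular protection: no matching rule, no traffic
            return "block"
        # Adaptive mode: unmatched traffic creates a new allow rule on the client.
        self.rules.append(Rule(f"learned-{len(self.rules)}", "allow",
                               pkt["direction"], pkt["transport"],
                               frozenset({pkt["media"]}), learned=True))
        return "allow"

    def learned_rules(self):
        return [r for r in self.rules if r.learned]


ADMIN_RULES = [
    Rule("allow-web-out", "allow", "out", "tcp"),
    Rule("block-icmp-in", "block", "in", "icmp"),
]

# Constructed sample traffic, not captured from a real host.
PACKETS = [
    {"direction": "out", "transport": "tcp", "media": "wired"},
    {"direction": "in", "transport": "icmp", "media": "wireless"},
    {"direction": "in", "transport": "udp", "media": "wireless"},
]


def run(adaptive, rules=None):
    """Evaluate PACKETS and return (verdicts, firewall) for inspection."""
    fw = Firewall(list(ADMIN_RULES if rules is None else rules), adaptive)
    return [fw.decide(p) for p in PACKETS], fw


if __name__ == "__main__":
    print("regular :", run(adaptive=False)[0])
    verdicts, fw = run(adaptive=True)
    print("adaptive:", verdicts, [r.name for r in fw.learned_rules()])
    # Back to regular protection with client rules retained.
    print("retained:", run(adaptive=False, rules=fw.rules)[0])
```

In this model, the inbound UDP packet that regular protection blocks is allowed once adaptive mode has learned a rule for it, and it stays allowed after switching back to regular protection if the client rules are retained.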

Create a DNS blocking policy

Add domain name servers that desktop firewall blocks by not allowing their IP address.

To block fully qualified domains, do not use this task; use the FQDN remote address option in a firewall rule instead.


Task

1 Log on to the ePolicy Orchestrator server as an administrator.

2 From the Policy Catalog, select Host Intrusion Prevention 8.0: Firewall as the product, then select DNS Blocking (Windows, Mac) as the category.

3 Click New Policy, type a name for the policy then click OK.

The policy page appears.

4 In Blocked Domains, type the domain name, then click Save.

You can add more domains in a single policy by clicking .

5 Click Save.

Create trusted network policy

Configure settings to define trusted network options and maintain a list of network addresses and subnets marked as trusted.

The trusted networks policy maintains a list of network addresses and subnets, which you can tag as trusted for clients on Mac. Firewall rules whose remote address is set to trusted apply to these networks.

This policy category contains a preconfigured policy, which includes local subnets automatically but lists no network addresses, and an editable My Default policy. You can view and duplicate the preconfigured policy; you can create, edit, rename, duplicate, delete, and export editable custom policies.

Task

1 Log on to the ePolicy Orchestrator server as an administrator.

2 From the Policy Catalog, select Host Intrusion Prevention 8.0: General as the product, then select Trusted Networks (Windows, Mac) as the category.

3 Click New Policy, type a name for the policy, then click OK.

The policy page appears.

4 Select Enabled under Include Local Subnet Automatically to treat all users on the same subnet as trusted.

5 In the Trusted Networks, type a trusted IP address, address range, or subnet.

6 Select Trust for IPS to define the network as trusted for network IPS signatures or HTTP type host and custom IPS signatures.

Click or to add or remove a trusted network entry.
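As an added illustration (not McAfee code and not part of the product guide), the script below audits a list of Trusted Networks entries before they are typed into the policy and shows how Include Local Subnet Automatically widens what counts as trusted. The entry syntaxes, the max_hosts threshold and every function name are assumptions; the IPv4-only check follows the guide's statement that IPv6 is not supported in this version.

```python
import ipaddress


def parse_entry(text):
    """Return the IPv4 networks covered by one trusted-network entry.

    Assumed syntaxes: '192.0.2.10', '192.0.2.10-192.0.2.20', '192.0.2.0/24'.
    Raises ValueError for malformed or non-IPv4 input.
    """
    text = text.strip()
    if "-" in text:
        first, last = (ipaddress.IPv4Address(p.strip())
                       for p in text.split("-", 1))
        if first > last:
            raise ValueError(f"range start is after range end: {text}")
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.IPv4Network(text, strict=False)]


def is_trusted(remote, entries, local_subnet=None):
    """True if the remote address falls inside any trusted entry.

    local_subnet models 'Include Local Subnet Automatically' being enabled.
    """
    addr = ipaddress.IPv4Address(remote)
    nets = [n for e in entries for n in parse_entry(e)]
    if local_subnet is not None:
        nets.append(ipaddress.IPv4Network(local_subnet, strict=False))
    return any(addr in n for n in nets)


def audit(entries, max_hosts=1024):
    """Flag entries that are invalid, not IPv4, or broader than max_hosts."""
    findings = []
    for entry in entries:
        try:
            size = sum(n.num_addresses for n in parse_entry(entry))
        except ValueError as exc:
            findings.append((entry, f"invalid or non-IPv4 entry: {exc}"))
            continue
        if size > max_hosts:
            findings.append((entry, f"covers {size} addresses"))
    return findings


# Constructed sample entries (documentation and private address ranges).
SAMPLE = [
    "192.0.2.10",
    "198.51.100.5-198.51.100.9",
    "10.0.0.0/8",
    "2001:db8::/32",
]

if __name__ == "__main__":
    for entry, reason in audit(SAMPLE):
        print(f"REVIEW {entry}: {reason}")
    valid = SAMPLE[:3]
    print(is_trusted("198.51.100.7", valid))                   # inside the range
    print(is_trusted("203.0.113.4", valid))                    # not listed
    print(is_trusted("203.0.113.4", valid, "203.0.113.0/24"))  # local subnet on
```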

Create location awareness policy

Allows users to access the network from multiple locations, with a unique security policy for each location.

A location awareness policy contains a set of defined rules. When a network packet matches certain criteria in the group definition, such as ePO reachability, DNS server address, DNS suffix, Primary WINS, Secondary WINS, and gateway, the group becomes active. When the location awareness group is active, the network packet should match with the rules in the group.


Task

1 Log on to the ePolicy Orchestrator server as an administrator.

2 From the Policy Catalog, select Host Intrusion Prevention 8.0: Firewall as the product, then select Firewall Rules (Windows, Mac) as the category.

3 Click New Policy, type a name for the policy, then click OK.

The policy page appears.

4 Click New Group.

The Firewall Group Builder page appears.

5 Type a name for the Group, then select Direction and Status options, then click Next.

The Location tab appears.

6 Define the parameters, then click Next.
• Location status
• Name
• ePO reachability
• Connection specific DNS suffix
• Default gateway
• DHCP server
• DNS server
• Primary WINS
• Secondary WINS

The Network Options tab appears.

7 Define the parameters for Network protocols and Media type, then click Next.

The Transport Options tab appears.

8 Click Summary tab. Verify the parameters.

9 Click Save.

Schedule anti-malware engine update

Schedule automatic updates to keep the software up‑to‑date with the latest anti‑malware definitions (DATs) and scan engine.

Task

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Menu | Systems | System Tree, then select the required group or systems.

3 Click the Assigned Client Tasks tab, then click New Client Task Assignment. The Client Task Assignment Builder screen appears.

4 In Product, select McAfee Agent.

5 In Task Type, select Product Update Task.

6 Click Create New Task. The Client Task Catalog screen appears.


7 Type a name for the task, select Mac Engine and DAT in Signatures and engines from Package types, then click Save. The task is listed in the Task Name.

8 Select the task, then click Next. The Schedule page appears. In the System Tree pane, select the systems or groups where you assigned the task.

9 Set the values for:
• Schedule status
• Schedule type
• Effective period
• Start time
• Task runs according to
• Options

then click Next.

The Summary screen appears.

10 Click Save.

11 In the right pane, select Group Details, then click Wake Up Agents.

The Wake Up McAfee Agent screen appears.

12 In Force policy update, select Force complete policy and task update, then click OK.

Queries and reports

Run predefined queries to generate reports, or modify them to generate custom reports.

Query / Displays information on..

EPM: Endpoint Protection for Mac 2.0.0: Anti‑malware Compliance
Displays the current Endpoint Protection for Mac 2.0.0 Anti‑malware version compliance.

EPM: Endpoint Protection for Mac 2.0.0: Anti‑malware Threats
Displays a line chart of the number of internal virus detections.

EPM: Endpoint Protection for Mac 2.0.0: Anti‑malware Version
Displays client versions for Endpoint Protection for Mac 2.0.0: Anti‑malware.

EPM: Endpoint Protection for Mac 2.0.0: Application Protection Version
Displays client versions for Endpoint Protection for Mac 2.0.0: Application Protection.

Host IPS: Clients Pending Restart
Managed systems where Host IPS is deployed and the installer needs to restart the system.

Host IPS: Count of Firewall Client Rules
Number of firewall client rules created over time.

Run a query

Run queries to generate reports based on EPM data.

Task

1 Log on to ePolicy Orchestrator as an administrator.

2 Click Menu | Reporting | Queries & Reports.

3 From Shared Groups in the Groups pane, select the group.

4 Select a query from the Queries list, then click Actions | Run.

5 Click the item in the results list to view the details.
