
Product Guide

McAfee Endpoint Security for Mac 10.2.0

COPYRIGHT

© 2016 Intel Corporation

TRADEMARK ATTRIBUTIONS

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee ActiveProtection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Preface
    About this guide
        Audience
        Conventions
    Find product documentation

1 Introduction
    Why you need security for Mac
    How McAfee Endpoint Security for Mac protects your system
        Threat Prevention
        Firewall
        Web Control
    Product features

Protecting your standalone Mac

2 Installing the software on a standalone Mac
    Hardware and software requirements
    Install the software
        Install the software using wizard
        Install the software from the command line (silent installation)
    Test the installation
        Test the Threat Prevention feature
        Test the Firewall feature
        Test the Web Control feature
    Upgrading the software
        Supported upgrades on a standalone Mac
    Default settings
    Recommended post-installation tasks
    Uninstall the software from a standalone Mac

3 Using the software on a standalone Mac
    Security status
    View your Mac security status
    Recent events summary
    View event log
    Remove event log
    View the quarantined items
    Remove or restore the quarantined item
    Update the DAT and Engine
    Run a system scan
    Configure custom scan tasks
        Create a scan task
        Change settings in an existing scan task
        Remove an existing scan schedule

4 Configuring protection settings on a standalone Mac
    General protection options
        Enable or disable protection features
    Threat Prevention
        How Threat Prevention works
        Types of scan
        Configure on-access scan preferences
        Configure on-demand scan preferences
        Exclude files or directories from scanning
        Best practices for Threat Prevention
    Firewall
        How stateful filtering works
        How regular mode firewall protection works
        How Adaptive mode firewall protection works
        How DNS blocking works
        How stateful FTP inspection works
        How Firewall rules work
        How firewall rules are organized
        Create a Firewall rule
        Firewall rules examples
        Best practices for Firewall
    Web Control
        How Web Control works
        How safety ratings are compiled
        Color-coded buttons
        Color icons
        Site safety report
        Site rating action
        Blocking sites based on the content category
        Block and Allow List
        Configure Web Control on a standalone Mac
    Configure an update schedule
        Configure the repository list
        Configure proxy settings
        Configure the DAT update schedule
    Debug logging
        Enable or disable debug logging

5 Troubleshooting
    Run the repairMSC utility

Protecting your managed Mac

6 Installing the software on a Mac managed with McAfee ePO
    System requirements
    Check in the package to the McAfee ePO server
        Check in the package using Software Manager
        Check in the package manually
    Install the extensions on the McAfee ePO server
        Install the extensions using Software Manager
        Install the extensions manually
    Install the client software on a managed Mac using the installation URL
        Create an installation URL
        Install the software with an installation URL on a managed Mac
    Deploy the software from McAfee ePO
    Test the installation
    Remove the software from a managed Mac
        Remove the software extensions
        Remove the software

7 Installing the software on a Mac managed with McAfee ePO Cloud
    McAfee ePO Cloud components
    System requirements
    Accessing the McAfee ePO Cloud account
    Install the client software on a managed systems using the installation URL
        Create an installation URL
        Install the software with an installation URL
    Deploy the client software from McAfee ePO Cloud

8 Managing the software with McAfee ePO and McAfee ePO Cloud
    Using Endpoint Security extensions as common extensions
    Manage policies
        Create or modify policies
        Assign policies
        Monitor the McAfee Agent status
    Common policy
        Configuring client interface access
        Preventing client software uninstallation
        Self Protection
        Configuring debug logging
        Default Client Update
        Configure the Common policy
    Threat Prevention policy
        Configure On-Access Scan policy
        Configure On-Demand Scan policy (Full Scan)
        Configure an On-Demand Scan policy (Quick Scan)
        Exclude files or directories from scanning
        Schedule a full or quick scan on managed Mac
        Schedule a custom on-demand scan
        Schedule the DAT update
    Firewall policy
        Configure a firewall rules policy
        Configure a Firewall Options policy
        Configure location awareness options
        Configure DNS blocking options
    Web Control policy
        Enable or disable Web Control
        Configure site rating actions
        Configuring actions for unverified sites
        Define Block and Allow List
        Configure browser events
        Configure Web Control Options policy
    Queries and reports
        Queries for Threat Prevention
        Queries for Firewall
        Queries for Web Control
        Other queries

Index

Preface

This guide provides the information you need to work with your McAfee product.

Contents

• About this guide
• Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

• Users — People who use the computer where the software is running and can access some or all of its features.

Conventions

This guide uses these typographical conventions and icons.

Italic Title of a book, chapter, or topic; a new term; emphasis

Bold Text that is emphasized

Monospace Commands and other text that the user types; a code sample; a displayed message

Narrow Bold Words from the product interface like options, menus, buttons, and dialog boxes

Hypertext blue A link to a topic or to an external website

Note: Extra information to emphasize a point, remind the reader of something, or provide an alternative method

Tip: Best practice information

Caution: Important advice to protect your computer system, software installation, network, business, or data

Warning: Critical advice to prevent bodily harm when using a hardware product


Find product documentation

On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.

Task

1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.

2 In the Knowledge Base pane under Content Source, click Product Documentation.

3 Select a product and version, then click Search to display a list of documents.


1 Introduction

McAfee® Endpoint Security for Mac is a comprehensive security solution that protects your Mac and minimizes the risk of exposure to threats.

You can use the software on standalone and managed Mac systems.

• For a standalone Mac — You or your Mac administrator can install the software and configure settings using the interface.

• For a managed Mac — Your system administrator sets up and configures security policies using these servers.

• McAfee® ePolicy Orchestrator® (McAfee ePO™)

• McAfee® ePolicy Orchestrator® Cloud (McAfee ePO™ Cloud)

Contents

• Why you need security for Mac
• How McAfee Endpoint Security for Mac protects your system
• Product features

Why you need security for Mac

Running systems without protection might result in a security breach such as data loss, misuse of personal and business information, and system disorder.

New products and technologies broaden opportunities for new security threats and challenges. The motive behind these threats is to disrupt or spy on your system, or to destroy the data and the system functionality completely.

The targeted security threats devised by cyber criminals and hackers are evolving consistently, and the risk is increasing with them. Analyst reports say that the overall number of malware samples has reached more than 450 million, which underlines the importance of securing your Mac from these threats.

The threats and reported vulnerabilities that can harm your Mac are:

Threat category Potential threat

Malware Directs the user to access malicious items that can infect the Mac.

Examples: Flashback Trojan, Fake AV

Spyware Tracks every key you type to access sensitive information, such as user name and password and other personal details.

Example: Keyloggers

Botnet breakdowns Infects your system or network and controls it remotely to spread malware.


Network threat Slows down network performance and gains unauthorized access to systems.

Web-based threats Infects your Mac when you access malicious sites.

Based on the modules that you have installed and enabled, McAfee Endpoint Security for Mac protects your Mac from malware, network threats, and web-based threats.

How McAfee Endpoint Security for Mac protects your system

The software provides a security mechanism that protects your system from malware attacks and minimizes the risk of exposing your systems to threats.

The protection includes Threat Prevention, Firewall, and Web Control, based on the modules you have selected during the software installation.

Threat Prevention

The Threat Prevention module protects your Mac from malware proactively, taking predefined actions when it detects malware and suspicious items.

When enabled, Threat Prevention checks for viruses, trojans, unwanted programs, and other threats by scanning items. The software scans files and folders on local volumes, network-mounted volumes, and removable media whenever you create or access them. You can also run scans on demand.

The software uses the latest anti-malware engine that:

• Performs complex analysis using the malware definition files (DAT).

• Decodes the contents of the item you access.

• Compares them with the known signatures stored in the DAT files to identify malware.

In addition, McAfee® Global Threat Intelligence™ (McAfee GTI) (heuristic network check for suspicious files) looks for suspicious files and programs running on client systems that Threat Prevention protects.

The system must have an Internet connection to access McAfee GTI.

Firewall

The Firewall module filters incoming and outgoing network traffic, to allow or block traffic as defined in the rules. Each rule defines a set of conditions that the network traffic must meet and executes the rule's associated action.

Stateful filtering and packet inspection identify data packets for different types of connections and hold the connection attributes in memory until the end of the session. When the first data packet of a new session arrives, Firewall matches the packet against the rules list. If the data packet matches an existing allow rule, a new entry is added to the state table and the traffic is allowed, and its subsequent packets are allowed without further verification for that session. When the session is completed or timed out, the entry is removed from the table.

If the data packet does not match existing rules, Firewall blocks the network traffic.

You can run Firewall protection in two ways:


• Regular mode — When the network packet adheres to a rule’s condition, the associated action defined in the rule is executed. If no matching rule is found, the network packet is blocked.

• Adaptive mode — When the network packet matches a rule’s conditions, the associated action defined in the rule is executed. If no matching rule is found, the packet is allowed and a rule is created to allow similar packets later.

Controlled network access protection permits the Mac to access only authorized networks, minimizing the risk from network threats.
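The first-packet rule lookup, the state table, and the difference between Regular and Adaptive mode described above can be modeled in a few lines of Python. This is an added illustration, not McAfee code; the rule fields, first-match ordering, idle timeout, and sample packets are assumptions.

```python
# Added illustration, not McAfee code. Rule fields, first-match ordering,
# the idle timeout and the sample packets are assumptions (constructed).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "out" = leaving the Mac, "in" = arriving
    fin: bool = False   # constructed flag: this packet completes the session


@dataclass
class Rule:
    action: str             # "allow" or "block"
    proto: str
    direction: str
    remote_net: str         # CIDR of the remote peer
    dport: Optional[int]    # destination port of the first packet; None = any
    learned: bool = False   # True when Adaptive mode created the rule

    def matches(self, pkt: Packet) -> bool:
        remote = pkt.dst if pkt.direction == "out" else pkt.src
        return (self.proto == pkt.proto
                and self.direction == pkt.direction
                and ip_address(remote) in ip_network(self.remote_net)
                and self.dport in (None, pkt.dport))


def session_key(pkt: Packet):
    """One key for both directions of a connection."""
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))


class Firewall:
    def __init__(self, rules, mode="regular", idle_timeout=60):
        self.rules = list(rules)    # checked top-down, first match wins
        self.mode = mode            # "regular" or "adaptive"
        self.idle_timeout = idle_timeout
        self.state = {}             # session key -> time of last packet

    def process(self, pkt: Packet, now: float) -> str:
        # Timed-out sessions lose their state entry.
        self.state = {k: t for k, t in self.state.items()
                      if now - t <= self.idle_timeout}
        key = session_key(pkt)
        if key in self.state:
            # Known session: allowed without consulting the rules again.
            if pkt.fin:
                del self.state[key]     # session completed
            else:
                self.state[key] = now
            return "allow:state"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.state[key] = now
                return f"{rule.action}:rule"
        if self.mode == "adaptive":
            # No rule matched: allow, and learn a rule for similar packets.
            remote = pkt.dst if pkt.direction == "out" else pkt.src
            self.rules.append(Rule("allow", pkt.proto, pkt.direction,
                                   str(ip_network(remote)), pkt.dport, True))
            self.state[key] = now
            return "allow:learned"
        return "block:no-rule"          # Regular mode default


# Constructed sample rule and packets (documentation address ranges).
WEB = ("allow", "tcp", "out", "198.51.100.0/24", 443)
OUT = Packet("tcp", "10.0.0.5", 50000, "198.51.100.7", 443, "out")
REPLY = Packet("tcp", "198.51.100.7", 443, "10.0.0.5", 50000, "in")
REPLY_FIN = Packet("tcp", "198.51.100.7", 443, "10.0.0.5", 50000, "in", fin=True)
STRAY = Packet("tcp", "203.0.113.9", 4444, "10.0.0.5", 22, "in")
STRAY2 = Packet("tcp", "203.0.113.9", 5555, "10.0.0.5", 22, "in")


def run_regular():
    fw = Firewall([Rule(*WEB)], mode="regular")
    steps = [(OUT, 0), (REPLY, 1), (REPLY_FIN, 2), (REPLY, 3), (STRAY, 4)]
    return [fw.process(p, t) for p, t in steps]


def run_adaptive():
    fw = Firewall([Rule(*WEB)], mode="adaptive")
    verdicts = [fw.process(STRAY, 0), fw.process(STRAY2, 1)]
    return verdicts, [r for r in fw.rules if r.learned]


if __name__ == "__main__":
    print(run_regular())
    print(run_adaptive())
```

In the Adaptive run, the unsolicited inbound packet is allowed and leaves a learned allow rule behind that also admits the next connection from the same peer, so learned rules are worth reviewing before they are kept.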

Web Control

Web Control protects your Mac from online threats, called web-based threats, when you browse sites.

The software monitors each site that you access or browse, validates its safety ratings, and allows or blocks the site according to the configuration.

Web Control provides safety ratings at two levels. In the browser, the software:

• Displays a safety rating icon for each site that the search engine lists

The software supports only the Google search engine.

• Displays a safety rating button for each site

The default setting blocks access to malicious sites that can harm your Mac.

Product features

This release of the software includes these features.

Threat Prevention

• On-Access Scan — Scans files and directories for threats whenever users access them.

• On-Demand Scan — Schedules a scan on files and directories at specific times. Each on-demand scan contains its own policy settings. You can also run Full Scan or Quick Scan on a Mac.

• McAfee GTI — Supports McAfee GTI, a heuristic network lookup for suspicious files for on-access and on-demand scanning.

• Policy-Based On-Demand Scan client tasks — Run a Quick Scan or Full Scan on the Endpoint Security Client from McAfee ePO. Configure the behavior of these scans in the policy settings for On-Demand Scan.

• 5800 Engine support — Pre-packaged with the latest 5800 engine that provides enhanced detection capabilities.

• Product Update client tasks — Update the engine and content files automatically from the McAfee download website.

• Extra.DAT files — Download and install Extra.DAT files to provide protection from a major virus outbreak.

• Scheduled tasks — Modify client tasks (such as Product Update) and scan times to improve performance by running them during non-peak times.

• Content repositories — Reduce network traffic over the enterprise Internet or intranet by moving the content file repository closer to the clients.


• Scan policies — Analyze log files or queries and modify policies to increase performance or virus protection, if necessary. For example, you can improve performance by configuring exclusions.

• Additional options when scheduling on-demand scans — Allows you to run an on-demand scan when the system is idle or not running on battery power.

• Exclusion of files and directories from scanning — Excludes specific files and directories from on-access scanning and on-demand scanning using criteria such as file type, extension, file age, or wildcards.

• Option to scan network volumes, compressed files, and Apple emails — Exclude or include mounted network volumes, compressed files, and Apple emails from scanning.

• Option to retain client-side exclusions — Overwrites or retains the client exclusion list for on-access scanning in a managed environment.

Firewall

• Regular mode — Executes the associated action defined in the rule, when the network packet adheres to a rule's condition. If no matching rule is found, the network packet is blocked.

• Adaptive mode — Executes the associated action defined in the rule, when the network packet adheres to a rule's condition. If no matching rule is found, the network packet is allowed and a rule is created to allow similar packets later.

• Stateful firewall — Validates each packet for different connections against predefined rules, holding the connection attributes in memory from beginning to end.

• Domain Name System (DNS) blocking — Blocks access to networks that can include unwanted domains.

• Defined networks — Define networks including subnets, ranges, or a single IP address that can be used while creating firewall rules. You can also configure Firewall to trust networks.

• Stateful FTP inspection — Creates dynamic rules automatically for FTP data connections, by actively monitoring the FTP commands on the control channel.

• Location awareness — Create separate rules for locations, such as office or home network.

• Management of rules — Create and manage rules using rule groups.

• Firewall events — Send Allow and Block events to McAfee® ePolicy Orchestrator® (McAfee ePO™).

Web Control

• Support for Google Chrome browser — Protects your Mac from web-based threats, when you browse sites using the Google Chrome browser.

• Safety ratings button — Displays the safety rating in the upper-left corner of the browser when you access the site. The color of the button indicates the risk associated with the site.

The software supports Safari 7.1 and later, 8.0 and later, and 9.0 and later, and Google Chrome 49 and later browser versions.

• Search Annotation — Displays the safety rating icon next to each site listed by the search engine. The color of the icon indicates the risk associated with the site.

The software supports only the Google search engine.

• Web category blocking — Configure access to sites based on their content type.

• Block and Allow List — Create a list of sites to allow or block based on URLs and domains.


• Block phishing pages — Block access to phishing sites.

• Logging events — Monitor and regulate browser activity and log events for:

• Sites configured in the Block and Allow List

• Web categories for green-rated sites

• Red or yellow-rated site visits

Common Policy

• Self Protection — Protects the security software files and folders from malware and from being changed or deleted.

• Password protection for client interface — Configure different access levels for users as needed. You can also prevent users from changing the protection preferences.

• Password protection for uninstallation — Set password protection for the client software to prevent removal of the software from the Mac.

General

• Common extensions to manage Windows, Macintosh, and Linux systems — Use McAfee® Endpoint Security extensions as common extensions to manage policies for your Windows, Mac, and Linux systems.

• Common McAfee ePO Dashboard and queries — Use the McAfee ePO dashboard to view the status of managed Mac and Windows systems.

• Turn off protection using the command-line option during product deployment — You can disable Threat Prevention and Firewall protection using the command-line option from the McAfee ePO server when deploying the software on managed Mac systems. For more information about using the command-line option, see McAfee KnowledgeBase article KB85505.

• Support for McAfee® ePolicy Orchestrator® Cloud (McAfee ePO™ Cloud) — Support for McAfee ePO Cloud to manage policies for your Mac.

• Option to select protection modules — You can install one or all protection modules on a standalone Mac as needed.

• McAfee® Agent status monitor — Displays information, and initiates communication with McAfee ePO manually from the managed system.

• Menulet for easy access of the software interface — Easy access to the user interface by clicking the McAfee menulet from the status bar.

• Enable debug logging from client interface — Enable debug logging for the modules that you have installed using the client interface.


Protecting your standalone Mac

Install the software, analyze the default settings, and configure protection preferences for your standalone Mac.

Chapter 2 Installing the software on a standalone Mac
Chapter 3 Using the software on a standalone Mac
Chapter 4 Configuring protection settings on a standalone Mac
Chapter 5 Troubleshooting


2 Installing the software on a standalone Mac

Install the software on a standalone Mac using the wizard or from the command line.

Contents

• Hardware and software requirements
• Install the software
• Test the installation
• Upgrading the software
• Default settings
• Recommended post-installation tasks
• Uninstall the software from a standalone Mac

Hardware and software requirements

Make sure that your standalone Mac meets these requirements for successful installation.

Component Requirement

Hardware Mac that can run the supported operating system configuration.

Operating system • El Capitan 10.11.x (client and server)

If you are using McAfee® Agent 5.x on your Mac, you must upgrade it to McAfee Agent 5.0.2 with Hotfix HF1085179 before upgrading the operating system to El Capitan. Otherwise, the communication between the McAfee® ePolicy Orchestrator® (McAfee ePO™) server and the Mac fails, and you would be unable to manage the Mac from the McAfee ePO server. For more information about the McAfee Agent 5.0.2 known issues with El Capitan, see McAfee KnowledgeBase article KB83895.

• Yosemite 10.10.x (client and server)

• Mavericks 10.9.x (client and server)

Browser Safari 7.1.x, 8.0.x, and 9.0.x.

Google Chrome 49 and later.


Install the software

Install the software on a standalone Mac using the wizard or the command line.

Before you begin

McAfee Endpoint Security for Mac doesn't support the co-existence of competitor's software on the Mac. You must uninstall competitor's software from the system before installation.

Tasks

• Install the software using wizard
  The wizard guides you through the steps to install the software on your standalone Mac.

• Install the software from the command line (silent installation)
  You can use the command line to install the software without user intervention.

Install the software using wizard

The wizard guides you through the steps to install the software on your standalone Mac.

Task

1 Download McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.dmg to a temporary location on your Mac, then double-click it to mount.

2 Double-click McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.pkg to open the wizard.

During the installation, the installer prompts you to select modules for installation. You can select one or multiple modules. To install a module later, you must start the installation wizard. If the modules are grayed out, it indicates that the installer has detected the competitor software on your Mac. You must uninstall it before installing the module. For more information, see McAfee KnowledgeBase article KB78192.

3 Follow the prompts to install the software.

To re-install a module that you have already installed, you must start the installation wizard, then select the module as needed. When you re-install the module, the protection settings that you configured previously are retained.

Install the software from the command line (silent installation)

You can use the command line to install the software without user intervention.

Task

1 Download McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.dmg to a temporary location on your Mac, then double-click it to mount McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.pkg.

2 Copy the McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.pkg file to a temporary location on your Mac.

3 Open a Terminal window and change the working directory to the one where you saved the McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.pkg file.


4 Type the following command, then press return.

sudo installer -pkg McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.pkg -target /

5 Type the administrator password, then press return. The following message appears.

The Install was successful.

To install an individual protection module using the command line, see McAfee KnowledgeBase article KB84772.

Test the installation
Test the software to make sure that it is installed properly and can protect your Mac.

Tasks
• Test the Threat Prevention feature
  Access the EICAR standard anti-virus test file to test the Threat Prevention feature.

• Test the Firewall feature
  Test the Firewall feature by creating a rule. Consider a scenario where you want to create an allow rule for www.intelsecurity.com.

• Test the Web Control feature
  Make sure that the Web Control extension is added to the Safari browser, and appropriate rating appears for sites.

Test the Threat Prevention feature
Access the EICAR standard anti-virus test file to test the Threat Prevention feature.

This file is the combined effort by anti-virus vendors to implement one standard that customers can use to validate the anti-virus software.

Task
1 Go to the EICAR website http://www.eicar.org.

2 Click DOWNLOAD ANTI MALWARE TESTFILE, then click DOWNLOAD.

3 From the Download area using the standard protocol http section, click the file eicar.com.txt.

For the test to be successful, McAfee Endpoint Security for Mac displays a notification, "1 detection(s) found on your system.", with the relevant details.

Test the Firewall feature
Test the Firewall feature by creating a rule. Consider a scenario where you want to create an allow rule for www.intelsecurity.com.

Task
1 Click the McAfee menulet on the status bar, then select Preferences.

2 Click Firewall.

3 Click , type the administrator password, then click OK.

4 Select Regular Mode.


5 Click in the bottom left corner of the console to create a firewall rule.

a Type a name for the rule in the Rule Name text box.

b Select Enabled from the Status drop-down list.

c Select Allow from the Action drop-down list.

d Select Outgoing from the Direction drop-down list.

6 In the Network Protocol (IPv4) section:

a Select Any Local IP Address for Local.

b Click , select Fully Qualified Domain Name for Remote, then type the Domain Name.

7 In the Transport Protocol section, select All Protocols.

8 Open the browser, type the website name, then press return.

Test the Web Control feature
Make sure that the Web Control extension is added to the Safari browser, and appropriate rating appears for sites.

Tasks
• Verify the extension installation
  Make sure that the Web Control extension is added to the Safari browser.

• Test the site rating feature
  Make sure that the Web Control feature displays the appropriate rating for sites.

Verify the extension installation
Make sure that the Web Control extension is added to the Safari browser.

Task
1 Start the Safari browser.

2 On the Menu bar, click Safari, then select Preferences.

3 In the Extension dialog box, you can see McAfee Web Control 10.1 with Enable Web Control selected.

Test the site rating feature
Make sure that the Web Control feature displays the appropriate rating for sites.

Before you begin
You must have enabled Web Control in Preferences.

Task
1 Start the Safari browser.

2 In the address bar, type www.intelsecurity.com, then press return.

3 You must see the Green rating at the top left of the browser page.


Upgrading the software
McAfee Endpoint Security for Mac supports upgrading the software and migrating the configuration from the previous versions of the software.

Supported upgrades on a standalone Mac
McAfee Endpoint Security for Mac supports upgrading the software and migrating the preferences from the previous versions of the software.

You can upgrade the software from:

• McAfee® Endpoint Protection for Mac 2.3.0

• McAfee Endpoint Security for Mac 10.x

• McAfee® VirusScan™ for Mac 9.8.0

Upgrading from McAfee Endpoint Protection for Mac 2.3.0

When you upgrade the software, the respective preferences are migrated according to the modules you select.

When you upgrade the software from the previous version, the existing software is removed completely but the preferences for all modules are saved. When you install a module, the respective preferences are migrated.

For example:

If you select...      Migrated preferences...
Threat Prevention     Anti-malware
Firewall              Desktop Firewall
Web Control           None

Since the Application Protection module is not part of McAfee Endpoint Security for Mac, the Application Protection preferences are migrated only when you install the McAfee® Application Protection 2.3.0 software. For more information, see the McAfee Application Protection product guide.

When you migrate the preferences from McAfee Endpoint Protection for Mac or McAfee VirusScan for Mac, the Quarantine scan action is migrated to Delete, and the Notify scan action is migrated to Deny.

Upgrading from McAfee Endpoint Security for Mac 10.x

When you upgrade the software, the respective existing preferences are migrated according to the module you select. For example:

If you select...      Migrated preferences...
Threat Prevention     Threat Prevention
Firewall              Firewall
Web Control           Web Control

Upgrading from McAfee VirusScan for Mac 9.8.0

When you upgrade the software, the existing anti-malware preferences are migrated.


Upgrade the software on a standalone Mac
You can upgrade the software and migrate the existing configuration settings.

Before you begin
Before upgrading the software, make sure that your system meets all requirements.

Task
1 Install the software using the wizard.

For more information, see Install the software using wizard.

2 Make sure that all existing preferences are migrated to the new version.

Default settings
Once installed, McAfee Endpoint Security for Mac starts protecting the Mac immediately based on the default configurations defined. Refer to these default settings, and configure them for your environment.

General

Feature              Default settings
Threat Prevention    Enabled
Firewall             Enabled
Web Control          Enabled


Threat Prevention

Feature: Threat Prevention
Default settings:

On-Access Scan:
• Scan files while — Write
• Maximum scan time for a file — 45 seconds
• When a virus is found — Clean
• If clean fails — Delete
• When a spyware is found — Clean
• If clean fails — Delete
• Enable McAfee GTI — Enabled
• Sensitivity Level — Medium

Also scan:
• Archives & Compressed Files — Disabled
• Apple Mail messages — Disabled
• Network Volumes — Disabled

On-Demand Scan:
• When a virus is found — Clean
• If clean fails — Delete
• When a spyware is found — Clean
• If clean fails — Delete
• Enable McAfee GTI — Enabled
• Sensitivity Level — Medium
• Archives & Compressed Files — Enabled
• Apple Mail messages — Enabled
• Network Volumes — Disabled
• Scheduled Scan Option
  • Scan only when the system is idle — Enabled
  • Do not scan when the system is on battery power — Enabled

Exclusions — None

Firewall

Feature: Firewall
Default settings:
• Regular Mode — Enabled


Web Control

Feature: Web Control
Default settings:
• Rating Actions for Sites
  • Red — Block
  • Yellow — Warn
  • Unrated — Allow
  • Unverified — Allow
• Enable Web Category Blocking — Enabled
• Block and Allow List — None

Update

Feature: Update
Default settings:

In Repository List
• Repository Name — McAfeeHttp, McAfeeFtp

In Proxy Settings
• Proxy settings — Configure proxy settings manually

In Schedule
• Schedule — Daily at 4:45 PM (local time)

Logging

Feature: Logging
Default settings:

In Enable Debug Logging
• Threat Prevention — Disabled
• Firewall — Disabled
• Web Control — Disabled


Recommended post-installation tasks
Perform these tasks to make sure that the protection configuration does not affect the business routines.

Task: Update the content files
Description: After installation, McAfee Endpoint Security for Mac automatically updates the content files to protect the Mac from the latest threats. By default, this update is scheduled at 4:45 PM local time every day. When the files are updated for the first time, it might take longer to download the full content. The subsequent updates will be incremental.

You can view the content files last update details in the Console page.

Task: Perform an on-demand scan
Description: After you install the software, run an on-demand scan of the local volumes to clean infected files that reside in the Mac but have not been accessed.

Configure the On-Demand Scan task to define:
• The items to scan (files, folders, and drives)
• The frequency of the scan (daily, weekly, monthly, or immediately)
• The action when malware is found (Delete or Clean)

Task: Threat Prevention
Description: McAfee Endpoint Security for Mac comes with the default settings. Verify that the default settings are consistent with your organization policies and provide complete protection against malware.

Task: Firewall
Description: McAfee Endpoint Security for Mac comes with the stateful Firewall enabled, which protects your Mac from the moment the product is installed. The firewall comes with a set of default rules that enable your Mac to access the necessary services. We recommend that you review the default rules to make sure that your Mac can access the necessary services according to your organization policies.

The rules are processed using a top-down approach with the implicit default block rule that denies all traffic. This rule can't be modified.

Task: Web Control
Description: Review the default Web Control settings and update the Block and Allow List in such a way that you can access business-critical sites and block unwanted sites.

The Block and Allow List overrides other settings such as Enable Web Category Blocking and Rating Actions for Sites.

Uninstall the software from a standalone Mac
You can uninstall the software or specific modules from a Mac using the command line.

Before you begin
You must have administrator rights to uninstall the software.


Task
1 Open a Terminal window.

2 Type the following command, then press return.

To remove...               Use this command...
All modules                sudo /usr/local/McAfee/uninstall EPM
Threat Prevention module   sudo /usr/local/McAfee/uninstall ThreatPrevention
Firewall module            sudo /usr/local/McAfee/uninstall Firewall
Web Control module         sudo /usr/local/McAfee/uninstall WebControl

The uninstallation command is case sensitive.

3 Type the administrator password when prompted.

When Uninstallation is enabled in Endpoint Security Common policy, uninstalling the software using the command line prompts you to type the password set by your McAfee ePO server administrator.

When the software is uninstalled, the following message appears:

Product has been uninstalled successfully.

When you uninstall the software, the McAfee Agent is not uninstalled from the system. This is because it might be used by other products. Refer to the product guide of your McAfee Agent version for more information.


3 Using the software on a standalone Mac

Access the McAfee Endpoint Security for Mac Console page to view your Mac security status and events details.

You can also view the quarantined items, configure scan schedules, and update the DAT and engine.

Contents
• Security status
• View your Mac security status
• Recent events summary
• View event log
• Remove event log
• View the quarantined items
• Remove or restore the quarantined item
• Update the DAT and Engine
• Run a system scan
• Configure custom scan tasks

Security status
View the security status and the protection features that are enabled or disabled on your Mac.

Use the dashboard to know the status of:

• Threat Prevention

• Firewall

• Web Control

View your Mac security status
The Status page displays the security status of your Mac, the protection modules installed, and their status.

You can view recent events summary and the last successful DAT or Engine update time.

The events that appear in the Status page are read-only.

To view your Mac security status and the protection modules installed:

Task
• Click the McAfee menulet on the status bar, then select Console | Status.

The Status page also displays the protection modules that are installed on your Mac and their status.


Recent events summary
You can view a summary of the five most recent events in the Status page.

The events summary includes:

• Details of malware detected from on-access scan.

• Status of scan task with number of malware detected from on-demand scan.

• Threat Prevention update status with DAT version details.

Recent events displays only the summary of events. To view the complete details of events, navigate to the Event Log page, then double-click the particular event.

View event log
View and analyze event log to understand the software activity information.

The Event Log page displays all events with details for malware detection, scan schedules, and Threat Prevention update.

Task
1 Click the McAfee menulet on the status bar, then select Console.

2 On the console dashboard, click Event Log.

Twenty events are listed per page and you can use arrow keys to navigate through pages.

3 Double-click the event you want to view.

• Threat Prevention Update — Displays the DAT version, engine version, and the status of the update.

• On-Access Scan — Displays the application that accessed the malware, status of detection found, and total number of detections with the details.

• On-Demand Scan — Displays number of files scanned, name and location of infected files, if found, and action taken.

You can sort events based on Event, Type or Date & Time.

Remove event log
Remove event log from the History page.

Task
1 Click the McAfee menulet on the status bar, then select Console.

2 On the console dashboard, click Event Log.

3 Click , type the administrator password, then click OK.

4 Select the event, then click Delete.


5 Click OK to remove the events.

You can't restore the events once you remove them from the list.

6 Click to prevent further changes.

View the quarantined items
The Quarantine feature isolates dangerous or suspicious malware that could harm your Mac otherwise.

Task
1 Click the McAfee menulet on the status bar, then select Console.

2 On the console dashboard, click Quarantine.

The quarantine page displays the original path of items quarantined with date and time of the event.

Remove or restore the quarantined item
The Quarantine page displays the list of quarantined items with the path, date, and time. You can restore the quarantined items, only if you are sure that they are non-malicious items, otherwise you can remove them.

Before you begin
You must have administrator rights to remove or restore the quarantined item from the list.

Before restoring an item, we recommend that you send it to McAfee Labs for testing. To submit a sample to McAfee Labs, see McAfee KnowledgeBase article KB68030.

Task
1 Click the McAfee menulet on the status bar, then select Console.

2 On the console dashboard, click Quarantine.

3 Click , type the administrator password, then click OK.

• To restore, select the quarantined item, click Restore, then click OK to confirm.

• To remove, select the quarantined item, click Delete, then click OK to confirm.

You can't restore the items that are deleted from the quarantined list.

4 Click to prevent further changes.


Update the DAT and Engine
Always keep the DAT and Engine up to date to protect your Mac from the latest threats.

Task
1 Click the McAfee menulet on the status bar, then select Console.

2 On the console dashboard, click Update Now.

3 Click Start Update to initiate the DAT update task.

Upon completion, the update summary appears with the engine version, DAT version, update status, and DAT creation date in the Threat Prevention Update section. You can view the status and details of Threat Prevention update event in the Event Log page.

Run a system scan
Perform an on-demand scan on specific files, directories, and local or network-mounted volumes immediately.

Task
1 Click the McAfee menulet on the status bar, then select Console.

2 On the console, click Scan Now.

3 From the What to scan drop-down list, select items, then click Start Scan.

You can select multiple items by clicking .

Configure custom scan tasks
Schedule and customize scan tasks based on your requirements, to scan specific files, folders, and volumes periodically. You can also modify or remove the existing schedule.

For example, to scan your download folder and music library folder more frequently, you can define a scan schedule for only these two folders.

Tasks
• Create a scan task
  Create scan tasks that automatically run at scheduled periods with the defined parameters.

• Change settings in an existing scan task
  Change an existing scan schedule to add or remove locations or change the date and time.

• Remove an existing scan schedule
  Remove the scan schedule when you no longer need it.


Create a scan task
Create scan tasks that automatically run at scheduled periods with the defined parameters.

Task
1 Click the McAfee menulet on the status bar, then select Console.

2 Click in the bottom left corner.

3 In the Scan Name field, type a name, then click Create.

4 From the What to scan drop-down list, select the items you want to scan. Click or - to remove the location.

• Documents — Scans the user documents folder.

• Desktop — Scans files and folders in desktop.

• Users — Scans the user directory.

• Applications — Scans the applications folders.

• Localhost — Scans the local host.

• Choose — Allows you to select folder or file location to scan.

5 In the When to scan section, select a schedule for the scan task, then click Schedule Scan.

• Immediately — Starts a scan task immediately. If you select to scan items immediately, click Start Scan.

• Once — Scans the defined locations once at the scheduled date and time.

• Daily — Scans the defined locations every day at the scheduled time. You can define the number of occurrences to run the daily scan task or select No End Date to run the schedule without any limit.

• Weekly — Scans the defined locations on a scheduled day and time of every week. You can define the number of occurrences to run the weekly scan task or select No End Date to run the schedule without any limit.

• Monthly — Scans the defined locations on a scheduled date and time of every month. You can define the duration or select No End Date to continue the schedule without any limit.

6 When you see a message that the scan task is scheduled, click OK.

7 Click Schedule Scan.

Change settings in an existing scan task
Change an existing scan schedule to add or remove locations or change the date and time.

Task
1 Click the McAfee menulet on the status bar, then select Console.

2 On the console dashboard under Activity, click the scheduled task you want to modify. The scheduled task displays the Last Scan Time and Next Scan Time.

3 Click Modify Scan, make the needed changes, then click Schedule Scan.


Remove an existing scan schedule
Remove the scan schedule when you no longer need it.

Task
1 Click the McAfee menulet on the status bar, then select Console.

2 On the console dashboard, select an existing scan schedule in the left pane.

3 In the bottom left corner of the console, click to remove the selected item.


4 Configuring protection settings on a standalone Mac

Use Preferences to configure protection settings for the installed modules.

Contents
• General protection options
• Threat Prevention
• Firewall
• Web Control
• Configure an update schedule
• Debug logging

General protection options
Use the General tab options to enable the required protection preferences on your self-managed Mac.

You can enable or disable protection for the modules that you have installed.

• Threat Prevention

• Firewall

• Web Control

Enable or disable protection features
Enable the protection feature as required for your environment.

Task
1 Click the McAfee menulet on the status bar, then select Preferences.

2 On the General tab, click .

3 Type the password when prompted.

4 Enable or disable the protection as required.

5 Click to prevent further changes.


Threat Prevention
Threat Prevention protects your Mac from malware threats.

Configure the Threat Prevention settings to define actions for on-access scanning and on-demand scanning, and to exclude files and paths from scanning.

How Threat Prevention works
Threat Prevention protects your Mac from malware threats and unwanted programs by scanning items on your Mac.

When enabled, the software scans files, folders on local, network-mounted volumes, and removable media whenever you access or create an item.

McAfee Endpoint Security for Mac uses the latest engine that:

• Performs complex analysis using the malware definition files (DATs)

• Decodes the contents of the item you access

• Compares them with the known signatures stored in the DAT files to identify malware

In addition, McAfee GTI (heuristic network check for suspicious files) looks for suspicious files and programs running on client systems that Threat Prevention protects.

Use Threat Prevention preferences to configure actions for on-access scan, on-demand scan, or to exclude files or paths from scanning.

Types of scan
The software scans files on Mac in two ways, on-demand and on-access.

On-access scan — Scans files and folders for malware threats and unwanted programs whenever you access them, and takes actions according to the configuration.

On-demand scan — Scans files and folders for malware threats and unwanted programs at any time or at scheduled time. You can run on-demand scan in two ways.

• Scan all files — Scans files and directories immediately for the locations you have selected in What to Scan.

• Schedule Scan — Scans files and directories configured in What to Scan at the scheduled time.


How on-access scan works
This diagram shows how on-access scan works.

How on-demand scan works
This diagram shows how on-demand scan works.


Configure on-access scan preferences
The on-access scan protects your Mac from threats in real time. It scans for malware whenever an item is read from or written to the hard disk, and takes action according to the configuration.

Task
1 Click the McAfee menulet on the status bar, then select Preferences.

2 On the Threat Prevention tab, click , type the administrator password, then click OK.


3 From the Scan files while drop-down list, select one of these options:

• Read — Scans items when they are read from the hard disk.

• Write — Scans items when they are written to the hard disk.

• Read & Write — Scans items when they are read from or written to the hard disk.

4 In Maximum scan time (in seconds), specify the duration allowed to scan each file.

You can specify a value between 10 and 9999. The default value is 45. When scanning exceeds the defined time, the software stops scanning the file.

5 From the When a virus is found drop-down list, select one of these options:

• Clean — Cleans the item that contains malware. Use the If clean fails drop-down list to select a secondary action (Delete or Deny).

• Delete — Deletes the item that contains malware.

• Deny — Prevents the user from accessing files with detected threats.

Although the software denies access to the file, it still resides in the system.

Whenever you select the primary action as Clean or Delete, the item is quarantined by default.

6 From the When a spyware is found drop-down list, select one of these options:

• Clean — Cleans the item that contains spyware. Use the If clean fails drop-down list to select a secondary action (Deny, Delete, or Allow).

• Delete — Deletes the item that contains spyware.

• Deny — Prevents the user from accessing files with detected threats.

Although the software denies access to the file, it still resides in the system.

• Allow — Allows the user to access files with detected threats.

Whenever you select the primary action as Clean or Delete, the item is quarantined by default.

7 In Also scan, select where you want to enable scanning:

• Archives & Compressed Files

• Apple Mail Messages

• Network Volumes

When these options are selected, McAfee Endpoint Security for Mac detects the threat. But, the primary and secondary actions might vary depending on the options selected.

8 Enable McAfee GTI and define its sensitivity level.

• Very low — The detections and risk of false positives are the same as with regular DAT content files. A detection is made available to Threat Prevention when McAfee Labs publishes it instead of waiting for the next DAT content file update.

• Low — This setting is the minimum recommendation for systems with a strong security footprint.

• Medium — Use this level when the regular risk of exposure to malware is greater than the risk of a false positive. McAfee Labs proprietary, heuristic checks result in detections that are likely to be malware. However, some detections might result in a false positive. With this setting, McAfee Labs checks that popular applications and operating system files don't result in a false positive.


• High — Use this setting for deployment to systems or areas which are regularly infected.

• Very high — Detections found with this level are presumed malicious, but haven't been fully tested to determine if they are false positives. McAfee recommends using this level for systems that require highest security.

9 Click to prevent further changes.

Configure on-demand scan preferences
Schedule an on-demand scan to run immediately, at a scheduled time, or at regular intervals.

Task
1 Click the McAfee menulet on the status bar, then select Preferences.

2 On the Threat Prevention tab, click On-Demand Scan.

3 Click , type the administrator password, then click OK to open the On-Demand Scan page.

4 From the When a virus is found drop-down list, select one of these options:

• Clean — Cleans the item that contains malware. Use the If clean fails drop-down list to select a secondary action (Delete, Continue scanning).

• Delete — Deletes the item that contains malware.

• Continue Scanning — Continues scanning when a threat is detected.

The detected threat still resides in the Mac.

5 From the When a spyware is found drop-down list, select one of these options:

• Clean — Cleans the item that contains spyware. Use the If clean fails drop-down list to select a secondary action (Delete, Continue scanning).

• Delete — Deletes the item that contains spyware.

• Continue scanning — Continues scanning when a threat is detected.

The detected threat still resides in the Mac.

6 Enable McAfee GTI and define its sensitivity level.

• Very low — The detections and risk of false positives are the same as with regular DAT content files. A detection is made available to Threat Prevention when McAfee Labs publishes it instead of waiting for the next DAT content file update.

• Low — This setting is the minimum recommendation for systems with a strong security footprint.

• Medium — Use this level when the regular risk of exposure to malware is greater than the risk of a false positive. McAfee Labs proprietary, heuristic checks result in detections that are likely to be malware. However, some detections might result in a false positive. With this setting, McAfee Labs checks that popular applications and operating system files don't result in a false positive.

• High — Use this setting for deployment to systems or areas which are regularly infected.

• Very high — Detections found with this level are presumed malicious, but haven't been fully tested to determine if they are false positives. McAfee recommends using this level for systems that require highest security.


7 In Also scan, select where you want to enable scanning:

• Archives & Compressed Files

• Apple Mail Messages

• Network Volumes

8 In the Scheduled Scan Options, select one of these options:

• Scan only when the system is idle

• Scan anytime

• Do not scan when the system is on battery power

9 Click to prevent further changes.

For information about creating a scan task, see Create a scan task.

Exclude files or directories from scanning
Exclude files and folder paths from an on-access scan or on-demand scan.

Task
1 Click the McAfee menulet on the status bar, then select Preferences.

2 Click Threat Prevention, then click Exclusions.

3 Click , type the administrator password, then click OK.

4 Click in the bottom left corner.

5 Select the path of the required files and folders, then click Open.

6 Select or deselect the On-Access Scan and On-Demand Scan options as needed.

• Double-click an item to change the name or path that appears in the exclusion list.

• Use regular expressions to exclude items from scanning. For example, to exclude all files in the desktop from scanning, specify the path as /Users/user/Desktop/*

• To remove the item from the exclusions list, select it, then click in the bottom left corner of the page (or press fn+delete).

If you deselect the On-Access Scan and On-Demand Scan options for a path added to the exclusion list, the path is removed from the exclusion list immediately.

7 Click to prevent further changes.

Best practices for Threat Prevention

This section describes the best practices to define the preferences for scheduling an on-access scan and an on-demand scan.

On-access scan preferences

• Always enable On-Access Scan because it checks every file the user accesses, and detects malware before it runs.

• Enable the scan option for the Network Volumes when needed, to scan files copied from or written to any network volumes.

On-demand scan preferences

• Always enable the scan for Archives & Compressed Files while performing an on-demand scan. This is recommended if you disabled the scanning option for these files.

On-demand scan schedule

• Schedule an on-demand scan during non-peak hours (for example, during weekends or a maintenance period).

• When scheduling an on-demand scan for the first time, schedule a full on-demand scan of your entire hard disk.

Exclusions

You can add regular expressions that match required patterns to exclude multiple files and folders from being scanned.

Here are some recommended exclusions:

• Microsoft Outlook database files

• Thunderbird database files

• Encrypted files

• Generic plist files such as Info.plist or version.plist for on-access scanning

Here are some recommended exclusion examples using wildcards:

• To exclude files with the extension mdb, use *.mdb

• To exclude each user's Outlook Database files of different Microsoft Office versions, use /Users/*/Documents/Microsoft\ User\ Data/Office\ *\ Identities/*\ Identity/*

• To exclude all Info.plist under /Applications, use /Applications/*/Contents/Info.plist

• To exclude all version.plist under /Applications, use /Applications/*/Contents/version.plist

• To exclude files with the extensions jar, rar, or war under /private/var/tmp, use /private/var/tmp/*.?ar
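To review what a wildcard exclusion covers before adding it, the added sketch below (not McAfee code) evaluates three of the patterns above against a constructed file listing. It assumes shell-style matching in which * and ? do not cross /, a backslash escapes the next character, and a pattern without / is compared to the file name only; the product's own matcher may behave differently.

```python
import re


def compile_exclusion(pattern):
    """Compile one exclusion pattern into a regular expression.

    Assumed semantics (not taken from the product): '*' and '?' behave like
    shell wildcards and never match '/', and a backslash escapes the next
    character, as in 'Microsoft\\ User\\ Data'.
    """
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if ch == "*":
            parts.append("[^/]*")
        elif ch == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("".join(parts) + r"\Z")


def is_excluded(path, pattern):
    """Patterns containing '/' are matched against the full path; bare
    patterns such as '*.mdb' are matched against the file name (assumption)."""
    target = path if "/" in pattern else path.rsplit("/", 1)[-1]
    return compile_exclusion(pattern).match(target) is not None


def audit(patterns, paths):
    """Return {pattern: [paths it would exclude]} for review."""
    return {p: [f for f in paths if is_excluded(f, p)] for p in patterns}


# Patterns quoted from the guide's wildcard examples.
PATTERNS = [
    "*.mdb",
    "/Applications/*/Contents/Info.plist",
    "/private/var/tmp/*.?ar",
]

# Constructed file listing, for illustration only.
SAMPLE_PATHS = [
    "/Users/alice/Documents/inventory.mdb",
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Tool.app/Contents/Helpers/Agent.app/Contents/Info.plist",
    "/private/var/tmp/build.jar",
    "/private/var/tmp/backup.tar",
    "/private/var/tmp/cache/nested.war",
]

if __name__ == "__main__":
    for pattern, hits in audit(PATTERNS, SAMPLE_PATHS).items():
        print(pattern)
        for hit in hits:
            print("   excludes", hit)
```

Under these assumptions the ?ar pattern also covers backup.tar, and the Info.plist pattern does not reach a bundle nested inside an application, so review the result of each pattern rather than its intent.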

Firewall

The Firewall component provides a scalable solution to protect your Mac from unauthorized network traffic.

The firewall comes with a stateful engine that provides flexibility in defining allowed network traffic for your Mac. You can define rules based on various traffic parameters and group them for easier management.

The Firewall component has these features:

• Stateful filtering — The stateful filtering and network packet inspection validate each packet for different connections against predefined rules, holding the connection attributes in memory from beginning to end.

• Regular mode — When the network packet adheres to a rule’s condition, the associated action defined in the rule is executed. If no matching rule is found, the network packet is blocked.

• Adaptive mode — When the network packet matches a rule’s conditions, the associated action defined in the rule is executed. If no matching rule is found, the network packet is allowed and a rule is created to allow similar packets later.

Use this option only to fine tune your firewall rules.

In both these modes, the status of the TCP/UDP/ICMP connection is tracked to identify whether the incoming packet is part of the existing connection.

• New rules and grouping rules — You can create rules and group them for easier management.

• DNS blocking — Blocks access to unwanted domains.

• Location awareness — Creates separate rules for locations, such as office or home network.

How stateful filtering works

Stateful filtering preserves in memory the list of existing network connections allowed by the firewall. Each entry in the state table contains multiple parameters that help to identify the connection state.

When the network packet matches an allow rule, the packet is allowed and a new entry is added to the state table. The subsequent packets are allowed without further verification of the predefined rule sets. When the session is completed or timed out, the entry is removed from the state table.

Stateful filtering automatically tracks the reverse traffic for existing connections, eliminating the need for another firewall rule. Firewall performs stateful filtering on TCP, UDP, and ICMP protocols.

How regular mode firewall protection works

Each rule contains a set of conditions that the network traffic must meet. The associated parameters of that rule allow or block the network traffic.

In Regular mode, firewall uses precedence to apply rules. The rule at the top of the rules list is applied first. If the network packet meets the conditions, firewall allows or blocks the packet as defined. If the packet does not meet the first rule's condition, firewall checks the next rule and continues through the rules list until a rule is satisfied. If no rule is met from the rules list, firewall blocks the traffic.

When the traffic matches the rule condition, firewall does not try to apply any further rules from the list.

To change the firewall protection from Regular mode to Adaptive mode, click | Preferences | Firewall | Adaptive Mode.

How Adaptive mode firewall protection works

In Adaptive mode, the precedence method is followed, but differently than in Regular mode.

In Adaptive mode, firewall uses precedence to apply rules. The rule at the top of the rules list is applied first. When the network packet does not match the defined rules from the list, an allow rule is created to allow the non-matching packet.

If the IP destination is a broadcast, multicast, or loopback address, or the protocol is ICMP, the network packet is blocked. No additional rules are created for these types of traffic.

For security reasons, when Adaptive mode is enabled, incoming pings are blocked unless an explicit allow rule is created for incoming ICMP traffic.

This diagram shows how network packets are handled in Adaptive mode.

To change the firewall protection from Adaptive mode to Regular mode, click | Preferences | Firewall | Regular Mode.
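The top-down rule precedence, the state table, and the different defaults of Regular and Adaptive mode described above, as an added Python model (not the product's code). The Packet, Rule and Firewall names, the granularity of a learned rule, and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" or "out"
    proto: str                      # "tcp", "udp" or "icmp"
    local_port: int
    remote_ip: str
    remote_port: int
    local_ip: str = "192.0.2.10"    # constructed address of the Mac

    @property
    def dst_ip(self):
        return self.remote_ip if self.direction == "out" else self.local_ip


@dataclass
class Rule:
    name: str
    action: str                         # "allow" or "block"
    direction: str
    proto: str
    local_port: Optional[int] = None    # None matches any port
    remote_port: Optional[int] = None

    def matches(self, p):
        return (self.direction == p.direction and self.proto == p.proto
                and self.local_port in (None, p.local_port)
                and self.remote_port in (None, p.remote_port))


def special_destination(ip):
    """Broadcast (limited broadcast only), multicast or loopback."""
    addr = ipaddress.ip_address(ip)
    return addr.is_multicast or addr.is_loopback or ip == "255.255.255.255"


class Firewall:
    def __init__(self, rules, mode="regular"):
        self.rules = list(rules)    # evaluated top-down, first match wins
        self.adaptive_rules = []    # learned in Adaptive mode, evaluated last
        self.state = set()          # connections that were already allowed
        self.mode = mode

    @staticmethod
    def _conn(p):
        # Direction is not part of the key, so reverse traffic of an allowed
        # connection hits the same state entry.
        return (p.proto, p.local_port, p.remote_ip, p.remote_port)

    def process(self, p):
        if self._conn(p) in self.state:
            return "allow (state table)"
        for rule in self.rules + self.adaptive_rules:
            if rule.matches(p):
                if rule.action == "allow":
                    self.state.add(self._conn(p))
                return f"{rule.action} ({rule.name})"
        if self.mode == "regular":
            return "block (no matching rule)"
        if p.proto == "icmp" or special_destination(p.dst_ip):
            return "block (adaptive exception)"
        # Assumed granularity of a learned rule: direction, protocol and the
        # port on the side that receives the connection.
        learned = Rule(
            f"adaptive-{len(self.adaptive_rules) + 1}", "allow",
            p.direction, p.proto,
            local_port=p.local_port if p.direction == "in" else None,
            remote_port=p.remote_port if p.direction == "out" else None)
        self.adaptive_rules.append(learned)
        self.state.add(self._conn(p))
        return f"allow ({learned.name}, learned)"


# Two allow rules modelled on the guide's DNS and website examples.
RULES = [Rule("dns", "allow", "out", "udp", remote_port=53),
         Rule("web", "allow", "out", "tcp", remote_port=80)]

if __name__ == "__main__":
    # Constructed traffic using documentation address ranges.
    traffic = [
        Packet("out", "tcp", 50000, "198.51.100.7", 80),
        Packet("in", "tcp", 50000, "198.51.100.7", 80),
        Packet("out", "tcp", 50001, "198.51.100.7", 443),
        Packet("in", "icmp", 0, "203.0.113.9", 0),
        Packet("in", "tcp", 22, "203.0.113.9", 40000),
    ]
    for mode in ("regular", "adaptive"):
        fw = Firewall(RULES, mode)
        print(mode)
        for p in traffic:
            print("  ", p.direction, p.proto, p.remote_ip, p.remote_port,
                  "->", fw.process(p))
        print("   learned:", [r.name for r in fw.adaptive_rules])
```

In the model, the unsolicited inbound TCP packet is blocked in Regular mode but produces a learned allow rule in Adaptive mode, which is why learned rules need review before they are kept.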

How DNS blocking works

You can create a list of domain names for which you want to block access.

Specify the domain names that you want to block. You can use ? and * wildcards to define the domain names.

You can create rules to block a Fully Qualified Domain Name (FQDN) using the client interface. The Domain Name System (DNS) blocking can be configured only using Firewall policy in McAfee ePO.

If the firewall host has not initiated any DNS queries for the blocked domains or FQDN, the DNS blocking and FQDN-based rules do not work.

How stateful FTP inspection works

Firewall can perform stateful inspection for the FTP protocol.

FTP involves two connections:

• Control for commands

• Data for the information

When a client connects to an FTP server, the control channel is established on FTP destination Port 21, and an entry is made in the state table. If the option for FTP inspection was set with the Firewall Options policy, when the firewall encounters a connection opened on Port 21, it knows to perform stateful packet inspection on the packets coming through the FTP control channel.

Firewall monitors the PORT, EPRT, PASV, and EPSV commands on the control channel, and determines which dynamic rules must be created for subsequent FTP data connections.

The combination of the control connection and one or more data connections is called a session. When the data transfer is complete, the dynamic rules created for data transfer are removed.

When the control connection is terminated, Firewall makes sure that all corresponding data connections are also removed.
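How a data-connection rule can be derived from the control channel, as an added Python sketch (not the product's code). It parses the PORT and EPRT commands and the 227 and 229 replies that answer PASV and EPSV, following RFC 959 and RFC 2428; the FtpSession class, the rule tuple layout, the address check and the sample addresses are assumptions of this example.

```python
import re


def decode_host_port(fields):
    """Decode 'h1,h2,h3,h4,p1,p2' (PORT argument or 227 reply) to (ip, port)."""
    nums = [int(n) for n in fields.split(",")]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("malformed host-port: " + fields)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


class FtpSession:
    """One control connection plus the dynamic rules derived from it.

    A rule is the tuple (direction, peer_ip, port_side, port):
    ("in", server, "local", N)   active mode, server connects to local port N
    ("out", server, "remote", N) passive mode, client connects to server port N
    """

    def __init__(self, client_ip, server_ip):
        self.client_ip, self.server_ip = client_ip, server_ip
        self.dynamic_rules = []

    def _open(self, direction, port_side, advertised_ip, expected_ip, port):
        # Hardening choice of this example: only create a rule when the
        # advertised address is the peer that is already part of the session.
        if advertised_ip != expected_ip or not 1 <= port <= 65535:
            return None
        rule = (direction, self.server_ip, port_side, port)
        self.dynamic_rules.append(rule)
        return rule

    def on_client(self, line):
        """Inspect a command sent by the local FTP client."""
        verb, _, arg = line.strip().partition(" ")
        try:
            if verb.upper() == "PORT":          # active mode, RFC 959
                ip, port = decode_host_port(arg)
            elif verb.upper() == "EPRT":        # active mode, RFC 2428
                _, _family, ip, port_text, _ = arg.split(arg[0])
                port = int(port_text)
            else:
                return None     # PASV / EPSV: the port arrives in the reply
        except (ValueError, IndexError):
            return None         # malformed command: create no rule
        return self._open("in", "local", ip, self.client_ip, port)

    def on_server(self, line):
        """Inspect a reply sent by the FTP server."""
        code = line[:3]
        if code == "227":                       # reply to PASV
            m = re.search(r"\((\d+(?:,\d+){5})\)", line)
            try:
                ip, port = decode_host_port(m.group(1)) if m else (None, 0)
            except ValueError:
                return None
            return self._open("out", "remote", ip, self.server_ip, port)
        if code == "229":                       # reply to EPSV
            m = re.search(r"\((.)\1\1(\d+)\1\)", line)
            if not m:
                return None
            return self._open("out", "remote", self.server_ip,
                              self.server_ip, int(m.group(2)))
        if code == "226":                       # transfer complete
            self.dynamic_rules.clear()
        return None

    def close(self):
        """Control connection terminated: drop every remaining rule."""
        self.dynamic_rules.clear()


if __name__ == "__main__":
    # Constructed control-channel exchange using documentation addresses.
    s = FtpSession("192.0.2.10", "198.51.100.5")
    print(s.on_client("PORT 192,0,2,10,19,137"))
    print(s.on_server("226 Transfer complete"), s.dynamic_rules)
    print(s.on_server("227 Entering Passive Mode (198,51,100,5,195,80)"))
    print(s.on_server("229 Entering Extended Passive Mode (|||6446|)"))
    s.close()
    print(s.dynamic_rules)
```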

How Firewall rules work

Each rule contains a set of conditions that the network traffic must meet. The associated parameters of that rule allow or block the network traffic.

This diagram shows how network packet filtering works.

This diagram explains how each network packet is processed.

How firewall rules are organized

Rules are categorized as ePO Rules, Client Rules, and Adaptive Rules.

Rules are displayed in tree view. The ePO Rules group appears at the top with the list of rules, followed by Client Rules, then Adaptive Rules.

To view firewall rules, click | Preferences | Firewall.

• ePO Rules — Defined and enforced by administrators if your Mac is managed by McAfee ePO.

The ePO Rules group also contains a list of rules that firewall creates automatically at run time for business continuity. These rules can't be modified.

• ePO Rules are displayed and applied only when the Mac is managed by McAfee ePO.

• A local user can't modify ePO Rules.

• A user can't add rules above or in between ePO Rules.

• When rules are created from a client Mac, they are added after the existing rules in the Client Rules section.

• ePO Rules are the first rules processed to match the network packet.

• These rules allow the Mac to:

• Obtain an IP address using DHCP.

• Perform DNS queries.

• Perform DAT updates.

• Allow communication with McAfee ePO.

• Client Rules — Created locally to allow or block specific network access.

• Adaptive Rules — Created automatically when Firewall is running in Adaptive mode, to allow a non-matching network packet.

Create a Firewall rule

Create firewall rules to handle the network traffic according to your requirements.

Task

1 Click the McAfee menulet on the status bar, then select Preferences.

2 Click Firewall.

3 Click , type the administrator password, then click OK.

4 Select Regular Mode.

5 Click in the bottom left corner of the console to open the rule page.

6 Define the following parameters as needed, then click OK.

For this field... | Configure these options...

Rule Name | Type a name for the rule.

Status
• Enabled — To enable the firewall rule.
• Disabled — To disable the firewall rule.

The rules appear as grayed out in the rules list when their status is set to Disabled.

Action
• Block — To block the network traffic.
• Allow — To allow the network traffic.

Direction
• Incoming — To apply the rules for incoming network traffic.
• Outgoing — To apply the rules for outgoing network traffic.

Logging
• Enabled — To make an entry in the system log when a network packet matches a rule.
• Disabled — To avoid making an entry in the system log when the network packet matches a rule.

Enabling the logging feature can impact the system performance. We recommend that you enable Logging only for troubleshooting and learning purposes.

Interface(s)
• Wired
• Wireless
• Virtual

Network Protocol | IPv4

Define the configuration for Local Mac using:
• Single
• Subnet
• Local Subnet
• Range (of IP addresses)
• Fully Qualified Domain Name
• Any local IP Address
• Any IPv4 Address

Local system is the system on which you are adding rules.

Select the configuration for Remote system using:
• Single
• Subnet
• Local Subnet
• Range (of IP addresses)
• Fully Qualified Domain Name
• Any local IP Address
• Any IPv4 Address

Remote system is the system you want to connect to.

Use to add more criteria and to remove existing criteria.

Transport Protocol

Select All Protocols to apply the rule for all protocols.

For Select Protocol, define the parameters for:
• TCP
• UDP
• ICMP

Use to add more criteria and to remove existing criteria.

Add specific rules at the top of the list, and generic rules at the bottom to filter the traffic most efficiently.

7 Click to prevent further changes.

To edit an existing Firewall rule, select the rule, then click to open the rule page.

Firewall rules examples

Refer to these examples when creating firewall rules.

Create a rule to allow DHCP outgoing on UDP local port 68 to remote port 67

To create a firewall rule that allows you to get an IP address on an interface, we recommend creating two rules. First create a rule to allow DHCP outgoing on UDP local port 68 and remote port 67, then create a rule to allow DNS queries.

• Rule Name — Type a name for the rule

• Status — Enabled

• Action — Allow

• Direction — Outgoing

• Network Protocol (IPv4) — Not applicable

• Transport Protocol — Select Protocol

• Select UDP, Local, then type the Port No as 68

• Select UDP, Remote, then type the Port No as 67

Create a rule to allow DNS queries

• Rule Name — Type a name for the rule

• Status — Enabled

• Action — Allow

• Direction — Outgoing

• Network Protocol (IPv4) — Not applicable

• Transport Protocol — Select Protocol

• Select UDP, Remote, then type the Port No as 53

Create a rule to allow access to websites

• Rule Name — Type a name for the rule

• Status — Enabled

• Action — Allow

• Direction — Outgoing

• Network Protocol (IPv4) — Not applicable.

• Transport Protocol — Select Protocol

• Select TCP, Remote, then type the Port No as 80

Allow specific remote IP address and port access

• Rule Name — Type a name for the rule

• Status — Enabled

• Action — Allow

• Direction — Outgoing

• In Network Protocol (IPv4), select Remote | Subnet, then type the Subnet Mask value

• Transport Protocol — Select Protocol

• Select TCP, Remote, then type the Port No

You can type a single port number, or series of port numbers using a comma, or a range of ports using a hyphen.

Recommended firewall rules

In addition to the default firewall rules, we recommend that you configure these rules:

• Allow bi-directional NTP port 123 to 123

• Allow bi-directional NetBIOS name service port 137 to 137

• Allow outgoing FTP client port 1024-65535 to 21

• Allow outgoing for POP3, IMAP, SMTP

• Allow outgoing for RDP

• Allow outgoing for LDAP

• Allow bi-directional for AFP/SMB, if you are using file sharing

Best practices for Firewall

We recommend that you configure these firewall rules that protect your system in line with your organizational requirements.

• McAfee Endpoint Security for Mac is shipped with a set of default firewall rules. We recommend that you use them as a starting point, and modify them according to your organizational requirements.

• If your organization does not have a firewall policy or if this is the first time your organization uses a firewall policy, we recommend that you use the default corporate policy. Afterward, you can use the Adaptive mode for further fine tuning.

We strongly recommend that you do not run Adaptive mode in production.

• Remember that Adaptive mode must be used to fine-tune the firewall rule sets. So, run Adaptive mode only for a short duration to identify the organizational requirements.

• Create Defined Networks for easier rule creation and management.

• Configure the DNS blocking feature to block the known unwanted domains.

• Always use firewall rule groups to organize the rules in an efficient way.

• Make rules as specific as possible.

For example, to allow access to a particular website, provide the name or IP address, with the port number.

• Use more specific rules at the top of the rule set and generic ones toward the end.

For example, to give access to a particular website for all Mac users in the organization except one system, create a specific deny rule to block the website on that particular system first.

• Because Firewall validates rules using a top-down approach, we recommend that you always revisit the rules completely to avoid loopholes.

Web Control

Web Control protects your Mac from online threats, called web-based threats, when you access or browse websites.

The software monitors sites that you access or browse, checks for their safety ratings, and allows or blocks the sites according to the configuration.

Web Control provides safety ratings at two levels. The software:

• Displays a safety rating for each page while browsing

• Displays a safety rating for each site that the search engine lists

The software supports only the Google search engine.

The software allows you to configure access permission to sites based on their rating or content category defined by McAfee GTI.

For a standalone Mac, you can configure the security preferences to:

• Enable or disable the Web Control feature

• Allow or block access to sites based on their rating

• Configure access to sites based on the content type

• Define a list of sites to allow or block

How Web Control works

This diagram shows how Web Control works and protects your system.

How safety ratings are compiled

Safety rating is a color-coded safety category for a website.

A McAfee team analyzes each website and assigns a color-coded safety rating based on test results. The color indicates the safety level of the site. The team develops safety ratings by testing criteria for each site and evaluating the results to detect common threats.

Automated tests compile safety ratings for a website by:

• Downloading files to check for viruses and potentially unwanted programs bundled with the download.

• Entering contact information into sign-up forms and checking for resulting spam or a high volume of non-spam email sent by the site or its affiliates.

• Checking for an excessive number of pop-up windows.

• Checking for attempts by the site to exploit browser vulnerabilities.

• Checking for deceptive or fraudulent practices that a site uses.

The team compiles test results into a safety report that can also include:

• Feedback submitted by site owners, which might include descriptions of safety precautions used by the site or responses to user feedback about the site.

• Feedback submitted by site users, which might include reports of phishing scams or bad shopping experiences.

• More analysis by McAfee experts.

The McAfee GTI server stores site ratings. The server is updated periodically with the latest rating and site details.

Color-coded buttons

Each color button indicates the safety rating category of the site.

Button Color | Description

Green | Sites are safe and you can access them.

Yellow | Sites are suspicious and they might pose security issues. You must access these sites with caution.

Red | Sites contain potential security risks. You must access these sites with extreme caution. However, by default, the software denies access to red-rated sites.

Gray | No rating is available for this site. By default, Web Control allows sites when a rating is not available.

Orange | Communication with the McAfee GTI server is unavailable to display the site rating.

Black | This site is a phishing site, or the site is explicitly blocked by Web Control settings.

Blue | The site is internal or in a private IP address range.

Silver | The Web Control setting is disabled.

White | Web Control configuration allows the site.

For Chrome browser, the rating button appears on the right side of the address bar.

The safety rating applies to HTTP and HTTPS protocol URLs only.

Color icons

When users type keywords in the Google search engine, the color-coded icon appears next to each site listed in the search results.

Icon color Description

The site is safe. Tests revealed no significant problems.

Tests revealed some issues that users must know about. For example, the site tried to change browser defaults, displayed pop-ups, or sent testers a significant amount of non-spam email.

This site has some serious issues that users must consider carefully before accessing. For example, the site sent spam email or bundled adware with a download.

This site is unrated.

The difference between the Unrated and Unverified sites is:

• Unrated sites — Site information is not available because the site is not verified by McAfee GTI.

• Unverified sites — Site has a McAfee GTI rating of 15.

Site safety report

The site safety report provides the test result details of a site.

The site safety information is available when you access a site, and access sites through the Google search engine.

• Safety rating at search engine — Displays the safety rating balloon that summarizes the safety report for a site. The Read Site Report link provides the safety report summary of the site.

• Safety rating at site level — Displays the safety rating at the left top of the browser. You can view the test result report in the McAfee website.

Site rating action

Allow or block access to sites based on the safety rating.

By default, the software allows access to green-rated sites. You can configure the action for sites rated as Red, Yellow, Unrated, or Unverified.

The default settings for these categories are:

Rating color | Configuration

Red | Block access — Prevents users from accessing the site and displays a message that the site is blocked.

Yellow | Warn — Displays a warning to notify users of potential dangers associated with the site. User can decide whether to access the site by selecting Continue or Cancel.

Unrated | Allow access — Permits users to access the site.

Unverified | Allow access — Permits users to access the site.

Web Control does not scan files that are downloaded from allowed sites. However, if you installed the Threat Prevention module and enabled on-access scanning, files are scanned for threats.

Blocking sites based on the content category

Enable Web Category Blocking blocks sites based on their content category, which McAfee defines.

Web Control provides more filtering options. Enable Web Category Blocking classifies sites based on their content and blocks them. Use this option to block access to sites that are categorized as malicious content, such as pornography, spyware, adware, or phishing.

Enable Web Category Blocking overrides the Rating Actions for Sites configuration. For example, the Rating Actions for Sites is set to Allow for yellow-rated sites with Enable Web Category Blocking enabled for all categories. If you visit a yellow-rated site that belongs to the blocked category, the software blocks the site although the Rating Actions for Sites configuration allows access to yellow-rated sites.

These categories are enabled by default:

• Potential Hacking/Computer Crime

• Malicious Sites

• Pornography

• Spyware/Adware/Keyloggers

• Phishing

• Browser Exploits

• Malicious Downloads

Block and Allow List

Define access permission for each site.

You can include sites in this list and specify access permission for each site.

Block and Allow List configuration overrides the Enable Web Category Blocking and Rating Actions for Sites configuration. You can allow sites that are blocked by other settings, or block sites that are allowed by other settings. Using Block and Allow List option, you can define access for sites regardless of their rating.

Use this option to allow access to business-specific sites and block unwanted sites.
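The override order described above (Block and Allow List first, then Enable Web Category Blocking, then Rating Actions for Sites), as an added Python sketch that is not the product's code. The decide function, first-match handling of list entries, fnmatch-style handling of the ? and * wildcards, and the sample sites are assumptions; the default tables are copied from this guide.

```python
from fnmatch import fnmatchcase

# Defaults as listed in this guide.
DEFAULT_RATING_ACTIONS = {
    "green": "allow", "red": "block", "yellow": "warn",
    "unrated": "allow", "unverified": "allow",
}
DEFAULT_BLOCKED_CATEGORIES = {
    "Potential Hacking/Computer Crime", "Phishing", "Malicious Sites",
    "Browser Exploits", "Pornography", "Malicious Downloads",
    "Spyware/Adware/Keyloggers",
}


def decide(site, rating, categories, block_allow_list,
           blocked_categories=DEFAULT_BLOCKED_CATEGORIES,
           rating_actions=DEFAULT_RATING_ACTIONS):
    """Return (action, deciding setting) for one site.

    block_allow_list is an ordered list of (pattern, "allow" | "block").
    """
    # 1. Block and Allow List overrides both other settings.
    for pattern, action in block_allow_list:
        if fnmatchcase(site.lower(), pattern.lower()):
            return action, "Block and Allow List: " + pattern
    # 2. Web Category Blocking overrides the rating action.
    hits = sorted(set(categories) & set(blocked_categories))
    if hits:
        return "block", "Web Category Blocking: " + hits[0]
    # 3. Otherwise the action configured for the site's rating applies.
    return rating_actions[rating], "Rating Actions for Sites: " + rating


def overriding_allows(sites, block_allow_list, **settings):
    """List sites that an allow entry lets through although the other
    settings alone would block them, so each entry can be reviewed."""
    found = []
    for site, rating, categories in sites:
        with_list = decide(site, rating, categories, block_allow_list, **settings)
        without = decide(site, rating, categories, [], **settings)
        if with_list[0] == "allow" and without[0] == "block":
            found.append((site, with_list[1], without[1]))
    return found


if __name__ == "__main__":
    # Constructed sites: (name, rating, categories).
    sites = [
        ("portal.example.com", "red", ["Malicious Sites"]),
        ("news.example.org", "yellow", ["Phishing"]),
        ("shop.example.net", "yellow", []),
    ]
    allow_list = [("*.example.com", "allow")]
    for site, rating, cats in sites:
        print(site, decide(site, rating, cats, allow_list))
    print(overriding_allows(sites, allow_list))
```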

Add or remove sites to Block and Allow List

Use the Block and Allow List option to explicitly allow or block access to sites.

Task

1 Click the McAfee Menulet on the status bar, then select Preferences.

2 Click the Web Control tab.

3 Click , then type the administrator password when prompted.

4 Under Block and Allow List, click

5 Type the URL in the Site area and define the permission in the Action field.

To add another URL, click then define the settings. To remove the URL from the list, click . To change the permission for an existing URL, click the URL, then change the permission. You can use ? and * wildcards to define sites.

6 Click to prevent further changes.

Configure Web Control on a standalone Mac

Configure the Web Control options on your standalone Mac to access or block sites as required.

Task

1 Click the McAfee menulet on the status bar, select Preferences, then click the Web Control tab.

2 Click , type the administrator password, then click OK.

3 Under Block and Allow List, click , type the URL in the Site column, then select an action from the Action drop-down list.

• Allow — Allows access to the site

• Block — Blocks access to the site

The action set for sites in the Block and Allow List overrides the actions defined in Enable Web Category Blocking and Rating Actions for Sites.

4 In Enable Web Category Blocking, select the categories as needed.

5 In Rating Actions for Sites, define the action for Red, Yellow, Unrated, and Unverified sites.

• Allow — Allows access to the site

• Warn — Displays a warning message with the option to Continue or Cancel navigation to the site

• Block — Blocks access to the site

6 Click to prevent further changes.

Configure an update schedule

Configure the repository list that needs to be accessed to update the DAT or Engine, the proxy connection settings, and the update schedule.

Tasks

• Configure the repository list
Always keep your DAT file up to date to secure your Mac from the latest threats.

• Configure proxy settings
Configure Proxy settings if you use proxy servers to connect to the Internet for retrieving packages.

• Configure the DAT update schedule
Periodic DAT updates secure your Mac from latest threats.

Configure the repository list

Always keep your DAT file up to date to secure your Mac from the latest threats.

The software is shipped with the configuration that allows access to the McAfee FTP server and HTTP server to download the latest DAT file while your Mac is connected to the Internet.

Task

1 Click the McAfee menulet on the status bar, then select Preferences.

2 Click Update.

3 Click , type the administrator password, then click OK.

4 In Repository Name list box, on the Repository List tab:

• — To add a repository.

• — To delete an existing repository.

• — To deprioritize repositories.

• — To prioritize repositories.

5 In Repository Type, select FTP, HTTP, or a Local repository from where the latest DATs can be downloaded.

6 Specify a Repository URL, Port, User Name, and Password for the repository.

7 On the Schedule tab, define the schedule, then click Apply.

8 Click to prevent further changes.

Configure proxy settings

Configure Proxy settings if you use proxy servers to connect to the Internet for retrieving packages.

Task

1 Click the McAfee menulet on the status bar, then select Preferences.

2 Click Update, then click the Proxy Settings tab.

3 Click , type the administrator password, then click OK.

4 Select whether to use a proxy.

• Do not use a proxy

• Configure proxy settings manually

5 Select Use these settings for all proxy types to specify the same IP address and port number for all proxy types.

6 Select FTP or HTTP server, then type the IP address and port number of the selected server.

7 Select Use authentication, then type the user name and password for the server.

8 To bypass a proxy server for specific domains, select Specify exceptions, then type the domain name.

9 Click to prevent further changes.

Configure the DAT update schedule

Periodic DAT updates secure your Mac from the latest threats.

Task

1 Click the McAfee menulet on the status bar, then select Preferences.

2 On the Update tab, click Schedule.

3 Click , type the administrator password, then click OK.

4 Click the drop-down list to select the update frequency, then click Apply.

• Never — Never run the update

We recommend that you do not select this option. Always keep your DAT files and Engine up to date to protect your Mac from the latest threats.

• Hourly — To run the update on the selected hours.

• Daily — To run the update daily at a specific time.

• Weekly — To run the update weekly at a specified time on weekdays.

• Monthly — To run the update once in a month at a specified time.

5 Click to prevent further changes.

Debug logging

Debug logs provide important information that you can use for troubleshooting purposes.

Enabling debug logs for a module logs details for all components of the module.

For example, if you enable logging for Threat Prevention, logs are stored for on-access scanning and on-demand scanning activity.

• You can find the Threat Prevention logs at /var/log/system.log and /var/log/McAfeeSecurity.log. You can identify and filter the Threat Prevention logs by its name MFE_AV.

• You can find the Firewall logs at /var/log/system.log. You can identify and filter the firewall logs by its name MFE_FW.

• You can find the Web Control logs at /var/log/McAfeeSecurity.log. You can identify and filter the Web Control specific log by its name MFE_WC.

Enable or disable debug logging

Configure the debug logging option for the installed modules.

Task

1 Click the McAfee menulet on the status bar, then select Preferences.

2 Click the Logging tab.

3 Click , type the administrator password, then click OK.

4 Select the modules as required.

5 Click to prevent further changes.

5 Troubleshooting

Identify and troubleshoot issues when using the standalone version of McAfee Endpoint Security for Mac.

Run the repairMSC utility

Use the repairMSC utility to troubleshoot McAfee Endpoint Security for Mac issues. It generates diagnostic reports, which can be uploaded to the McAfee server for analysis.

Task

1 Open a Terminal window, type the following command, then press return.

/usr/local/McAfee/repairMSC

2 Type the administrator password when prompted, then press return.

3 Type Y to continue, then press return.

A consolidated diagnostic report is generated in your home directory for issue analysis. A list of issues appears with each category relating to a number from 1 to 8.

4 Type a number that best describes the issue, then press return. The repairMSC runs a repair utility based on the number selected and provides a solution.

5 Type y or n to confirm whether the issue was fixed, then follow the on-screen instructions.

The report file repairMSC.zip is available in your home directory (/Users/<user>).

Contact McAfee support for troubleshooting assistance.

Protecting your managed Mac

Install the required extensions and deploy a security strategy to protect your managed Mac systems from threats.

Chapter 6 Installing the software on a Mac managed with McAfee ePO
Chapter 7 Installing the software on a Mac managed with McAfee ePO Cloud
Chapter 8 Managing the software with McAfee ePO and McAfee ePO Cloud

6 Installing the software on a Mac managed with McAfee ePO

Install the software on the McAfee ePO server and deploy it to your managed Mac.

Contents
• System requirements
• Check in the package to the McAfee ePO server
• Install the extensions on the McAfee ePO server
• Install the client software on a managed Mac using the installation URL
• Deploy the software from McAfee ePO
• Test the installation
• Remove the software from a managed Mac

System requirements

Make sure that these requirements are met and you have administrator permission.

Component: Requirements

Hardware: Mac that can run with the supported operating system configuration.

Operating system:

• El Capitan 10.11.x (client and server)

If you are using McAfee® Agent 5.x on your Mac, you must upgrade it to McAfee Agent 5.0.2 with Hotfix HF1085179 before upgrading the operating system to El Capitan. Otherwise, the communication between the McAfee® ePolicy Orchestrator® (McAfee ePO™) server and the Mac fails, and you would be unable to manage the Mac from the McAfee ePO server. For more information about the McAfee Agent 5.0.2 known issues with El Capitan, see McAfee KnowledgeBase article KB83895.

• Yosemite 10.10.x (client and server)

• Mavericks 10.9.x (client and server)

Browser: Safari 7.1.x, 8.0.x, and 9.0.x; Google Chrome 49 and later.

McAfee Agent: McAfee Agent 5.0.2 with Hotfix HF1085179 and later

McAfee ePolicy Orchestrator: 5.1.1 and later

Check in the package to the McAfee ePO server

You can check in the package using the Software Manager or check in the package manually.

Tasks

• Check in the package using Software Manager
Check in, update, or remove McAfee Endpoint Security for Mac using the Software Manager.

• Check in the package manually
Check in the McAfee Endpoint Security for Mac deployment package to the McAfee ePO Master Repository.

Check in the package using Software Manager

Check in, update, or remove McAfee Endpoint Security for Mac using the Software Manager.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Software | Software Manager.

3 From the Product Categories list under Software (By Label), select Endpoint Security, select the package file, then click Check in All.

4 On the summary page, accept the McAfee End User License Agreement, then click OK.

Check in the package manually

Check in the McAfee Endpoint Security for Mac deployment package to the McAfee ePO Master Repository.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Download the .zip file to a temporary location on the McAfee ePO server.

2 Log on to the McAfee ePO server as an administrator.

3 Select Menu | Software | Master Repository | Check In Package.

a For Package type, select Product or Update (.ZIP).

b Click Choose File, select the file, click Choose, then click Next.

4 Select Current, then click Save.

Install the extensions on the McAfee ePO server

Install the software on the McAfee ePO server to configure and deploy policies for managed Mac.

Tasks

• Install the extensions using Software Manager
Install the extensions using the Software Manager.

• Install the extensions manually
Install Endpoint Security extensions on the McAfee ePO server manually.

Install the extensions using Software Manager

Install the extensions using the Software Manager.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu, Software, then click Software Manager.

3 From the Software Manager | Product Categories | Software (By Label), select Endpoint Security | McAfee Endpoint Security 10.2.0, select from the right pane, then check in the extensions.

Install the extensions manually

Install Endpoint Security extensions on the McAfee ePO server manually.

You must install the extensions to enable the features of the product.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Software | Extensions, then click Install Extension.

3 Click Choose File and select the file that contains the extension, then click OK.

After installing the Endpoint Security extensions, you can use the migration tasks to migrate McAfee Endpoint Protection for Mac 2.3 or McAfee VirusScan for Mac 9.8 policies and tasks. For more information, see Endpoint Security migration help.

Install the client software on a managed Mac using the installation URL

McAfee ePO administrators can create an installation URL to install Endpoint Security for Mac client software on managed Mac.

Tasks

• Create an installation URL
Create an installation URL and send it to the user to install McAfee Agent on a managed Mac.

• Install the software with an installation URL on a managed Mac
The Mac user can access the URL to install the client software on a managed Mac.

Create an installation URL

Create an installation URL and send it to the user to install McAfee Agent on a managed Mac.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Dashboards, then select Getting Started with ePolicy Orchestrator from the drop-down list.

3 On the Product Deployment page, click Start Deployment, define these settings, then click Deploy.

• System Tree Group

• McAfee Agent

• Software and Policies

• Auto Update

4 On the Initial Product Deployment Summary page, click OK.

On the Dashboard page, the installation URL appears under the Product Deployment section.

5 Email the URL with instructions to install the client software on the Mac to the user.

After successful installation, McAfee Agent checks back with the McAfee ePO server for assigned tasks for that system group, then installs the software accordingly.

Install the software with an installation URL on a managed Mac

The Mac user can access the URL to install the client software on a managed Mac.

Before you begin

Make sure that your managed Mac meets the hardware and software requirements.

You must have an installation URL that you created or received from your administrator.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Open a browser window, paste the installation URL in the address bar, then press Enter.

2 Follow the on-screen instructions. If the installation does not start automatically, click Install.

Deploy the software from McAfee ePO

Use McAfee ePO to deploy the client software to systems in your network that are managed.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | System Tree, then select a group or systems.

3 On the Assigned Client Tasks tab, click Actions, then click New Client Task Assignment.

4 Complete these options, then click Create New Task:

a For Product, select McAfee Agent.

b For Task Type, select Product Deployment.

5 On the Client Task Catalog page:

a Type a name for the task.

b Select Mac as the target platform.

c In Products and components, select the product, select Install as the action, then click Save.

You can add more products by using .

6 In the Client Task Assignment Builder page:

a Select the task, then click Next.

b Schedule the task to run immediately, click Next to view a summary of the task, then click Save.

7 In the System Tree, select the systems or groups where you assigned the task, then click Wake Up Agents.

8 Select Force complete policy and task update, then click OK.

Test the installation

After deploying the software, verify that the client software is installed and updated correctly on managed Mac systems.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Wait for client systems to report back to the McAfee ePO server (typically after an hour).

2 On the McAfee ePO console, select Menu | Dashboards, then select Endpoint Security: Installation Status for a complete list of managed Mac and their installation status.

Remove the software from a managed Mac

Remove the client software from the managed Mac systems and remove the extensions from the McAfee ePO server.

Tasks

• Remove the software extensions
Remove the McAfee Endpoint Security for Mac extensions from the McAfee ePO server.

• Remove the software
Create a client task on the McAfee ePO server to remove McAfee Endpoint Security for Mac from the managed Mac.

Remove the software extensions

Remove the McAfee Endpoint Security for Mac extensions from the McAfee ePO server.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Software | Extensions.

3 In the left pane, select the extension and click Remove.

4 Select Force removal, bypassing any checks or errors, then click OK.

Remove the software

Create a client task on the McAfee ePO server to remove McAfee Endpoint Security for Mac from the managed Mac.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | System Tree, then select a group or systems.

3 Click the Assigned Client Tasks tab, then click New Client Task Assignment.

4 Complete these options, then click Create New Task.

a For Products, select McAfee Agent.

b For Task Type, select Product Deployment.

5 On the Client Task Catalog page:

a Type a name for the task.

b Select Mac as the Target platform.

c In Products and components, select the product, select Remove as the action, then click Save.

6 On the Client Task Assignment Builder page:

a Select the task, then click Next.

b Schedule the task to run immediately. Click Next to view a summary of the task, then click Save.

7 In the System Tree, select the systems or groups for which you assigned the task, then click Wake Up Agents.

8 Select Force complete policy and task update, then click OK.

7 Installing the software on a Mac managed with McAfee ePO Cloud

Install and manage the software on a Mac that is managed with McAfee ePO Cloud.

McAfee ePO Cloud is an extensible management platform that enables centralized policy management and enforcement of your security products and the systems where they are installed.

It also provides comprehensive reporting and product deployment capabilities, all through a single point of control. Using McAfee ePO Cloud, you can deploy security products, patches, and service packs to the managed systems in your network.

Contents
• McAfee ePO Cloud components
• System requirements
• Accessing the McAfee ePO Cloud account
• Install the client software on managed systems using the installation URL
• Deploy the client software from McAfee ePO Cloud

McAfee ePO Cloud components

These components make up McAfee ePO Cloud software.

• McAfee ePO Cloud — The center of your managed environment. McAfee ePO Cloud delivers security policies and tasks, controls updates, and processes events for all managed Mac.

• McAfee Agent — A vehicle of information and enforcement between the McAfee ePO Cloud and each managed Mac. The agent retrieves updates, ensures task implementation, enforces policies, and forwards events for each managed Mac.

• Master Repository — The central location for all McAfee updates and signatures, residing on McAfee ePO Cloud. The Master Repository retrieves user-specified updates and signatures from McAfee.

System requirements

Make sure that your managed Mac meets these requirements and that you have a valid account with the McAfee ePO Cloud.

Component: Requirements

Hardware: Mac that can run with the supported operating system configuration.

Operating system:

• El Capitan 10.11.x (client and server)

If you are using McAfee® Agent 5.x on your Mac, you must upgrade it to McAfee Agent 5.0.2 with Hotfix HF1085179 before upgrading the operating system to El Capitan. Otherwise, the communication between the McAfee® ePolicy Orchestrator® (McAfee ePO™) server and the Mac fails, and you would be unable to manage the Mac from the McAfee ePO server. For more information about the McAfee Agent 5.0.2 known issues with El Capitan, see McAfee KnowledgeBase article KB83895.

• Yosemite 10.10.x (client and server)

• Mavericks 10.9.x (client and server)

Browser: Safari 7.1.x, 8.0.x, and 9.0.x; Google Chrome 49 and later.

Accessing the McAfee ePO Cloud account

These are the high-level actions to set up the McAfee ePO Cloud account.

1 The enterprise administrator requests access to use McAfee ePO Cloud.

2 McAfee emails the McAfee ePO Cloud URL and logon information to the enterprise administrator.

3 Log on to the McAfee ePO Cloud server.

Install the client software on managed systems using the installation URL

Create an installation URL and send it to users to install the client software on managed systems.

Tasks

• Create an installation URL
Create an installation URL to install the software on managed Mac.

• Install the software with an installation URL
The managed Mac user can install the software on a local Mac with an installation URL.

Create an installation URL

Create an installation URL to install the software on managed Mac.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO Cloud as an administrator.

2 Click Menu | Getting Started | Customize.

3 On the Customize Software Installation page, define these settings, then click Done.

• Group Name — Type a name for the group.

• Operating System — Select McAfee Agent for Mac.

• Software and Policies — Select McAfee Endpoint Security software modules as required.

• Auto Update — Select this option to download updates for the software.

The default policies and tasks of the module are selected by default.

4 Click Done.

5 From the Dashboards drop-down list, select Getting Started with ePolicy Orchestrator.

On the right side pane under Getting Started, the URL that you created appears.

6 Email the URL with installation instructions to the Mac users.

After successful installation, McAfee Agent checks back with the McAfee ePO server for assigned tasks for that system group, then installs the software accordingly.

Install the software with an installation URL

The managed Mac user can install the software on a local Mac with an installation URL.

Before you begin

• Make sure that your Mac meets the hardware and software requirements.

• You must have an installation URL that you created or received from your administrator.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Open a browser window, paste the installation URL in the address bar, then press Enter.

2 Follow the on-screen instructions.

Deploy the client software from McAfee ePO Cloud

Deploy the client software to systems in your network that are managed.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Software | Product Deployment.

3 In the Product Deployment page, define these settings, then click Save.

• Name

• Description

• Type

• Auto Update

• Package

• Language

• Branch

• Command line

• Select the systems

• Select a start time

8 Managing the software with McAfee ePO and McAfee ePO Cloud

Integrate and manage McAfee Endpoint Security for Mac using McAfee ePO or McAfee ePO Cloud.

The primary differences in managing policies in the two environments are:

• McAfee ePO — Organizations maintain the McAfee ePO server on their premises, and administrators check in and install the software on the server, create policy settings, and enforce them on multiple managed Mac systems using deployment tasks.

• McAfee ePO Cloud — McAfee or the service provider maintains the McAfee ePO server, including checking in and installing the software. After setting up the cloud account from McAfee or other service providers, local administrators create policies and enforce them on managed Mac systems using deployment tasks.

For instructions about setting up and using McAfee ePO and McAfee Agent, see the product guide for your version of the product.

Contents
• Using Endpoint Security extensions as common extensions
• Manage policies
• Common policy
• Threat Prevention policy
• Firewall policy
• Web Control policy
• Queries and reports

Using Endpoint Security extensions as common extensions

Use the latest Endpoint Security extensions as common extensions to manage your Microsoft Windows, Macintosh, and Linux systems.

You can use Endpoint Security extensions to configure and deploy policies for your Macintosh and Windows systems. On each policy page, a tag indicates that the option applies only for specific operating systems. For example:

• Windows only — Applies only to Windows-based systems.

• Linux only — Applies only to Linux-based systems.

• Windows and Mac only — Applies only to Windows and Macintosh-based systems.

• Windows and Linux only — Applies only to Windows and Linux-based systems.

The policy options that don't contain any tag are applicable for Windows, Mac, and Linux systems.

To view the Windows only tag in the policy and task options, you must have installed the licensing extension on your McAfee ePO.

For the list of features supported for Microsoft Windows, Macintosh, and Linux operating systems, see McAfee KnowledgeBase article KB84410.

Manage policies

McAfee Endpoint Security for Mac policies provide options to configure features, feature administration, and to log details on managed systems.

You can find these policies on the Policy Catalog page under Product:

• Endpoint Security Threat Prevention

• Endpoint Security Firewall

• Endpoint Security Web Control

• Endpoint Security Common

Configure these policies with your preferences, then assign them to groups of the managed Mac. For generic information about policies, see the product guide for your version of McAfee ePO.

Create or modify policies

You can create and edit policies for a specific group in the System Tree.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select a Product and Category.

3 Perform these steps to create or modify a policy.

To create a policy:

1 Click New Policy.

2 Type the Policy Name.

3 Click OK.

4 Configure the settings.

To modify a policy:

1 Click the policy you want to modify.

2 Modify the settings.

4 Click Save.

Assign policies

When you have created or modified policies, assign them to the systems that are managed by McAfee ePO.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Navigate to System Tree, select a group or systems, then click the Assigned Policies tab.

3 Select a product from the product list, select a policy, then click Edit Assignment.

4 Select the policy to assign, select appropriate inheritance options, then click Save.

Monitor the McAfee Agent status

Monitor the McAfee Agent status for information about the collection and transmission of properties on the managed Mac.

You can also send events, enforce policies, collect and send properties, and check for new policies and tasks.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the managed Mac, click the McAfee menulet on the status bar, then select McAfee Agent Status Monitor.

2 Select one of these options as required:

• Collect and Send Props — Send properties to the McAfee ePO server.

• Send Events — Send events to the McAfee ePO server.

• Check New Policies — Trigger the agent to communicate with the server to update policy and tasks.

• Enforce Policies — Enforce all configured policies on the managed system on demand.

• Save Contents to Desktop — Save the content of the McAfee Agent log to desktop.

• Close — Close the McAfee Agent Status Monitor interface.

Common policy

The Common policy options can be used to configure protection settings for your managed Mac.

Configure the Options page settings in the Common policy to:

• Enable self-protection for software files.

• Configure password-protection for the client interface.

• Prevent uninstalling the client software.

• Prevent changing the protection settings.

• Configure preferences for debug logging.

For the list of features supported for Microsoft Windows and Macintosh operating systems, see McAfee KnowledgeBase article KB84410.

Contents
• Configuring client interface access
• Preventing client software uninstallation
• Self Protection
• Configuring debug logging
• Default Client Update
• Configure the Common policy

Configuring client interface access

Classify your user group and determine the required access level for them.

The Client Interface Mode provides three levels of access.

• Full access — Allows the managed Mac user to view or change all feature settings using the local Mac password credentials.

You can provide Full access to users for whom you don't want to restrict any action.

• Standard access — Allows the managed Mac users to run software updates and to run scheduled scans. To view or change the protection preferences, the managed Mac user must provide the password defined by the McAfee ePO administrator. The default password is mcafee.

• Lock client interface — The user is prompted for the McAfee ePO administrator password to start the client console.

If the managed Mac user changes the protection preferences locally, the subsequent policy enforcement overrides the changes.

Preventing client software uninstallation

Administrators can configure the Uninstallation option settings to prevent accidental removal of client software from the managed Mac.

When Require password to uninstall the client is selected, the user is prompted for the McAfee ePO password to uninstall the client software. The default password is mcafee.

Self Protection

The Self Protection option protects the security software files from threats.

One of the first things that malware attempts to do during an attack is to change, delete, or disable your system security software. Configure the Self Protection settings to protect Endpoint Security for Mac files and its module files from being changed or deleted. We recommend that you enable this option always because malware attacks primarily target the software files first.

For managed Mac, deselecting Enable Self Protection or Files and folders disables Self Protection.

For a standalone Mac, Self Protection is always enabled.

Endpoint Security for Mac supports only the Files and Folders option in Self Protection.

Configuring debug logging

Administrators can enable or disable debug logging for the installed modules.

When you enable debug logging for a module, events are logged for all components of the module.

For example, if you enable debug logging for Threat Prevention, events are logged for on-access scanning and on-demand scanning at user level and at the kext level.

Default Client Update

The Default Client Update option allows administrators to enable or disable the update schedule on a managed Mac.

Administrators can enable or disable the default update task schedule on a managed Mac.

By default, the software checks for updates at 4:45 p.m. every day. When you deselect Enable default update task schedule in the client, the update schedule is set to Never in the client interface.

After deselecting Enable default update task schedule in the client, if you select it again, the user must configure the update schedule.

Whichever options you select under What to update, the software updates the DAT files and Engine, and the product.

Configure the Common policy

Configure the Common policy settings to enable or disable Self Protection, debug logging, uninstallation, and to define client interface access.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select Endpoint Security Common as the product, then Options as the category.

3 Click New Policy, type a name for the policy, then click OK.

4 On the Policy Catalog page, click Show Advanced, then define these options:

In this section... / In this category... / Configure...

Client Interface Mode

• Full access — Allows the managed Mac user to view or change all feature settings using the local Mac password credentials.

• Standard access — Allows the managed Mac users to run software updates, and to run scheduled scans.

• Lock client interface — Prompts the user for the password set by the McAfee ePO administrator to start the client software console.

Uninstallation / Require a password to uninstall the client

• Password — Type a password.

• Confirm Password — Retype the password.

Self Protection / Enable Self Protection

Files and Folders — Protects the Endpoint Security for Mac software files from threats.

• Block and Report — Prevents the user from changing or deleting the software files. An event is sent to the McAfee ePO server.

• Block only — Prevents the user from changing or deleting the software files. No McAfee ePO events are generated for this activity.

• Report only — Allows the managed Mac user to delete or change the software files. An event is sent to the McAfee ePO server.

The default option is Block and Report.

Client logging / Debug Logging

Configure these logging preferences:

• Enable for Threat Prevention — Enables debug logging for Threat Prevention. You can find the logs at: /var/log/system.log and /var/log/McAfeeSecurity.log.

You can identify and filter the Threat Prevention log by its name MFE–AV.

• Enable for Firewall — Enables debug logging for firewall. You can find the firewall logs at: /var/log/system.log. You can identify and filter the firewall log by its name MFE–FW.

• Enable for Web Control — Enables debug logging for Web Control. You can find the logs at: /var/log/McAfeeSecurity.log

Default Client Update

Enable Default Update task schedule in the client — Enables or disables the update task on managed Mac.

5 Click Save.

6 In the System Tree, select the systems or groups.

7 In the right pane, click the Group Details tab, then click Wake Up Agents.

8 In Force policy update, select Force complete policy and task update, then click OK.
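
The debug log locations and module names listed for Client logging above, and in the standalone Debug logging section, can be used to separate each module's entries in the shared log files. The following is an added example, not part of the product guide or of McAfee's tooling; the function names and the sample log lines are constructed, and the layout of a real log line is an assumption.

```shell
#!/bin/sh
# Added example, not part of the product guide: split Endpoint Security debug
# logging by module, using the log paths and module names the guide lists.

MFE_SYSTEM_LOG=/var/log/system.log             # Threat Prevention, Firewall
MFE_SECURITY_LOG=/var/log/McAfeeSecurity.log   # Threat Prevention, Web Control

# mfe_filter MODULE [FILE...]
# Print the lines tagged for MODULE (AV, FW or WC). The guide prints the names
# with an underscore (MFE_FW) and with a dash (MFE–AV), so "_", "-" and "–"
# are all accepted. LC_ALL=C makes the match byte-wise and locale-independent.
mfe_filter() {
    mfe_mod=${1:-}
    [ $# -gt 0 ] && shift
    case $mfe_mod in
        AV|FW|WC) ;;
        *) echo "unknown module: $mfe_mod (use AV, FW or WC)" >&2; return 2 ;;
    esac
    [ $# -gt 0 ] || set -- "$MFE_SYSTEM_LOG" "$MFE_SECURITY_LOG"
    # -h: no file name prefix, -s: stay quiet about logs that do not exist
    LC_ALL=C grep -hsE "MFE(_|-|–)$mfe_mod" "$@"
}

# mfe_summary [FILE...]
# Print "<file> <module> <count>" for every readable log and every module, so
# a module with debug logging enabled but no entries shows up as a zero.
mfe_summary() {
    [ $# -gt 0 ] || set -- "$MFE_SYSTEM_LOG" "$MFE_SECURITY_LOG"
    for mfe_f in "$@"; do
        [ -r "$mfe_f" ] || { echo "skipping unreadable log: $mfe_f" >&2; continue; }
        LC_ALL=C awk -v file="$mfe_f" '
            match($0, /MFE(_|-|–)(AV|FW|WC)/) {
                # the last two bytes of the match are the module code
                n[substr($0, RSTART + RLENGTH - 2, 2)]++
            }
            END {
                split("AV FW WC", mods, " ")
                for (i = 1; i <= 3; i++)
                    printf "%s %s %d\n", file, mods[i], n[mods[i]]
            }' "$mfe_f"
    done
    return 0
}

# mfe_write_sample DIR
# Write constructed sample logs into DIR. The line layout is an assumption;
# only the paths and the MFE module names come from the guide.
mfe_write_sample() {
    cat > "$1/system.log" <<'EOF'
Mar  3 10:15:01 mac01 example[311]: MFE–AV on-access scan debug (constructed line)
Mar  3 10:15:02 mac01 example[312]: MFE_FW rule evaluation debug (constructed line)
Mar  3 10:15:03 mac01 kernel[0]: unrelated system message (constructed line)
Mar  3 10:15:04 mac01 example[312]: MFE–FW connection debug (constructed line)
EOF
    cat > "$1/McAfeeSecurity.log" <<'EOF'
Mar  3 10:15:05 mac01 example[313]: MFE_WC site rating debug (constructed line)
Mar  3 10:15:06 mac01 example[311]: MFE-AV on-demand scan debug (constructed line)
Mar  3 10:15:07 mac01 example[313]: MFE_WC browser event debug (constructed line)
EOF
}

# Run the summary over the constructed sample so the script works offline.
mfe_demo() {
    mfe_dir=$(mktemp -d) || return 1
    mfe_write_sample "$mfe_dir"
    mfe_summary "$mfe_dir/system.log" "$mfe_dir/McAfeeSecurity.log"
    rm -rf "$mfe_dir"
}

mfe_demo
```

On a managed Mac, calling mfe_summary or mfe_filter without file arguments reads the two log paths named in the guide; reading them may require administrator rights.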

Threat Prevention policy

Threat Prevention checks for malware and other threats by scanning items on your managed Mac systems.

Use Endpoint Security Threat Prevention policy to configure scanning settings for your managed Mac.

Product / Category / Available options

Endpoint Security Threat Prevention / On-Access Scan

• Enable or disable on-access scanning on managed Mac.

• Specify time limit to scan each file.

• Specify when to scan files.

• Scan specific types of files.

• Define actions for detected items and unwanted programs.

• Exclude files and directories.

Endpoint Security Threat Prevention / On-Demand Scan

• Run full scan and quick scan on managed Mac.

• Scan specific directories and their subdirectories.

• Scan specific types of files.

• Define actions for detected items and unwanted programs.

• Exclude files and directories from scanning.

For the list of features supported for Microsoft Windows and Macintosh operating systems, see McAfee KnowledgeBase article KB84410.

Configure On-Access Scan policy

Create an on-access policy to enable or disable on-access scan, define scanning time limit for each file, and to define exclusions.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select Endpoint Security Threat Prevention as the product, then select On-Access Scan as the category.

3 Click New Policy, type a name for the policy, then click OK.

4 Click the policy that you created, then click Show Advanced.

5 In the On-Access Scan section, define these settings.

In... Configure...

On-Access Scan

• Enable On-Access Scan — Enables or disables on-access scanning on managed Mac.

• Specify maximum number of seconds for each file scan — Specify the scan timeout value to scan each item. If you unselect this option, the value is set to 45 seconds.

McAfee GTI

• Enable McAfee GTI — Enables McAfee GTI, a heuristic network look up for suspicious files.

Select the Sensitivity level as required:

• Very low — The detections and risk of false positives are the same as with regular DAT content files. A detection is made available to Threat Prevention when McAfee Labs publishes it instead of waiting for the next DAT content file update.

• Low — This setting is the minimum recommendation for systems with a strong security footprint.

• Medium — Use this level when the regular risk of exposure to malware is greater than the risk of a false positive. McAfee Labs proprietary, heuristic checks result in detections that are likely to be malware. However, some detections might result in a false positive. With this setting, McAfee Labs checks that popular applications and operating system files don't result in a false positive.

• High — Use this setting for deployment to systems or areas which are regularly infected.

• Very high — Detections found with this level are presumed malicious, but haven't been fully tested to determine if they are false positives. McAfee recommends using this level for systems that require highest security.

Process Settings

Use Standard settings for all processes — Applies standard settings when performing on-access scanning.


In the Standard process type:

• In Specify when to scan:

• When writing to disk — Scans files when they are written to.

• When reading from disk — Scans all files when they are read.

• Let McAfee decide — Scans files when written to or read.

• On network drives — Scans files in mounted-network volumes.

• In File type to scan:

• All files — Scans files with any extension.

• Default and specified file types — Scans files with extensions defined in the software, and the extensions you specify. For the list of the default file types, see McAfee KnowledgeBase article KB 84411.

• Also scan for macros in all files — Scans macros in the files.

• Specified file types only — Scans only files with extensions that you specify, and optionally, files with no extension.

• In Specify what to scan:

• Compressed archive files — Scans the contents of compressed archive files.

Scanning compressed archive files requires additional time.

• Compressed MIME-encoded files — Scans Apple email messages.

• Detect unwanted programs — Enables the scanner to detect potentially unwanted programs.

In Actions | Threat detection first response:

• Deny access to files — Prevents users from accessing any files with potential threats.

• Delete files — Deletes files that contain malware.

• Clean files — Removes threats from the detected file.

You can also configure a secondary response using the If first response fails option, in case the primary response is unsuccessful.

In Unwanted program first response:

• Clean files — Removes the threat from the detected file.

• Delete files — Deletes the file that contains threats.

• Deny access to files — Prevents users from accessing files with potential threats.

• Allow access to files — Allows users to access the detected file.

You can also configure a secondary response using the If first response fails option, in case the primary response is unsuccessful.

In the Exclusions section, click:

• Add — To add files to the exclusion list.

• Edit — To edit the exclusion settings.

• Delete — To remove the selected item from the exclusion list.

• Clear All — To remove all items from the exclusion list.


Enable Overwrite exclusions configured on the client to overwrite the exclusions list created by the managed Mac user.

For more information about configuring exclusions, see Exclude files or directories from scanning.

6 Click Save.

Configure On-Demand Scan policy (Full Scan)

Configure On-Demand Full Scan policy settings for your managed Mac.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 From the Policy Catalog, select Endpoint Security Threat Prevention as the product, then select On-Demand Scan as the category.

3 Click New Policy, type a name for the policy, then click OK.

4 Click the policy that you created, click the Full Scan tab, then define these settings.

In... Configure...

Full Scan

• Detect unwanted programs — Enables the scanner to detect potentially unwanted programs.

• Decode MIME encoded files — Scans Apple mail messages.

• Scan inside archives — Scans the contents of compressed archive files.

Scanning compressed archive files requires additional time.

• Find unknown program threats — Detects files that contain code resembling malware.

• Find unknown macro threats — Detects unknown macro threats.

Scan Locations

• Scan subfolders — Examines all subfolders in the specified volumes when any of these options are selected.

• Home folder

• Temp folder

• User profile folder

• File or folder

• All local drives

• All fixed drives

• All removable drives

• All mapped drives

You can add locations by clicking . Click to remove the locations from scanning.


File Types to Scan

• All files — Scans all files regardless of extension.

McAfee strongly recommends that you enable All files to make sure that no malware threat resides in your managed Mac systems.

• Default and specified file types — Scans files with extensions defined in the software and extensions you specify. For the list of the default file types, see McAfee KnowledgeBase article KB 84411.

Also scan for macros in all files — Enables scanning for macros in all files.

• Specified file types only — Scans only files with extensions that you specify. Select Include files with no extension to scan files that have no extension.

McAfee GTI

• Enable McAfee GTI — Enables McAfee GTI, a heuristic network look up for suspicious files.

Select the Sensitivity level as required:

• Very low — The detections and risk of false positives are the same as with regular DAT content files. A detection is made available to Threat Prevention when McAfee Labs publishes it instead of waiting for the next DAT content file update.

• Low — This setting is the minimum recommendation for systems with a strong security footprint.

• Medium — Use this level when the regular risk of exposure to malware is greater than the risk of a false positive. McAfee Labs proprietary, heuristic checks result in detections that are likely to be malware. However, some detections might result in a false positive. With this setting, McAfee Labs checks that popular applications and operating system files don't result in a false positive.

• High — Use this setting for deployment to systems or areas which are regularly infected.

• Very high — Detections found with this level are presumed malicious, but haven't been fully tested to determine if they are false positives. McAfee recommends using this level for systems that require highest security.

Exclusions

In the Exclusions section, click:

• Add — To add files to the exclusion list.

• Edit — To edit the exclusion settings.

• Delete — To remove the selected item from the exclusion list.

• Clear All — To remove all items from the exclusion list.

For more information about configuring exclusions, see Exclude files or directories from scanning.


Actions

In Threat detection first response:

• Continue scanning — Continues scanning files when a threat is detected. The scanner doesn't move items to the quarantine.

• Clean files — Removes the threat from the detected file.

• Delete files — Deletes the file that contains malware.

You can also configure a secondary response using the If first response fails option, in case the primary response is unsuccessful.

In Unwanted program first response:

• Continue scanning — Continues scanning files when a threat is detected. The scanner doesn't move items to the quarantine.

• Clean files — Removes the threat from the detected file.

• Delete files — Deletes the file that contains malware.

You can also configure a secondary response using the If first response fails option, in case the primary response is unsuccessful.

Scheduled Scan Options

• Scan only when the system is idle — Runs the scan only when the system is idle. The system is considered idle when there is no keyboard or mouse activity for 5 minutes.

The User can resume paused scans option is not supported for Mac systems.

• Scan anytime — Runs the scan even if the user is active and specifies options for the scan.

The User can defer scans, User can pause and cancel scans, and Do not scan when the system is in presentation mode options are not supported for Mac systems.

• Do not scan when the system is on battery power — Postpones the scan when the system is using battery power.

5 Click Save.

For scheduling the task, see the product guide for your version of McAfee ePO.

Endpoint Security for Mac does not support the Right-Click Scan option.

Configure an On-Demand Scan policy (Quick Scan)

Configure On-Demand Quick Scan policy settings for your managed Mac.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select Endpoint Security Threat Prevention as the product, then select On-Demand Scan as the category.

3 Click New Policy, type a name for the policy, then click OK.

4 Click the policy that you created, click the Quick Scan tab, then define these settings.


In... Configure...

Quick Scan

• Detect unwanted programs — Enables the scanner to detect potentially unwanted programs.

• Decode MIME encoded files — Scans Apple mail messages.

• Scan inside archives — Scans the contents of compressed archive files.

Scanning compressed archive files requires additional time.

• Find unknown program threats — Detects files that contain code resembling malware.

• Find unknown macro threats — Detects unknown macro threats.

Scan Locations

• Scan subfolders — Examines all subfolders in the specified volumes when any of these options are selected.

• Home folder

• Temp folder

• File or folder

• All removable drives

Select the directory from the Specify locations drop-down list. You can add directories by clicking . Click to remove the directory from scanning.

File Types to Scan

• All files — Scans all files regardless of extension.

Best Practice: Enable All files to make sure that no malware threat resides in your managed Mac.

• Default and specified file types — Scans files with extensions defined in the software and extensions you specify. For the list of the default and specified file types, see McAfee KnowledgeBase article KB 84411.

Also scan for macros in all files — Enables scanning for macros in all files.

• Specified file types only — Scans only files with extensions that you specify. Select Include files with no extension to scan files that have no extension.

McAfee GTI

• Enable McAfee GTI — Enables McAfee GTI, a heuristic network check for suspicious files.

Exclusions

In the Exclusions section, click:

• Add — To add files to the exclusion list.

• Edit — To edit the exclusion settings.

• Delete — To remove the selected item from the exclusion list.

• Clear All — To remove all items from the exclusion list.

For more information on configuring exclusions, see Exclude files or directories from scanning.


Actions

In Threat detection first response:

• Continue scanning — Continues scanning files when a threat is detected. The scanner doesn't move items to the quarantine.

• Clean files — Removes the threat from the detected file.

• Delete files — Deletes the file that contains malware.

You can also configure a secondary response using the If first response fails option, in case the primary response is unsuccessful.

In Unwanted program first response:

• Continue scanning — Continues scanning files when a threat is detected. The scanner doesn't move items to the quarantine.

• Clean files — Removes the threat from the detected file.

• Delete files — Deletes the file that contains malware.

You can also configure a secondary response using the If first response fails option, in case the primary response is unsuccessful.

Scheduled Scan Options

• Scan only when the system is idle — Runs the scan only when the system is idle.

The User can resume paused scans option is not supported for Mac.

• Scan anytime — Runs the scan even if the user is active and specifies options for the scan.

The User can defer scans, User can pause and cancel scans, and Do not scan when the system is in presentation mode options are not supported for Mac.

• Do not scan when the system is on battery power — Postpones the scan when the system is using battery power.

5 Click Save.

For scheduling the task, see the product guide of your version of McAfee ePO.

Endpoint Security for Mac does not support the Right-Click Scan option.

Exclude files or directories from scanning

Exclude files or directories from on-access scanning and on-demand scanning.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 From the Policy Catalog, select Endpoint Security Threat Prevention as the product, then select On-Access Scan or On-Demand Scan as required.

3 Click the policy, then click Show Advanced.

If you haven't created a policy, click New Policy, type a name for the policy, then click OK.

4 In the Exclusion area under Process Settings, click Add and define these settings as required, then click Save.


In... Configure...

What to exclude

• Pattern (can include wildcards * or ?) — Specifies the file pattern to exclude. For example, to exclude all files in the desktop from scanning, specify the path as /Users/user/Desktop/*

• Also exclude subfolders — Excludes files and directories from the specified location.

• File type (can include wildcard ?) — Excludes files that have the extension.

• File Age — Excludes files based on their age in terms of creation date and modified date.

• Modified — Excludes files that were edited earlier than the number of days specified in the Minimum age in days field.

• Created — Excludes files that were created earlier than the number of days specified in the Minimum age in days field.

• Accessed — Excludes files that were accessed earlier than the number of days specified in the Minimum age in days field.

The Accessed option is applicable for On-Demand Scan policies only.

Select the option Overwrite exclusions configured on the client to overwrite the client exclusion list.

You can apply this option for On-Access Scan policies only.

When to exclude

• On read — Excludes from scanning when the file is accessed.

• On write — Excludes from scanning when the file is changed.

These two options are applicable for On-Access Scan policies only.
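To review what an exclusion list leaves unscanned before enforcing it, the settings above can be modelled and run against sample file accesses. This is an added example, not McAfee code: the matching semantics (wildcards stay inside one path component, each exclusion is of one kind, the first matching exclusion wins) are assumptions, and every path except /Users/user/Desktop/* is constructed.

```python
import re
from dataclasses import dataclass
from posixpath import basename, dirname, splitext

DAY = 86400  # seconds per day


def glob_re(pattern):
    """Translate * and ? into a regex that stays inside one path component (assumed)."""
    parts = ("[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c)
             for c in pattern)
    return re.compile("".join(parts) + r"\Z")


@dataclass
class Exclusion:
    kind: str                 # "pattern", "file_type" or "file_age"
    value: str                # path pattern, extension, or timestamp name
    subfolders: bool = False  # "Also exclude subfolders"
    min_age_days: int = 0     # "Minimum age in days"
    on_read: bool = True      # "When to exclude" (On-Access Scan only)
    on_write: bool = True


@dataclass
class Access:
    path: str
    op: str                   # "read" or "write"
    times: dict               # epoch seconds: modified, created, accessed


def parent_dirs(path, recursive):
    """Yield the file's directory, plus every ancestor when recursive."""
    d = dirname(path)
    yield d
    while recursive and d not in ("/", ""):
        d = dirname(d)
        yield d


def excluded_by(exc, acc, now, on_access):
    """True when this exclusion keeps the access from being scanned."""
    if on_access and not (exc.on_read if acc.op == "read" else exc.on_write):
        return False
    if exc.kind == "pattern":
        folder = glob_re(dirname(exc.value))
        name = glob_re(basename(exc.value) or "*")
        return bool(name.match(basename(acc.path))) and any(
            folder.match(d) for d in parent_dirs(acc.path, exc.subfolders))
    if exc.kind == "file_type":
        ext = splitext(basename(acc.path))[1].lstrip(".")
        return bool(glob_re(exc.value).match(ext))
    if exc.kind == "file_age":
        if on_access and exc.value == "accessed":
            return False      # per the page: Accessed is On-Demand Scan only
        return now - acc.times[exc.value] >= exc.min_age_days * DAY
    raise ValueError(f"unknown exclusion kind: {exc.kind}")


def skipped(accesses, exclusions, now, on_access=True):
    """Return (path, op, index of first matching exclusion) per unscanned access."""
    report = []
    for acc in accesses:
        for i, exc in enumerate(exclusions):
            if excluded_by(exc, acc, now, on_access):
                report.append((acc.path, acc.op, i))
                break
    return report


NOW = 1_700_000_000  # constructed reference time


def stamps(days_old):
    t = NOW - days_old * DAY
    return {"modified": t, "created": t, "accessed": t}


# Constructed sample policy and accesses.
EXCLUSIONS = [
    Exclusion("pattern", "/Users/user/Desktop/*"),            # the page's example
    Exclusion("pattern", "/Library/Caches/build/*", subfolders=True, on_write=False),
    Exclusion("file_type", "lo?"),
    Exclusion("file_age", "modified", min_age_days=30),
]
ACCESSES = [
    Access("/Users/user/Desktop/a.dmg", "read", stamps(0)),
    Access("/Users/user/Desktop/tools/b.dmg", "read", stamps(0)),  # nested: still scanned
    Access("/Library/Caches/build/x/y/out.o", "read", stamps(0)),
    Access("/Library/Caches/build/x/y/out.o", "write", stamps(0)),  # writes still scanned
    Access("/var/log/app.log", "write", stamps(0)),
    Access("/Users/user/Documents/old.pkg", "read", stamps(90)),
    Access("/Users/user/Documents/new.pkg", "read", stamps(1)),
]

if __name__ == "__main__":
    for row in skipped(ACCESSES, EXCLUSIONS, NOW):
        print(row)
```

The report shows that the Desktop pattern without Also exclude subfolders leaves nested folders scanned, while the file type and file age entries skip files anywhere on disk.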

Schedule a full or quick scan on managed Mac

Schedule an on-demand scan to detect malware threats in the managed Mac.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Click Menu | Systems | System Tree, then select a group or systems.

3 Click the Assigned Client Tasks tab, then click Actions | New Client Task Assignment.

a For Product, select Endpoint Security Threat Prevention.

b For Task Type, select Policy Based On-Demand Scan, then select the task from the Task Name list.

4 Click Next.

5 Define these parameters, then click Next.

• Schedule status

• Schedule type

• Effective period

• Start time

• Task runs according to

• Options

6 In the Summary page, click Save.


7 In the System Tree, select the systems or groups where you assigned the task.

8 In the right pane, click the Group Details tab, then click Wake Up Agents.

9 In Force policy update, select Force complete policy and task update, then click OK.

Schedule a custom on-demand scan

Schedule a custom on-demand scan for managed Mac.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Click Menu | Client Task Catalog.

3 In Client Task Types, expand Endpoint Security Threat Prevention, select Custom On-Demand Scan, then click New Task.

4 Select Custom On-Demand Scan from the Task Type drop-down list.

5 Define these settings, then click Save.

• Name

• Description

• Scan Options

• Scan Locations

• File Types to Scan

• McAfee GTI

• Exclusions

• Actions

• Scheduled scan options

6 On the Client Task Catalog page, select the custom scan that you created, click Assign, select a group to assign the task, then click OK.

7 On the Select Task page, define the settings, then click Next.

8 On the Schedule page, define the settings, then click Next.

9 On the Summary page, review the settings, then click Save.

Schedule the DAT update

Schedule an update to keep the content files and engine up to date.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Click Menu | Systems | System Tree, then select a group or systems.

3 On the Assigned Client Tasks tab, click Actions, then select New Client Task Assignment.

a For product, select McAfee Agent.

b For Task Type, select Product Update.

c Click Create New Task to open the Client Task Catalog.


d Type a name for the task, select Mac Engine and DAT in Signatures and engines from Package types, then click Save. The task is listed under Task Name.

e Select the task, then click Next.

4 On the Schedule page, define the schedule for the task.

a In the System Tree, select the systems or groups where you want to assign the task.

b Set these values, then click Next.

• Schedule status

• Schedule type

• Effective period

• Start time

• Task runs according to

• Options

5 On the Summary page, click Save.

6 In the right pane, select Group Details, then click Wake Up Agents.

7 In Force policy update, select Force complete policy and task update, then click OK.

Firewall policy

Define firewall policies and rules and enforce them on a managed Mac to control incoming and outgoing network traffic.

McAfee Endpoint Security for Mac uses the McAfee Endpoint Security Firewall extension to manage the Mac.

This table lists the policies that you can create under each product category.

Because Firewall uses McAfee Endpoint Security Firewall extensions as common extensions, the features specific to McAfee Endpoint Security are marked as Windows only.

Use Endpoint Security Firewall policy to create and enforce firewall rules and rule groups, to block access to domains, and to create location-specific rules for your managed Mac systems.

Product Category Available options

Endpoint Security Firewall

Options

• Enable or disable Firewall protection for managed Mac.

• Enable or disable Adaptive mode on client Mac.

• Retain existing Adaptive mode client rules when enforcing the Firewall policy.

• Define maximum time limit to establish TCP, UDP, and ICMP connections.

• Define networks.

Rules

• Create firewall rules.

• Create rule groups.

• Add rules from catalog.

• Add group from catalog.

• Configure location awareness settings.

For the list of features supported for Microsoft Windows and Macintosh operating systems, see McAfee KnowledgeBase article KB84410.


Configure a firewall rules policy

Create Firewall rules and enforce them on managed Mac.

Use the Firewall Rules policy to:

• Create firewall rules.

• Create rule groups.

• Add rules from catalog.

• Define the network protocols.

• Define the transport protocols.

• Configure location awareness settings.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select Endpoint Security Firewall as the product, then select Rules as the category.

3 Click New Policy, type a name for the policy, then click OK.

4 On the Policy Catalog page, click the policy that you created, then define these settings.

5 Click Advanced to view all options.

6 On the Firewall Rules page, configure these options, then click Save.

• Move Up — Move the selected rule one row up.

If the item previous to the selected rule is a rule group, make sure that the rule group is not expanded. Otherwise, the rule is added to the rule group.

• Move Down — Move the selected rule one row down.

If the item after the selected rule is a rule group, make sure that the rule group is not expanded. Otherwise, the rule is added to the rule group.

• Duplicate — Copy the rule settings under a new name in the Firewall rules list.

• Delete — Delete the selected rule from Firewall rules list.

• Add Rule — Add a rule to the Firewall rules list.

For more information, see Create a Firewall rule.

• Add Group — Add a rule group to the Firewall rules list.

For more information, see Create a rule group and move rules to the group.

• Add Rule from Catalog — Add rule from the catalog.

• Add Group from Catalog — Add rule group from the catalog.

• Export — Export the rules as a .xml file. You can select multiple rules by using the Ctrl key.

Create a firewall rule

Create a firewall rule for managed Mac.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select Endpoint Security Firewall as the product, then select Rules as the category.

3 Click New Policy, type a name for the policy, then click OK.

4 On the Policy Catalog page, click the policy that you created, then define these settings:

5 Click Add Rule to create a Firewall rule, define these settings, then click Save.

In this category... In this section... Configure these options...

Description Name Type a name of the policy.

Status Select Enable rule to enable the Firewall rules on managed Mac.

Actions Allow — Allows the network traffic through the firewall.

Block — Blocks the network traffic.

Treat match as intrusion — Treats traffic that matches the rule as an attack and generates an event that is sent to the McAfee ePO server.

Log matching traffic — Logs a record of matching traffic in the system log in client Mac.

Direction Either — Matches incoming and outgoing traffic.

In — Matches incoming traffic.

Out — Matches outgoing traffic.

Notes You can store additional information.

Networks Network Protocol IP protocol — Supports only IPv4 protocol.

Any protocol — Supports only IPv4 protocol.

Connection types Wired

Wireless

Virtual

Specify networks Add Local — Adds local networks.

Add Remote — Adds remote networks.

Add from Catalog (Local) — Adds local networks from the catalog.

Add from Catalog (Remote) — Adds remote networks from the catalog.

Transport Transport protocol ICMP — Matches ICMP protocol.

TCP — Matches TCP protocol.

UDP — Matches UDP protocol.

All protocol — Matches ICMP, TCP, or UDP protocol.

Create a firewall rule group

Create rule groups and add related rules to the group for better management.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select Endpoint Security Firewall as the product, then select Rules as the category.

3 Click Add Group to create a Firewall group, define these settings, then click Save.

In this category... In this section... Configure these options...

Description Name Type a name of the group.

Status Select Enable group to enable the rule group on managed Mac.

Direction • Either — Matches incoming and outgoing traffic.

• In — Matches incoming traffic.

• Out — Matches outgoing traffic.

Notes You can store additional information.

Location awareness Enable location awareness

Enable or disable location information of the group. For more information, see Configure location awareness options.

Require the ePolicy Orchestrator be reachable

Enables the group to match only if there is communication with the McAfee ePO server and the FQDN of the server is resolved.

Location criteria Define criteria for Firewall to identify network location.

Networks Network Protocol • Any protocol — Supports only IPv4 protocol.

• IP protocol — Supports only IPv4 protocol.

Connection types • Wired

• Wireless

• Virtual

Specify networks • Add Local — Adds local networks.

• Add Remote — Adds remote networks.

• Add from Catalog (Local) — Adds local networks from the catalog.

• Add from Catalog (Remote) — Adds remote networks from the catalog.

Transport Transport protocol • ICMP — Matches ICMP protocol.

• TCP — Matches TCP protocol.

• UDP — Matches UDP protocol.

• All protocol — Matches ICMP, TCP, or UDP protocol.

4 Verify the configuration details, then click Save.

Add rules to a rule group

Create a rule group and add rules to the group for easier management of rules.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select Endpoint Security Firewall as the product, then select Rules as the category.

3 Click New Policy, type a name for the policy, then click OK.

4 On the Policy Catalog page, click the policy that you created.

5 In the Firewall Rules page, click Add Group, define these settings, then click Save.

• Description

• Location

• Network

• Transport

6 Verify the configuration details, then click Save. The rule group appears on the Firewall Rules page.

7 Select the rule group, then click to expand the rule group.

8 Select the rule that you want to move to the rule group, then click Move Up or Move Down according to the rule's position relative to the rule group, until the rule is moved into the rule group.

• Click Move Up if the rule appears after the rule group.

• Click Move Down if the rule appears before the rule group.

Always expand the rule group before moving rules into the group. Otherwise, the rules are not placed inside the rule group.

Configure a Firewall Options policy

Configure the Firewall Options policy and enforce it on managed Mac.

You can define these settings in the Firewall Options policy.

• Enable or disable Firewall protection on managed Mac.

• Enable or disable Adaptive mode on managed Mac.

• Retain existing client rules when enforcing the Firewall policy.

• Define the maximum time limit before TCP, UDP, and ICMP connections time out.

• Define networks.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select Endpoint Security Firewall as the product, then select Options as the category.

3 Click New Policy, type a name for the policy, then click OK.

4 On the Policy Catalog page, click the policy that you created, then define these settings.


In... Configure...

Firewall Enable Firewall — Enables or disables Firewall protection on managed Mac.

Tuning Options

• Enable Adaptive mode (create rules on the clients automatically) — Enables Adaptive mode on managed Mac.

• Retain existing user added rules and Adaptive mode rules when this policy is enforced — Retains rules created locally on the managed Mac and the Adaptive mode rules.

Stateful Firewall

• No. of seconds (1-240) before TCP connections time out

• No. of seconds (1-240) before UDP and ICMP echo virtual connections time out

The default value is 30 seconds.

• Use FTP Protocol Inspection — Creates dynamic rules for FTP data connections by actively monitoring the FTP commands on the control channel.

DNS Blocking

Domain Name — Specify domain names. For more information, see Configure DNS Blocking.

Defined Networks

In Add Defined Networks:

• Single IP

• Subnet

• Local Subnet

• Range

• Fully qualified domain name

• Any local IP address

• Any IPV4 Address

Select the option from the Trusted drop-down list.

• Yes — The network is trusted automatically.

• No — The network is not trusted automatically. The network is allowed or blocked according to the rule settings.

5 Click Save.

Configure location awareness options

A location awareness policy enables administrators to enforce rules based on the network to which the Mac is connected.

A location awareness policy contains a set of defined rules. When a network packet matches certain criteria in the group definitions, such as ePO reachability or DNS server address, the group becomes active. When the location awareness group is active, the rules in the group are also considered for matching.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select Endpoint Security Firewall as the product, then select Rules as the category.

3 Click the policy for which you want to configure location awareness settings.

To create a new policy, click New Policy, type a name for the policy, then click OK to open the policy page.

4 Click Add Group to add a group.


5 Type a name for the Group, select Enable group, then select Direction options.

6 Select Enable Location Awareness.

7 On the Location section, define these parameters, then click Next.

• Name — Type a name for the policy.

• Require that ePolicy Orchestrator be reachable — Enable the group to match only if there is communication with the McAfee ePO server and the FQDN of the server is resolved.

• Location criteria

• Connection-specific DNS suffix — Specify a connection-specific DNS suffix in the format: domain.com.

• Default gateway — Specify a single IP address for a default gateway in IPv4 format.

• DHCP server — Specify a single IP address for a DHCP server in IPv4 format.

• DNS server — Specify a single IP address for a domain name server in IPv4 format.

• Primary WINS — Specify a single IP address for a primary WINS server in IPv4 format.

• Secondary WINS — Specify a single IP address for a secondary WINS server in IPv4 format.

• Domain reachability (HTTPS) — Specify a domain name.

You can use the Add from Catalog option to add settings from the catalog.
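The effect of a location-aware group on the rules a packet is checked against can be worked through with a small model. This is an added example, not the product's engine: first-match-wins ordering, the requirement that all listed criteria match, and every name, address and rule below are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Location:
    """What the Mac currently observes about its network."""
    dns_suffix: str
    default_gateway: str
    dhcp_server: str
    dns_server: str
    epo_reachable: bool


@dataclass
class Packet:
    direction: str            # "in" or "out"
    transport: str            # "tcp", "udp" or "icmp"
    remote_ip: str            # IPv4 only, as the page states


@dataclass
class Rule:
    name: str
    action: str               # "allow" or "block"
    direction: str = "either"
    transport: str = "all"
    remote: str = "0.0.0.0/0"
    enabled: bool = True

    def matches(self, pkt):
        return (self.enabled
                and self.direction in ("either", pkt.direction)
                and self.transport in ("all", pkt.transport)
                and IPv4Address(pkt.remote_ip) in IPv4Network(self.remote))


@dataclass
class Group:
    name: str
    rules: list
    enabled: bool = True
    direction: str = "either"
    location_aware: bool = False
    require_epo: bool = False
    criteria: dict = field(default_factory=dict)  # Location field -> required value

    def active(self, loc):
        if not self.enabled:
            return False
        if not self.location_aware:
            return True
        if self.require_epo and not loc.epo_reachable:
            return False
        # Assumption: every configured criterion must match.
        return all(getattr(loc, k) == v for k, v in self.criteria.items())


def decide(policy, pkt, loc):
    """Walk the policy top to bottom; return (action, matching rule name)."""
    for item in policy:
        if isinstance(item, Rule):
            if item.matches(pkt):
                return (item.action, item.name)
        elif item.active(loc) and item.direction in ("either", pkt.direction):
            for rule in item.rules:
                if rule.matches(pkt):
                    return (rule.action, f"{item.name}/{rule.name}")
    return ("no match", None)


# Constructed policy: the group sits above the general rules.
POLICY = [
    Group("Office network",
          rules=[Rule("Allow internal file server", "allow", "out", "tcp",
                      "10.0.5.0/24")],
          location_aware=True, require_epo=True,
          criteria={"dns_suffix": "corp.example", "default_gateway": "10.0.0.1"}),
    Rule("Block outbound to internal ranges", "block", "out", "all", "10.0.0.0/8"),
    Rule("Allow outbound web", "allow", "out", "tcp"),
]

# Constructed network states.
OFFICE = Location("corp.example", "10.0.0.1", "10.0.0.2", "10.0.0.3", True)
CAFE = Location("guest.example", "192.168.1.1", "192.168.1.1", "192.168.1.1", False)
# Same suffix and gateway values as the office, but the ePO server is unreachable.
LOOKALIKE = Location("corp.example", "10.0.0.1", "10.0.0.2", "10.0.0.3", False)

if __name__ == "__main__":
    pkt = Packet("out", "tcp", "10.0.5.20")
    for label, loc in (("office", OFFICE), ("cafe", CAFE), ("lookalike", LOOKALIKE)):
        print(label, decide(POLICY, pkt, loc))
```

In this model the same outbound packet is allowed only in the office location; with Require that ePolicy Orchestrator be reachable selected, a network that merely shares the suffix and gateway values does not activate the group.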

Configure DNS blocking options

Configure DNS settings to block access to unwanted domains.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select Endpoint Security Firewall as the product, then select Options as the category.

3 Click New Policy, type a name for the policy, then click OK to open the policy page.

To configure the DNS settings for a policy that you have already created, click the policy.

4 In the DNS Blocking section, click Add, type the domain name, then click Save.

• Add — To add domains to the list.

• Edit — To edit the domain in the list.

• Delete — To remove the selected item from the list.

• Clear All — To remove all items from the list.

You can use wildcards ? and * to define domains.


Web Control policy

Use the Web Control policy to protect your managed Mac from browser-based threats.

Web Control is a browser-based threat prevention solution that you can deploy and manage from McAfee ePO or McAfee ePO Cloud.

When enabled, the software monitors each site that you access or browse, verifies its safety ratings, and allows or blocks navigation to the site according to the configuration. You can also block access to sites based on the content of the site.

Use Endpoint Security Web Control policies to configure protection settings for your managed Mac.

Product: Endpoint Security Web Control

Category: Block and Allow List

• Define sites in the Block and Allow List.

Category: Content Actions

• Enable or disable web category blocking.

• Configure rating actions for sites.

Category: Options

• Enable or disable Web Control on managed Mac systems.

• Log web categories for green-rated sites.

• Log events for allowed sites configured in the Block and Allow List.

• Actions for sites that are unverified by McAfee GTI.

• Block access to phishing pages for all sites.

For the list of features supported for Microsoft Windows and Macintosh operating systems, see McAfee KnowledgeBase article KB84410.

Enable or disable Web Control

Use the Web Control Options policy to enable or disable Web Control on managed Mac systems.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog page, select Endpoint Security Web Control as the product, then select Options as the category.

3 Select Enable Web Control.

Configure site rating actions

Configure permission for sites based on their reputation rating.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog page, select Endpoint Security Web Control as the product, then Content Actions as the category.


3 Click New Policy, type a name for the policy, then click OK.

To edit the existing policy, click the name of the policy.

4 In Rating Actions, define Rating actions for sites, then click Save.

For more information about site rating and its descriptions, see Color-coded buttons.

Web Control does not scan files that are downloaded from allowed sites. However, if you installed the Threat Prevention module and enabled on-access scanning, files are scanned for threats.

Configuring actions for unverified sites

Configure actions for sites that are not verified by McAfee GTI, or sites blocked by default when McAfee GTI is not reachable.

You can configure these settings in the Web Control Options policy. For more information, see Configure Web Control Options policy.

Define Block and Allow List

Configure Block and Allow List policy settings to define access to sites based on the domain or URL.

Before you begin

You must have enabled Web Control in the Options policy.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog page, select Endpoint Security Web Control as the product, then select Block and Allow List as the category.

3 Click New Policy.

4 On the Create a New Policy dialog box, type a name and description for the policy.

5 On the Policy Catalog page, click the policy that you created.

6 Click Show Advanced.

7 On the Block and Allow List tab, define these settings:

• Add — Add sites to the Block and Allow List. You can enter URLs or partial URLs (site patterns) of at least three characters. For multiple sites, enter a comma-separated list or enter each site on a separate line.

• Delete — Delete sites from the Block and Allow List.

• Edit — Change information (URL, site pattern, or comment) for a site.

• Search — Search the Block and Allow List. This feature is useful for finding sites in large lists.


• Test Pattern — Test whether specific sites match the patterns in the Block and Allow List.

• Enable allowed sites to take precedence over blocked sites — By default, when a site is set to both Allow and Block, the block action takes precedence and the site is blocked. Select this option to override the default behavior and make sure that users can access allowed sites, even if they are also blocked.

When selecting this option, make sure that allowed sites are safe so that client systems remain protected from web-based threats.

8 Click Save.
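
The precedence rule from step 7, as an added example that is not part of the product guide or McAfee code: a small Python model that lists which sites change from blocked to allowed when Enable allowed sites to take precedence over blocked sites is selected. Substring matching, the function names and the sample sites are assumptions; confirm the real matching behaviour with Test Pattern.

```python
import re

MIN_PATTERN_LEN = 3  # the guide requires site patterns of at least three characters


def parse_entries(text):
    """Split pasted input on commas and newlines, the two forms the Add option accepts."""
    entries = [e.strip().lower() for e in re.split(r"[,\n]", text) if e.strip()]
    short = [e for e in entries if len(e) < MIN_PATTERN_LEN]
    if short:
        raise ValueError(f"patterns shorter than {MIN_PATTERN_LEN} characters: {short}")
    return entries


def normalize(url):
    """Lower-case the URL and drop the scheme so patterns compare against host and path."""
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip().lower())


def matches(pattern, url):
    # ASSUMPTION: a site pattern is treated as a plain substring of host + path.
    return pattern in normalize(url)


def decide(url, allow, block, allow_wins=False):
    """Return 'allow', 'block', or 'not-listed' (left to the rating actions)."""
    on_allow = any(matches(p, url) for p in allow)
    on_block = any(matches(p, url) for p in block)
    if on_allow and on_block:
        # Default: block takes precedence. The option reverses that.
        return "allow" if allow_wins else "block"
    if on_block:
        return "block"
    if on_allow:
        return "allow"
    return "not-listed"


def flipped_by_precedence(urls, allow, block):
    """Sites that are blocked by default but become reachable once the option is set."""
    return [u for u in urls
            if decide(u, allow, block, False) == "block"
            and decide(u, allow, block, True) == "allow"]


# Constructed sample lists and URLs (not from the guide).
ALLOW = parse_entries("example.com/downloads, intranet.example.net")
BLOCK = parse_entries("example.com\nads.example.org")
URLS = [
    "https://example.com/downloads/tool.dmg",
    "http://example.com/forum",
    "https://intranet.example.net/wiki",
    "https://news.example.org/",
]

if __name__ == "__main__":
    for u in URLS:
        print(u, decide(u, ALLOW, BLOCK), decide(u, ALLOW, BLOCK, allow_wins=True))
    print("review before enabling the option:", flipped_by_precedence(URLS, ALLOW, BLOCK))
```

The sites returned by `flipped_by_precedence` are the ones to review for safety before selecting the option.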

Configure browser events

Use Options policy settings to configure Web Control events sent from a managed Mac to the McAfee ePO database.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog page, select Endpoint Security Web Control as the product, then select Options as the category.

3 Click New Policy, type a name for the policy, then click OK.

To edit the existing policy, click the name of the policy.

4 Configure these settings in the Client Logging section as needed.

• Log web categories for green rated sites

• Log events for allowed sites configured in the Block and Allow List

5 Click Save.

Events are always generated for red or yellow-rated sites.

Configure Web Control Options policy

Configure the Web Control Options policy to enable or disable the web protection, configure logging preferences, and enforce actions for specific scenarios.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog page, select Endpoint Security Web Control as the product, then select Options as the category.

3 Click New Policy, type a name for the policy, then click OK.

4 On the Policy Catalog page, click the policy that you created, then define these settings.


In Web Control, configure:

Enable Web Control — Enables or disables Web Control on managed Mac systems.

In Event Logging, configure:

• Log web categories for green rated sites — Logs content category details for the green-rated sites that you access.

• Log events for allowed sites configured in the Block and Allow List — Logs events for sites listed in the Block and Allow List with Allow permission.

In Action Enforcement, configure:

• Apply this action to sites not yet verified by McAfee GTI:

  • Allow — Allows access to unverified sites.

  • Block — Blocks access to unverified sites.

  • Warn — Displays a warning for unverified sites. You can select either Continue or Cancel for the navigation.

• Blocks site by default if McAfee GTI ratings server is not reachable — Blocks access to sites if McAfee GTI is not reachable for site rating.

• Blocks phishing pages for all sites (Includes Allowed sites and overrides content rating actions) — Blocks access to phishing sites even if the Block and Allow List allows access to the site and the content rating is enabled.

In Exclusions, configure:

Allow all IP addresses in the local network — Allows the IP addresses of the local network.

Specify IP addresses or ranges to exclude from Web Control rating or blocking — Excludes the IP addresses from Web Control rating and blocking.

Specify only a single IP address or an IP address range. The software doesn't support Classless Inter-Domain Routing (CIDR) IP address format.

5 Click Save.
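
Because the Exclusions setting accepts only single addresses or ranges and not CIDR notation, this added example (not from the product guide) converts IPv4 CIDR blocks into merged first-last ranges and reports how many addresses each entry exempts from Web Control rating and blocking. The "-" separator, the function names and the sample networks are assumptions; use the range format that the ePO console accepts.

```python
import ipaddress


def cidrs_to_ranges(cidrs):
    """Collapse IPv4 CIDR blocks into the shortest list of (first, last) address pairs.

    strict=True rejects input such as 10.0.0.5/24, where host bits are set,
    so a typo cannot silently widen or shift an exclusion.
    """
    spans = []
    for text in cidrs:
        net = ipaddress.IPv4Network(text.strip(), strict=True)
        spans.append((int(net.network_address), int(net.broadcast_address)))

    merged = []
    for first, last in sorted(spans):
        # Merge blocks that overlap or sit directly next to each other.
        if merged and first <= merged[-1][1] + 1:
            merged[-1][1] = max(merged[-1][1], last)
        else:
            merged.append([first, last])
    return [(ipaddress.IPv4Address(a), ipaddress.IPv4Address(b)) for a, b in merged]


def exclusion_entries(cidrs, sep="-"):
    """Return (entry_text, address_count) pairs ready for review and data entry.

    ASSUMPTION: ranges are written as first<sep>last; the guide does not state
    the delimiter.
    """
    entries = []
    for first, last in cidrs_to_ranges(cidrs):
        text = str(first) if first == last else f"{first}{sep}{last}"
        entries.append((text, int(last) - int(first) + 1))
    return entries


# Constructed sample input (not from the guide).
SAMPLE_CIDRS = ["10.1.0.0/24", "10.1.1.0/24", "10.1.0.128/25", "192.168.5.7/32"]

if __name__ == "__main__":
    for entry, count in exclusion_entries(SAMPLE_CIDRS):
        print(f"{entry}  ({count} addresses excluded from rating and blocking)")
```

The address count makes the scope of each exclusion visible, which helps keep the excluded space as small as the policy requires.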

Queries and reports

Run predefined queries to generate reports, or modify them to generate custom reports.

Queries for Threat Prevention

Here is the list of queries that you can view or customize for Threat Prevention.

Query | Displays
Endpoint Security Threat Prevention: Hotfixes Installed | The hotfixes installed for the software.
Endpoint Security Threat Prevention: On-Access Scan Compliance Status | This is the On-Access Scan compliance status.
Endpoint Security Threat Prevention: Duration of Completed Full Scans in the Last 7 Days | The duration of completed Full Scan in the last seven days.
Endpoint Security Threat Prevention: Systems Not Completed a Full Scan in the Last 7 Days | The number of systems that have not completed a Full Scan in the last seven days but within the last month.
Endpoint Security Threat Prevention: Systems Not Completed a Full Scan in the Last Month | The number of systems that have not completed a Full Scan in the last month.
Endpoint Security Threat Prevention: Duration of Completed Quick Scans in the Last 7 Days | The duration of completed Quick Scan in the last seven days.
Endpoint Security Threat Prevention: Detection Response Summary | The number of threats on which an action was taken (Clean, or Delete), versus the number of threats on which no action was taken, in the last three months.


Endpoint Security Threat Prevention: Threats Detected Over the Previous 2 Quarters | The threats detected in the previous two quarters. No cookies.
Endpoint Security Threat Prevention: Threat Count by Severity | Slice count is the number of events. Slices are the different event severities. All in the last three months.
Endpoint Security Threat Prevention: Top 10 Detected Threats | The top 10 detected items in the last three months.
Endpoint Security Threat Prevention: Top 10 Threat Sources | The top 10 computers which are the source for a threat in the last three months.
Endpoint Security Threat Prevention: Top 10 Computers with the Most Detections | The top 10 computers with the most detections in the last three months.
Endpoint Security Threat Prevention: Top 10 Threats Per Threat Category | The top 10 threats per threat category in the last three months, grouped by threat category then by threat name.
Endpoint Security Threat Prevention: Top 10 Users with the Most Detections | The top 10 users with the most detections in the last three months.
Endpoint Security Threat Prevention On-Access Scan McAfee GTI Sensitivity level | This report displays the McAfee GTI sensitivity level for On-Access Scans.
Endpoint Security Threat Prevention On-Demand Scan Full Scan GTI sensitivity level | This report displays the McAfee GTI sensitivity level for On-Demand Full Scans.
Endpoint Security Threat Prevention On-Demand Scan Quick Scan GTI sensitivity level | This report displays the McAfee GTI sensitivity level for On-Demand Quick Scans.

Queries for Firewall

Here is the list of queries that you can view or customize for Firewall.

Query | Displays
Endpoint Security Firewall : Intrusion events in the last 24 hours | The number of intrusion events in the last twenty-four hours.
Endpoint Security Firewall : Traffic Block events in the last 24 hours | The number of traffic blocked events in the last twenty-four hours.
Endpoint Security Firewall: Hotfixes Installed | The hotfixes installed for Endpoint Security software.
Endpoint Security Firewall Status | The Endpoint Security Firewall status.
Endpoint Security Firewall : Compliance Status | Whether the firewall status is enabled or disabled on managed Mac.
Endpoint Security Firewall : Count of Firewall Client Rules | The number of Firewall client rules created over time.
Endpoint Security Firewall : Client Rules By Protocol/System Name | Firewall client rules listed by protocol and system name.
Endpoint Security Firewall : Events in the last 24 hours | The number of Firewall events in the last twenty-four hours.

Queries for Web Control

Here is the list of queries that you can view or customize for Web Control.

Query | Displays
Endpoint Security Web Control: Visit Log | The detailed event log for site navigation log activity for the last thirty days.
Endpoint Security Web Control: Top 100 Blocked Red Sites | The top 100 red category sites that were blocked in the last thirty days.


Endpoint Security Web Control: Top 100 Blocked Sites | The top 100 blocked sites that were blocked in the last thirty days.
Endpoint Security Web Control: Top 100 Visited Red Sites | The top 100 red category sites visited in the last thirty days.
Endpoint Security Web Control: Top 100 Red Sites on Allow List | The top 100 red category sites allowed because of Allow or Block list policy in the last thirty days.
Endpoint Security Web Control: Top 100 Sites on Allow List | The top 100 sites allowed because of Allow or Block list policy in the last thirty days.
Endpoint Security Web Control: Top 100 Sites on Block List | The top 100 sites blocked because of Allow or Block list policy in the last thirty days.
Endpoint Security Web Control: Top 100 Visited Unrated Sites | The top 100 unrated sites visited in the last thirty days.
Endpoint Security Web Control: Top 100 Warned-Cancelled Sites | The top 100 sites that were warned-cancelled in the last thirty days.
Endpoint Security Web Control: Top 100 Warned-Continued Sites | The top 100 sites that were warned-continued in the last thirty days.
Endpoint Security Web Control: Top 100 Visited Yellow Sites | The top 100 yellow category sites visited in the last thirty days.
Endpoint Security Web Control: Top Sites Grouped by Content | The top sites grouped by contents in the last thirty days.
Endpoint Security Web Control: Visits by Action Grouped by Content | The chart depicting the number of visits to each content category in the last thirty days, grouped by policy-based actions.
Endpoint Security Web Control: Visits by Action | The chart depicting number of visits in the last thirty days, grouped by policy-based actions.
Endpoint Security Web Control: Visits by Content | The chart depicting number of visits in the last thirty days, grouped by site content.
Endpoint Security Web Control: Visits by Rating | The chart depicting number of visits in the last thirty days, grouped by site rating.
Endpoint Security Web Control: Web Content Categories that Caused the Most Infections in the Last 7 Days | The web content category with the most infections in the last seven days.
Endpoint Security Web Control: Compliance Status | The Web Control Compliance Status report.
Endpoint Security Web Control: Hotfixes Installed | The hotfixes installed for Endpoint Security.

Other queries

Run these queries to generate reports, or modify them to generate custom reports.

Query | Displays
Endpoint Security: Top Infected Users in the Last 7 Days | The list of top infected users in the last seven days.
Endpoint Security: Primary Vectors of Attack in the Last 7 Days | The list of Primary Vectors of Attack in the last seven days.
Endpoint Security: Top Threats in the Last 48 Hours | The list of top threats in the last forty-eight hours.
Endpoint Security: Threats Detected in the Last 24 Hours | The number of threat events generated in the last twenty-four hours.
Endpoint Security: Threats Detected in the Last 7 Days | The number of threat events generated in the last seven days.


Endpoint Security: Summary of Threats Detected in the Last 24 Hours | The summary of threats detected in the last twenty-four hours.
Endpoint Security: Summary of Threats Detected in the Last 7 Days | The summary of threats detected in the last seven days.
Endpoint Security: Currently Enabled Technology | The list of technologies that are currently enabled on each managed Mac.
Endpoint Security: Policy Compliance by Computer Name | Two lists of computers which do and do not have the latest policy applied.
Endpoint Security: Policy Compliance by Policy Name | A boolean pie chart showing which policies have and have not been updated on the client Mac.
Endpoint Security: Self Protection Compliance Status | The list of self-protection compliance status report.
Endpoint Security Platform: Hotfixes Installed | The list of hot fixes installed for the software.
Endpoint Security: Installation Status Report | The stacked bar chart of multiple modules and their installation status.
