SolutionBase: Controlling spyware with McAfee Antispyware

When it comes to fighting spyware, sometimes it's easiest to combine your antivirus and antispyware tools. Here's how you can fight spyware with McAfee Antispyware.

Spyware has become as big (if not bigger) a problem for IT professionals than viruses. One of the big players in the antivirus space, McAfee also has an enterprise-level solution for battling spyware. McAfee's antispyware offering is similar to Symantec's in that it rides on top of their existing antivirus software. Unlike Symantec's solution, however, McAfee's is still somewhat separate. Unlike Symantec, which has combined virus and spyware scanning into a single client, McAfee's antispyware client is separate and plugs in to the enterprise antivirus client. In order to use McAfee's antispyware software, you need either version 7.1 and 8.0i of McAfee's enterprise-edition antivirus software installed, with version 8.0i being preferred.

In order to centrally manage this combined client, you also need McAfee's management platform, called ePolicy Orchestrator. For this article, I will be installing ePolicy Orchestrator 3.6 as well as version 8.0i of both the antivirus client and the antispyware plug in.

I'm going to go over basic information regarding the antivirus capabilities of the McAfee offering, but will go over handling the antispyware solution more in depth.

System requirements

The thing that requires the most in terms of software requirements is McAfee's ePolicy Orchestrator (ePolicy Orchestrator) software. As such, the system requirements listed below for the server and database server are actually reflective of the requirements for ePolicy Orchestrator. I'm installing everything, including the database, on a single server.

While McAfee supports non-Windows machines for client installations, I will be focusing on the Windows environment in this article. You can also install the ePolicy Orchestrator agent and various clients on NetWare (4.11-6.0). Keep in mind that ePolicy Orchestrator is the management solution that covers all of McAfee's products. The ePolicy Orchestrator installation guide includes a complete product support, compatibility and feature matrix.


In order to install the client software, a workstation must meet a few minimal requirements. First, non-NT-based versions of Windows are not supported. This means that, if you're still running Windows 95, 98, or ME, you're out of luck. Windows NT, 2000, XP and 2003 are all supported, as long as your have a reasonably recent service pack.

Beyond this, the antispyware offering has the same system requirements as the antivirus product:

  • At least a 166 MHz processor
  • At least 32 MB of RAM
  • At least 38 MB of free disk space
  • Internet Explorer 6.0 or later
  • A trust relationship with the domain's primary domain controller

As you can see, the client software doesn't exactly require a powerhouse of a machine!

Server (including ePolicy Orchestrator)

On the server side, you're more limited in your operating system selection, but only slightly. McAfee supports every server version of Windows back to Windows 2000 SP3, but does not support Windows XP, which makes sense since XP is not a server operating system. While McAfee does provides wide support for all versions of Windows server, you do need a reasonably current service pack installed.

Beyond this, the antispyware offering has the following requirements, based on the antivirus software core of the product and the ePolicy Orchestrator system requirements:

  • At least a 450 MHz processor
  • At least 512 MB of RAM, with 1 GB recommended
  • At least 500 MB of free disk space, with at least 2 GB recommended
  • Internet Explorer 5.0 or later
  • McAfee also recommends using a static IP address for the server

Remote management station (ePolicy Orchestrator)

If you install a remote management station (for example, on an IT staffer's machine), the machine needs to meet the following minimum requirements:

  • At least a Pentium II processor
  • At least 128 MB of RAM
  • At least 250 MB of free disk space
  • Internet Explorer 6.0 or later
  • Any version of Windows back to Windows 2000 SP3, including Windows XP Professional (with SP1 or better)


McAfee's solution runs using MSDE or Microsoft SQL Server 2000 SP3+ database software. You also need MDAC 3.8 for use with ePolicy Orchestrator. If you're managing more than 5,000 clients, McAfee recommends that you use a dedicated SQL Server rather than running ePolicy Orchestrator and SQL on the same hardware.

Installation procedure

McAfee's solution is significantly more distributed and scalable than some other solutions on the market. As such, care needs to be taken during deployment to make sure that you have no problems. For this article, I will be installing all of the necessary components

  • SQL Server 2005 (In my lab, SQL Server 2005 is installed on it's own server separate from the McAfee server.)
  • McAfee ePolicy Orchestrator: McAfee's central management console that manages all of their products.
  • AntiVirus Enterprise 8.0i
  • AntiSpyware Enterprise 8.0i (the plug-in that works with the antivirus software)

AntiVirus Enterprise 8.0i

In this section, I'll be installing McAfee's antivirus client on the target ePolicy Orchestrator server. This client installation is handled the same way that you would a manual client installation on a workstation. Later in the article, I will go over an automated deployment method for your clients as well.

Note: If you're wondering what the letter 'i' means at the end of McAfee's newer products, it denotes the newish intrusion prevention system (IPS) capabilities in the product.

To get started with the AntiVirus client installation, double-click the setup.exe file from your AntiVirus 8.0i distribution media.

Look at, read, and accept the software license agreement (Figure A) that is shown on the first screen of the installer. Click the OK button to continue with the installation.

Figure A

Accept the installation.

Your next major decision is to decide between a typical or a custom installation. A typical install installs everything, including various email scanners. If you want to limit what gets installed, choose the Custom option. I've selected the Typical option for the example, as shown in Figure B. If you want to see what choices are included in a Custom installation, though, look at Figure C. If you need to change the installation directory, you need to choose the Custom installation method.

Figure B

Choose your installation type.

Figure C

If you opt for a custom installation, here is what you'll see.

That's all you need to do to install the virus scanning software. On the summary screen, click the Install button to proceed with the installation based on your selections.

Figure D

Click the Install button to proceed.

After all of the files are copied and the installation completed, you'll get a status window shown in Figure E that also allows you to update your software with the most recent patches and to run an on-demand scan of your system.

Figure E

Select your desired options and click Finish.

An on-demand scan is shown in Figure F.

Figure F

Cancel your scan by clicking the Stop button, if you want.

Add spyware scanning to AntiVirus Enterprise 8.0i

I mentioned before that McAfee's antispyware scanning capability is actually an add-on to the virus scanning product. As such, you need to make sure you have successfully installed the antivirus product before you embark on your antispyware quest. McAfee has announced a standalone version of their spyware scanner that will not require AntiVirus Enterprise 8.0i. This will give you the option to use virus and spyware utilities from different companies, if you want. This standalone edition was just announced and was not available at this writing.

The AntiSpyware module is installed by executing the VSE80MAS.exe file from your McAfee AntiSpyware distribution media. The opening screen clearly states that this version enhances the capabilities of your antivirus product and installs as a module. There is no license screen in the product since it uses the antivirus product license, as you can see in Figure G. Click Next to continue with the installation.

Figure G

Click Next to continue with the installation.

That's all there is to it. The software installs and you are presented with a status screen seen in Figure H. Click Finish on this screen.

Figure H

Click Finish.

You should run a full scan of your ePolicy Orchestrator system before continuing. You don't need to manually install these clients across the board. You can deploy using ePolicy Orchestrator later on.

ePolicy Orchestrator

McAfee's ePolicy Orchestrator is a centralized management console that works in conjunction with all of McAfee's enterprise products. It is not bundled with the antivirus and antispyware software, though, and is a separate installation.

To get started installing ePolicy Orchestrator, run the setup.exe program from your ePolicy Orchestrator distribution media. The first screen, as usual, includes McAfee's product license agreement. Read it if you like, choose the accept option, and click OK to continue. This screen is the same one shown earlier in Figure A.

You have two primary installation options with ePolicy Orchestrator. You can install both the ePolicy Orchestrator server and the management console, or, you can install just the console. On the server side, you do need both components, but if you're just installing the management tools on an administrative workstation, choose the Install Console Only option. I'll be installing both components.

You also need to specify the folder into which you want to install ePolicy Orchestrator as seen in Figure I. The default location is C:\Program Files\McAfee. Click the Next button to continue.

Figure I

Choose your installation type and click Next.

ePolicy Orchestrator uses its own built-in administrative account and password for the initial log in to the ePolicy Orchestrator server. As such, in order to provide the maximum security, the installer asks that you provide this initial password. This is definitely preferable to every ePolicy Orchestrator installation being shipped with the same default password! On this screen of the installation, Figure J, provide and confirm the password you want to use for this purpose. Click Next when you're done.

Figure J

Provide an administrative password for your log in to ePolicy Orchestrator.

I mentioned earlier that ePolicy Orchestrator needs a database in order to work. ePolicy Orchestrator is bundled with Microsoft's MSDE product, which you can opt to install on this step by choosing the Install A Database Server On This Computer And Use It option. Or, as I have done for this article, you can point ePolicy Orchestrator at an existing SQL Server (SQL Server 2000 SP3 or higher) installation. I've installed SQL Server 2005 on a server named W2K3-STD. To use this option, select Use An Existing Database Server On The Network and, with the drop-down arrow, choose the name of your network's SQL server. If you have installed SQL Server on the ePolicy Orchestrator computer, choose the Use The Existing Database Server On This Computer option instead, as you can see in Figure K. Click Next when you're ready.

Figure K

Choose the way in which you would like to handle ePolicy Orchestrator's database requirements.

SQL Server works with either domain logins, or logins created in SQL Server. For the installation, ePolicy Orchestrator needs an account that provides the rights necessary to create its database in SQL Server, and to make updates to this database as part of the routine. I've opted to provide ePolicy Orchestrator with the SQL Server 'sa' account, as shown in Figure L. When you're done, click Next.

Figure L

Provide either domain or SQL Server credentials for ePolicy Orchestrator.

ePolicy Orchestrator relies on the ubiquitous HTTP protocol for communication between consoles and agents. As such, you need to make sure that communication on specific ports is enabled. McAfee allows you to completely customize which ports you want to use, as shown in Figure M below. The only value I've changed for this example is the Agent-to-Server communication port. The default is 80, but I've changed this to 82 on the recommendation of the ePolicy Orchestrator installation guide. Click Next to continue.

Figure M

Provide port numbers for the various types of communications.

If you want to be notified about specific events in ePolicy Orchestrator, you must provide an email address to which notifications can be sent. The default is I happen to use the domain in my lab as well, so I accepted this default in Figure N. Click Next when you're done.

Figure N

Provide an administrative email address to which notifications can be sent.

That's all the questions you need to answer. The final screen, Figure O, you see before the installation commences outlines the steps that the ePolicy Orchestrator installer will take to complete your product's installation. Note that there is a reboot step, so be prepared! If you're installing ePolicy Orchestrator on a production server, do it during a maintenance window. Click the Install button to begin the installation.

Figure O

Click the Install button to start the installation.

After the installation completes, you're presented with a summary window, Figure P, that provides you with options to start the management console and to create a desktop shortcut. Click Finish.

Figure P

Choose your options.

ePolicy Orchestrator post-installation tasks

Once ePolicy Orchestrator is installed, you need to take care of some critical tasks that make the product actually work, and that protect your organization's systems:

  • Create the ePolicy Orchestrator directory.
  • Install ePolicy Orchestrator agents on systems you wish to be managed by ePolicy Orchestrator.
  • Tell ePolicy Orchestrator which products you want to manage via ePolicy Orchestrator.

Create the ePolicy Orchestrator directory

I'm not going to go into great detail regarding the ePolicy Orchestrator directory, but will provide you with enough information to get started. Like Active Directory, the ePolicy Orchestrator directory is used to group objects in some logical way. By creating groups of computers, for example, you can apply different management policies to different systems in your organization. For example, for the Marketing group, you might want to scan their systems early in the morning during their regular team meeting while, for Engineering, you might want to scan their systems late at night.

ePolicy Orchestrator uses two different kinds of organizational units:

  • Sites: A site is a top-level major group that can contain both computers as well as other sub-level groups (described next). Every site contains a group called LostFound, which contains managed systems that ePolicy Orchestrator was unable to assign to a sub-level group. (i.e. you installed the ePolicy Orchestrator agent to a system, but deleted that system from the directory without removing the agent)
  • Groups: Like Sites, groups can contain nested groups, but every top-level Group belongs to a Site. Groups do not contain Lost&Found objects.

The ePolicy Orchestrator directory also uses the concept of inheritance to handle policy and rights propagation. Inheritance is enabled by default in ePolicy Orchestrator, but can be disabled.

I will be using two methods to populate and maintain my ePolicy Orchestrator directory for this article. First, I will use ePolicy Orchestrator's Active Directory Import Wizard to initially synchronize ePolicy Orchestrator with my existing Windows domain. As a part of the importation process, I will enable a task that routinely synchronizes ePolicy Orchestrator with my Active Directory domain.

I particularly like the synchronization features provided by ePolicy Orchestrator. One great thing about an enterprise directory is its inherent ability to be centrally managed. ePolicy Orchestrator/VirusScan/AntiSpyware, while they doadd some maintenance burden to your IT staff, at least the IT staff does not need to manually maintain multiple directories!

Before you can synchronize anything, you need to log in to ePolicy Orchestrator. Do so by going to Start | All Programs | McAfee | ePolicy Orchestrator 3.6.0 Console. Once you're at the main ePolicy Orchestrator screen, Figure Q, choose the Log On To Server option.

Figure Q

Choose Log On To Server.

In the Log On To Server box, Figure R, provide the password you specified during the installation of ePolicy Orchestrator. The default administrative user name is admin.

Figure R

Provide the appropriate password and click the OK button.

The initial synchronization is accomplished by right-clicking the Directory option under the name of your ePolicy Orchestrator server and selecting All Tasks | Import Active Directory Computers. You can see how this works in Figure S.

Figure S

This will start the AD import wizard.

Figure T below shows you all five screens related to importing and synchronizing Active Directory computers.

Figure T

The Active Directory import processes handles both importation and synchronization.

In short, you need to specify the following items when it comes to the importation and synchronization of Active Directory computers :

  • To which ePolicy Orchestrator site do you want to import your AD information? You can only import to a site you create, or to the Root site. For this example, I have not created any sites and will import my Active Directory computers to ePolicy Orchestrator's root.
  • From which AD server would you like to pull computer information? You also need to provide the credentials for a user with rights to extract information from AD.
  • From which AD container would you like to pull computer information. A default AD infrastructure uses the Computers container and many people created groups nested within this top-level container. I am using the Computers container for this example. Note that ePolicy Orchestrator will search through subgroups if you have created them in Computers. If you want to exclude a particular subgroup, click the Add button and browse for it.
  • The last screen on which you have to provide information, create your synchronization scheduled task right here. I've used the default, which specifies that synchronization will take place every night at midnight.
  • The final screen summarizes what ePolicy Orchestrator accomplished. Note that the two systems found--XPP1 and W2K-BASE--were placed into the Lost&Found group.

Deploy ePolicy Orchestrator agents to manage systems

There are a ton of ways you can get an ePolicy Orchestrator agent on your desktops. You can use your normal enterprise software distribution method, for example, or you can use ePolicy Orchestrator itself.

To deploy an agent from within ePolicy Orchestrator, in the Directory find the target system (often found in Lost&Found). Right-click the system and select Send Agent Install from the shortcut menu. You can also deploy to an entire group by choosing Send Agent Install from the group's shortcut menu instead.

On the resulting screen--the Install Agent screen seen in Figure U--choose the appropriate options and click OK. You do need to provide credentials for a user account with rights to install software on the target machine.

Figure U

A remote agent deployment via ePolicy Orchestrator.

Note that the default settings deploy the client at midnight. I overrode this setting for this example by selecting the machine in the directory, and choosing the Tasks tab in the right-hand pane. I opened the Deploy task and unchecked the Inherit option and enabled the task. Next, from the tasks Schedule tab, I changed the deployment to run immediately.

Allow ePolicy Orchestrator to manage the VirusScan product and AntiSpyware module

ePolicy Orchestrator handles all updating and replication of software for your entire organization. Before this can happen, you need to tell ePolicy Orchestrator which software packages it should manage for your clients.

Click the Repository option in ePolicy Orchestrator. This opens a flowchart like screen that shows you how ePolicy Orchestrator propagates updates, similar to the one in Figure V.

Figure V

The repository screen can be a bear until you get a handle on how everything works.

To add the VirusScan Enterprise 8.0i and AntiSpyware module packages, do the following. For each of the two products, you need to both add the package to the master software repository and add the package to the ePolicy Orchestrator server.

Click the Check In Package option. This starts a wizard shown in Figure W. Browse to the location of the product's PkgCatalog.z file, usually located in the directory to which you extracted the contents of the product (i.e. AntiVirus Enterprise 8.0i). There is a separate package file for both the virus and spyware scanning products, which means that you need to go through this process twice--once for each product.

Figure W

Choose the option to add a product to the master repository. Locate the file and click Finish when you're done.

Likewise, you need to check in a .NAP (Network Associates Package) file to your ePolicy Orchestrator server. From the main Repository screen, choose Check In NAP. You will be presented with two options: Add New Software and Add New Reports. I will add new software only. Locate the .NAP file for each product (again, perform this process once for each product) and follow the instructions. The software is then available for use.

Now, to see what your clients are using, from the Directory, select a client, or select a group (including the whole directory itself, or a site). In Figure X, notice that there are options available to configure policies for both antivirus and antispyware features.

Figure X

Each client or group is covered by the policies and software shown.

Modify policies

To change a policy, choose the Policy Catalog option from ePolicy Orchestrator and select the policy you'd like to modify. I'm not going to get very deep into this as ePolicy Orchestrator policies could be an entire series of articles all by itself.

However, suppose you wanted to modify the way that the end-user sees the AntiVirus client. Perhaps you don't want them to even be able to see the McAfee icon in the system tray, for example. To change this policy, expand the VirusScan Enterprise 8.0.0 group and choose User Interface Policies and then click the policy name McAfee Default. You'll see the screen shown in Figure Y.

Figure Y

From here, you can change the global default policy, if you like.

Stopping spyware the McAffee way

When it comes to complexity, McAfee's antispyware solution takes the cake in that it's the most difficult to get up and running. However, with that difficulty come extreme flexibility and scalability. I haven't touched one tenth of the capabilities of ePolicy Orchestrator coupled with AntiVirus and AntiSpyware, but with these steps, you should be able to get your McAfee products going in a minimal way.