Spyware has become as big (if not bigger) a problem for IT
professionals than viruses. One of the big players in the antivirus space,
McAfee also has an enterprise-level solution for battling spyware. McAfee’s
antispyware offering is similar to Symantec’s in that it rides on top of their
existing antivirus software. Unlike Symantec’s solution, however, McAfee’s is
still somewhat separate. Unlike Symantec, which has combined virus and spyware
scanning into a single client, McAfee’s antispyware client is separate and
plugs in to the enterprise antivirus client. In order to use McAfee’s
antispyware software, you need either version 7.1 and 8.0i of McAfee’s
enterprise-edition antivirus software installed, with version 8.0i being

In order to centrally manage this combined client, you also
need McAfee’s management platform, called ePolicy Orchestrator. For this
article, I will be installing ePolicy Orchestrator 3.6 as well as version 8.0i
of both the antivirus client and the antispyware plug in.

I’m going to go over basic information regarding the
antivirus capabilities of the McAfee offering, but will go over handling the
antispyware solution more in depth.


The thing that requires the most in terms of software
requirements is McAfee’s ePolicy Orchestrator (ePolicy Orchestrator) software.
As such, the system requirements listed below for the server and database
server are actually reflective of the requirements for ePolicy Orchestrator.
I’m installing everything, including the database, on a single server.

While McAfee supports non-Windows machines for client
installations, I will be focusing on the Windows environment in this article.
You can also install the ePolicy Orchestrator agent and various clients on
NetWare (4.11-6.0). Keep in mind that ePolicy Orchestrator is the management
solution that covers all of McAfee’s
products. The ePolicy Orchestrator installation guide includes a complete
product support, compatibility and feature matrix.


In order to install the client software, a workstation must
meet a few minimal requirements. First, non-NT-based versions of Windows are
not supported. This means that, if you’re still running Windows 95, 98, or ME,
you’re out of luck. Windows NT, 2000, XP and 2003 are all supported, as long as
your have a reasonably recent service pack.

Beyond this, the antispyware offering has the same system
requirements as the antivirus product:

  • At least a
    166 MHz processor
  • At least 32
    MB of RAM
  • At least 38
    MB of free disk space
  • Internet
    Explorer 6.0 or later
  • A trust
    relationship with the domain’s primary domain controller

As you can see, the client software doesn’t exactly require
a powerhouse of a machine!

Server (including ePolicy Orchestrator)

On the server side, you’re more limited in your operating
system selection, but only slightly. McAfee supports every server version of
Windows back to Windows 2000 SP3, but does not support Windows XP, which makes
sense since XP is not a server operating system. While McAfee does provides
wide support for all versions of Windows server, you do need a reasonably
current service pack installed.

Beyond this, the antispyware offering has the following
requirements, based on the antivirus software core of the product and the
ePolicy Orchestrator system requirements:

  • At least a
    450 MHz processor
  • At least
    512 MB of RAM, with 1 GB recommended
  • At least
    500 MB of free disk space, with at least 2 GB recommended
  • Internet
    Explorer 5.0 or later
  • McAfee also
    recommends using a static IP address for the server

Remote management station (ePolicy Orchestrator)

If you install a remote management station (for example, on
an IT staffer’s machine), the machine needs to meet the following minimum

  • At least a
    Pentium II processor
  • At least
    128 MB of RAM
  • At least
    250 MB of free disk space
  • Internet
    Explorer 6.0 or later
  • Any version
    of Windows back to Windows 2000 SP3, including Windows XP Professional
    (with SP1 or better)


McAfee’s solution runs using MSDE or Microsoft SQL Server
2000 SP3+ database software. You also need MDAC 3.8 for use with ePolicy
Orchestrator. If you’re managing more than 5,000 clients, McAfee recommends
that you use a dedicated SQL Server rather than running ePolicy Orchestrator
and SQL on the same hardware.

Installation procedure

McAfee’s solution is significantly more distributed and
scalable than some other solutions on the market. As such, care needs to be
taken during deployment to make sure that you have no problems. For this
article, I will be installing all of the necessary components

  • SQL Server
    2005 (In my lab, SQL Server 2005 is installed on it’s own server separate
    from the McAfee server.)
  • McAfee
    ePolicy Orchestrator: McAfee’s central management console that manages
    all of their products.
  • AntiVirus
    Enterprise 8.0i
  • AntiSpyware
    Enterprise 8.0i (the plug-in that works with the antivirus software)

Enterprise 8.0i

In this section, I’ll be installing McAfee’s antivirus
client on the target ePolicy Orchestrator server. This client installation is
handled the same way that you would a manual client installation on a
workstation. Later in the article, I will go over an automated deployment
method for your clients as well.

Note: If you’re wondering what the letter ‘i’ means
at the end of McAfee’s newer products, it denotes the newish intrusion
prevention system (IPS) capabilities in the product.

To get started with the AntiVirus client installation,
double-click the setup.exe file from your AntiVirus 8.0i distribution media.

Look at, read, and accept the software license agreement
(Figure A) that is shown on the first screen of the installer. Click the OK
button to continue with the installation.

Figure A

Accept the installation.

Your next major decision is to decide between a typical or a
custom installation. A typical install installs everything, including various
email scanners. If you want to limit what gets installed, choose the Custom
option. I’ve selected the Typical option for the example, as shown in Figure B.
If you want to see what choices are included in a Custom installation, though,
look at Figure C. If you need to change the installation directory, you need to
choose the Custom installation method.

Figure B

Choose your installation type.

Figure C

If you opt for a custom installation, here is what you’ll see.

That’s all you need to do to install the virus scanning
software. On the summary screen, click the Install button to proceed with the
installation based on your selections.

Figure D

Click the Install button to proceed.

After all of the files are copied and the installation
completed, you’ll get a status window shown in Figure E that also allows you to
update your software with the most recent patches and to run an on-demand scan
of your system.

Figure E

Select your desired options and click Finish.

An on-demand scan is shown in Figure F.

Figure F

Cancel your scan by clicking the Stop button, if you want.

Add spyware scanning to AntiVirus Enterprise 8.0i

I mentioned before that McAfee’s antispyware scanning
capability is actually an add-on to the virus scanning product. As such, you
need to make sure you have successfully installed the antivirus product before
you embark on your antispyware quest.
McAfee has announced a standalone version of their spyware scanner that
will not require AntiVirus Enterprise 8.0i. This will give you the option to
use virus and spyware utilities from different companies, if you want. This standalone
edition was just announced and was not available at this writing.

The AntiSpyware module is installed by executing the
VSE80MAS.exe file from your McAfee AntiSpyware distribution media. The opening
screen clearly states that this version enhances the capabilities of your
antivirus product and installs as a module. There is no license screen in the
product since it uses the antivirus product license, as you can see in Figure
. Click Next to continue with the installation.

Figure G

Click Next to continue with the installation.

That’s all there is to it. The software installs and you are
presented with a status screen seen in Figure H. Click Finish on this screen.

Figure H

Click Finish.

You should run a full scan of your ePolicy Orchestrator
system before continuing. You don’t need to manually install these clients
across the board. You can deploy using ePolicy Orchestrator later on.

ePolicy Orchestrator

McAfee’s ePolicy Orchestrator is a centralized management console
that works in conjunction with all of McAfee’s enterprise products. It is not
bundled with the antivirus and antispyware software, though, and is a separate

To get started installing ePolicy Orchestrator, run the
setup.exe program from your ePolicy Orchestrator distribution media. The first
screen, as usual, includes McAfee’s product license agreement. Read it if you
like, choose the accept option, and click OK to continue. This
screen is the same one shown earlier in Figure A.

You have two primary installation options with ePolicy
Orchestrator. You can install both the ePolicy Orchestrator server and the
management console, or, you can install just the console. On the server side,
you do need both components, but if you’re just installing the management tools
on an administrative workstation, choose the Install Console Only
option. I’ll be installing both components.

You also need to specify the folder into which you want to
install ePolicy Orchestrator as seen in Figure I. The default location is
C:\Program Files\McAfee. Click the Next button to continue.

Figure I

Choose your installation type and click Next.

ePolicy Orchestrator uses its own built-in administrative
account and password for the initial log in to the ePolicy Orchestrator server.
As such, in order to provide the maximum security, the installer asks that you
provide this initial password. This is definitely preferable to every ePolicy
Orchestrator installation being shipped with the same default password! On this
screen of the installation, Figure J, provide and confirm the password you want
to use for this purpose. Click Next when you’re done.

Figure J

Provide an administrative password for your log in to ePolicy Orchestrator.

I mentioned earlier that ePolicy Orchestrator needs a
database in order to work. ePolicy Orchestrator is bundled with Microsoft’s
MSDE product, which you can opt to install on this step by choosing the Install
A Database Server On This Computer And Use It option. Or, as I have
done for this article, you can point ePolicy Orchestrator at an existing SQL
Server (SQL Server 2000 SP3 or higher) installation. I’ve installed SQL Server
2005 on a server named W2K3-STD. To use this option, select Use An
Existing Database Server On The Network and, with the drop-down
arrow, choose the name of your network’s SQL server. If you have installed SQL
Server on the ePolicy Orchestrator computer, choose the Use The Existing
Database Server On This Computer option instead, as you can see in
Figure K. Click Next when you’re ready.

Figure K

Choose the way in which you would like to handle ePolicy Orchestrator’s
database requirements.

SQL Server works with either domain logins, or logins
created in SQL Server. For the installation, ePolicy Orchestrator needs an
account that provides the rights necessary to create its database in SQL
Server, and to make updates to this database as part of the routine. I’ve opted
to provide ePolicy Orchestrator with the SQL Server ‘sa’ account, as shown in
Figure L. When you’re done, click Next.

Figure L

Provide either domain or SQL Server credentials for ePolicy Orchestrator.

ePolicy Orchestrator relies on the ubiquitous HTTP protocol
for communication between consoles and agents. As such, you need to make sure
that communication on specific ports is enabled. McAfee allows you to
completely customize which ports you want to use, as shown in Figure M below. The
only value I’ve changed for this example is the Agent-to-Server
communication port. The default is 80, but I’ve changed this to 82 on the
recommendation of the ePolicy Orchestrator installation guide. Click Next to

Figure M

Provide port numbers for the various types of communications.

If you want to be notified about specific events in ePolicy
Orchestrator, you must provide an email address to which notifications can be
sent. The default is administrator@example.com. I happen to use the
example.com domain in my lab as well, so I accepted this default in Figure N.
Click Next when you’re done.

Figure N

Provide an administrative email address to which notifications can be sent.

That’s all the questions you need to answer. The final screen, Figure O, you see before the
installation commences outlines the steps that the ePolicy Orchestrator
installer will take to complete your product’s installation. Note that there is
a reboot step, so be prepared! If you’re installing ePolicy Orchestrator on a
production server, do it during a maintenance window. Click the Install button
to begin the installation.

Figure O

Click the Install button to start the installation.

After the installation completes, you’re presented with a
summary window, Figure P, that provides you with options to start the
management console and to create a desktop shortcut. Click Finish.

Figure P

Choose your options.

Orchestrator post-installation tasks

Once ePolicy Orchestrator is installed, you need to take
care of some critical tasks that make the product actually work, and that
protect your organization’s systems:

  • Create the
    ePolicy Orchestrator directory.
  • Install
    ePolicy Orchestrator agents on systems you wish to be managed by ePolicy
  • Tell
    ePolicy Orchestrator which products you want to manage via ePolicy

Create the ePolicy Orchestrator directory

I’m not going to go into great detail regarding the ePolicy
Orchestrator directory, but will provide you with enough information to get
started. Like Active Directory, the ePolicy Orchestrator directory is used to
group objects in some logical way. By creating groups of computers, for
example, you can apply different management policies to different systems in
your organization. For example, for the Marketing group, you might want to scan
their systems early in the morning during their regular team meeting while, for
Engineering, you might want to scan their systems late at night.

ePolicy Orchestrator uses two different kinds of
organizational units:

  • Sites: A
    site is a top-level major group that can contain both computers as well as
    other sub-level groups (described next). Every site contains a group called
    LostFound, which contains managed systems that ePolicy
    Orchestrator was unable to assign to a sub-level group. (i.e. you
    installed the ePolicy Orchestrator agent to a system, but deleted that
    system from the directory without removing the agent)
  • Groups:
    Like Sites, groups can contain nested groups, but every top-level Group belongs to a Site. Groups do
    not contain Lost&Found objects.

The ePolicy Orchestrator directory also uses the concept of
inheritance to handle policy and rights propagation. Inheritance is enabled by
default in ePolicy Orchestrator, but can be disabled.

I will be using two methods to populate and maintain my
ePolicy Orchestrator directory for this article. First, I will use ePolicy
Orchestrator’s Active Directory Import Wizard to initially synchronize ePolicy
Orchestrator with my existing Windows domain. As a part of the importation
process, I will enable a task that routinely synchronizes ePolicy Orchestrator
with my Active Directory domain.

I particularly like the synchronization features provided by
ePolicy Orchestrator. One great thing about an enterprise directory is its
inherent ability to be centrally managed. ePolicy
Orchestrator/VirusScan/AntiSpyware, while they doadd some maintenance burden to your IT staff, at least the IT
staff does not need to manually maintain multiple directories!

Before you can synchronize anything, you need to log in to
ePolicy Orchestrator. Do so by going to Start | All Programs | McAfee | ePolicy
Orchestrator 3.6.0 Console. Once you’re at the main ePolicy Orchestrator
screen, Figure Q, choose the Log On To Server option.

Figure Q

Choose Log On To Server.

In the Log On To Server box, Figure R, provide
the password you specified during the installation of ePolicy Orchestrator. The
default administrative user name is admin.

Figure R

Provide the appropriate password and click the OK button.

The initial synchronization is accomplished by
right-clicking the Directory option under the name of your ePolicy Orchestrator
server and selecting All Tasks | Import Active Directory Computers. You can see
how this works in Figure S.

Figure S

This will start the AD import wizard.

Figure T below shows you all five screens related to importing
and synchronizing Active Directory computers.

Figure T

The Active Directory import processes handles both importation and

In short, you need to specify the following items when it
comes to the importation and synchronization of Active Directory computers :

  • To which
    ePolicy Orchestrator site do you want to import your AD information? You
    can only import to a site you create, or to the Root site. For this
    example, I have not created any sites and will import my Active Directory
    computers to ePolicy Orchestrator’s root.
  • From which
    AD server would you like to pull computer information? You also need to
    provide the credentials for a user with rights to extract information from
  • From which
    AD container would you like to
    pull computer information. A default AD infrastructure uses the
    Computers container and many people created groups nested
    within this top-level container. I am using the Computers container for
    this example. Note that ePolicy Orchestrator will search through subgroups
    if you have created them in Computers. If you want to exclude a particular
    subgroup, click the Add button and browse for it.
  • The last
    screen on which you have to provide information, create your
    synchronization scheduled task right here. I’ve used the default, which
    specifies that synchronization will take place every night at midnight.
  • The final
    screen summarizes what ePolicy Orchestrator accomplished. Note that the
    two systems found–XPP1 and W2K-BASE–were placed into the Lost&Found

Deploy ePolicy Orchestrator agents to manage systems

There are a ton of ways you can get an ePolicy Orchestrator
agent on your desktops. You can use your normal enterprise software
distribution method, for example, or you can use ePolicy Orchestrator itself.

To deploy an agent from within ePolicy Orchestrator, in the
Directory find the target system (often found in Lost&Found). Right-click
the system and select Send Agent Install from the shortcut menu.
You can also deploy to an entire group by choosing Send Agent
Install from the group’s shortcut menu instead.

On the resulting screen–the Install Agent screen seen in
Figure U–choose the appropriate options and click OK. You do need to provide
credentials for a user account with rights to install software on the target

Figure U

A remote agent deployment via ePolicy Orchestrator.

Note that the default settings deploy the client at
midnight. I overrode this setting for this example by selecting the machine in
the directory, and choosing the Tasks tab in the right-hand pane. I opened the
Deploy task and unchecked the Inherit option and enabled the task. Next, from
the tasks Schedule tab, I changed the deployment to run immediately.

Allow ePolicy Orchestrator to manage the VirusScan product and AntiSpyware

ePolicy Orchestrator handles all updating and replication of
software for your entire organization. Before this can happen, you need to tell
ePolicy Orchestrator which software packages it should manage for your clients.

Click the Repository option in ePolicy Orchestrator. This
opens a flowchart like screen that shows you how ePolicy Orchestrator
propagates updates, similar to the one in Figure V.

Figure V

The repository screen can be a bear until you get a handle on how
everything works.

To add the VirusScan Enterprise 8.0i and AntiSpyware module
packages, do the following. For each of the two products, you need to both add
the package to the master software repository and add the package to the
ePolicy Orchestrator server.

Click the Check In Package option. This starts a wizard
shown in Figure W. Browse to the location of the product’s
PkgCatalog.z file, usually located in the directory to which you
extracted the contents of the product (i.e. AntiVirus Enterprise 8.0i). There
is a separate package file for both the virus and spyware scanning products,
which means that you need to go through this process twice–once for each

Figure W

Choose the option to add a product to the master repository. Locate the
file and click Finish when you’re done.

Likewise, you need to check in a .NAP (Network Associates
Package) file to your ePolicy Orchestrator server. From the main Repository
screen, choose Check In NAP. You will be presented with two
options: Add New Software and Add New Reports. I will add new
software only. Locate the .NAP file for each product (again, perform this
process once for each product) and follow the instructions. The software is
then available for use.

Now, to see what your clients are using, from the Directory,
select a client, or select a group (including the whole directory itself, or a
site). In Figure X, notice that there are options available to configure
policies for both antivirus and antispyware features.

Figure X

Each client or group is covered by the policies and software shown.

Modify policies

To change a policy, choose the Policy Catalog option from
ePolicy Orchestrator and select the policy you’d like to modify. I’m not going
to get very deep into this as ePolicy Orchestrator policies could be an entire
series of articles all by itself.

However, suppose you wanted to modify the way that the
end-user sees the AntiVirus client. Perhaps you don’t want them to even be able
to see the McAfee icon in the system tray, for example. To change this policy,
expand the VirusScan Enterprise 8.0.0 group and choose User Interface Policies
and then click the policy name McAfee Default. You’ll see the
screen shown in Figure Y.

Figure Y

From here, you can change the global default policy, if you like.

Stopping spyware
the McAffee way

When it comes to complexity, McAfee’s antispyware solution
takes the cake in that it’s the most difficult to get up and running. However,
with that difficulty come extreme flexibility and scalability. I haven’t
touched one tenth of the capabilities of ePolicy Orchestrator coupled with
AntiVirus and AntiSpyware, but with these steps, you should be able to get your
McAfee products going in a minimal way.