release notes for

mcafee(r) virusscan(r) enterprise
version 8.0i with patch 10
copyright (c) 2004 networks associates technology,
inc.
all rights reserved

==========================================================

- dat version: 4442
- engine version: 4.4.00

==========================================================

thank you for using virusscan(r) enterprise
software. this file contains important information
regarding this release. we strongly recommend that
you read the entire document.

important:
mcafee does not support automatic upgrading of a
pre-release version of the software. to upgrade
to a production release of the software, you
must first uninstall the existing version of the
software.

__________________________________________________________
what's in this file

- new features
- changed features
- installation & system requirements
- testing your installation
- resolved issues
- mcafee installation designer
- version 8.0i
- known issues
- installing, upgrading, and uninstalling
- compatibility with other products
- alert manager(tm)
- common management agent
- epolicy orchestrator(r)
- groupshield(tm)
- protectionpilot(tm)
- third party software
- access protection
- adding file type extensions
- autoupdate
- buffer overflow protection
- log file format
- lotus notes
- mirror tasks
- scanning
- unwanted programs policy
- documentation
- participating in the mcafee beta program
- contact information
- copyright & trademark attributions
- license & patent information

__________________________________________________________
new features

this version of virusscan enterprise provides
several new features that help to prevent and more
effectively detect intrusions:

- product version number

the new version is 8.0i.

the product version number has changed from 7.1
to 8.0 to reflect the major changes within the
product since the last release. see the
following "new features" and "changed features"
for more information.

the "i" has been added to represent that mcafee
virusscan enterprise is the first anti-virus
product in the world that contains proactive
intrusion prevention systems (ips) protection
capabilities. these ips capabilities are
provided in the buffer overflow protection
feature which comes from mcafee entercept, our
host intrusion prevention security product.

- access protection.

use this feature to prevent intrusions by
restricting access to ports, files, shares, and
folders.

you can block ports by creating rules to specify
which ports to block and whether to restrict
access to inbound or outbound processes. you can
also exclude processes from the rule if you want
a specific process, or list of processes, to be
allowed access to the otherwise blocked port.
when you block a port, both tcp and udp accesses
are blocked.

you can restrict access to shares by making them
read-only or blocking read and write access to
all shares.

you can block files and folders by creating
rules that specify which processes to block from
the files or folders you define, which file
actions to prevent, and what action to take when
an attempt is made to access a blocked item.

these access protection features can be very
effective in preventing intrusions. in the event
of an outbreak, the administrator can block
access to the infected areas until a dat is
released.

note:
if you block a port that is used by the
epolicy orchestrator agent or the entercept
agent, the agent's processes are trusted by
the filter and are allowed to communicate
with the blocked port. all other traffic not
related to these agent processes will be
blocked.

this version of virusscan enterprise provides
some sample port blocking rules and some sample
file and folder blocking rules. with a default
installation, some of these rules are in warning
mode and others are in blocking mode.

warning:
these rules have been chosen to protect
against a broad range of common threats but
they may also block legitimate activity.
before deploying virusscan enterprise, we
recommend that you review these rules to
ensure they are suitable for your
environment.

things to consider:

- whitelists. each port blocking rule includes
a list of applications which are excluded
from being blocked. these lists have been
populated with many of the most common e-mail
clients and web browsers. be certain to
review each of these lists to ensure they
include all programs that are allowed to send
email and download files. including these
programs in the whitelist ensures that these
programs will not be blocked.

- blocking of file system activity that
originates on the network. some rules such as
"prevent remote
creation/modification/deletion of files
(.exe)" are very effective at stopping
viruses that copy themselves from share to
share. however, they may also block
management systems that rely on pushing files
to workstations. for example, when the
epolicy orchestrator server deploys an agent,
it does this by pushing the agent installer
onto the workstations' administrative share
and running it. be certain to select the
correct mode (off, warn or block) for each
rule before deployment.

mcafee installation designer can be used to
configure a virusscan package for
deployment.

warning:
the default rules cannot provide complete
protection for your environment. the
restrictions that you need depend on your
environment. the rules that we provide are
examples of what the feature can do and how
rules can be used to prevent some specific
threats.

as new threats are discovered, the virus
information library will provide
recommendations on how access protection
rules can be used to block these new threats.
access the virus information library at this
location:

http://vil.mcafee.com

- source ip (on-access scanning).

when the on-access scanner detects a virus
written to a file share, it displays the source
ip for the detection in the on-access scan
statistics dialog box and the on-access scan
messages dialog box.

- blocking (on-access scanning).

use this feature to block further access by
remote computers that have placed infected files
in a shared folder. you can specify how long to
block these connections. if you want to unblock
all connections before the specified time limit,
you can do so from the on-access scanning
statistics dialog box.

- buffer overflow protection.

use this feature to block exploited buffer
overflows from executing code on your computer.
buffer overflow protection detects code starting
to run from data in a heap or stack and prevents
that code from running. it does not stop data
from being written to the heap or stack. do not
rely on the exploited application remaining
stable after being exploited, even if buffer
overflow protection stops the exploited code
from running.

virusscan enterprise protects against buffer
overflows for approximately 30 of the most
commonly used and exploited software
applications and microsoft windows services.
these protected applications are defined in a
separate buffer overflow protection definitions
(dat) file. this dat file is available for
download along with the virus definitions file
during regular updates. as of the date of this
product release, these applications are included
in the buffer overflow protection definitions
file:

- dllhost.exe
- eventparser.exe
- excel.exe
- explorer.exe
- frameworkservice.exe
- ftp.exe
- iexplore.exe
- inetinfo.exe
- lsass.exe
- mapisp32.exe
- mplayer2.exe
- msaccess.exe
- msimn.exe
- mstask.exe
- msmsgs.exe
- naimserv.exe
- naprdmgr.exe
- outlook.exe
- powerpnt.exe
- rpcss.exe
- services.exe
- sqlservr.exe
- srvmon.exe
- svchost.exe
- visio32.exe
- vsebotest.exe
- w3wp.exe
- winword.exe
- wmplayer.exe
- wuauclt.exe

this list will change when the buffer overflow
protection definitions file is updated.

- unwanted programs policy.

use this feature to detect and take action on
unwanted programs, such as spyware, adware,
dialers, jokes, etc.

you can select whole categories of programs or
specific programs within those categories from a
pre-defined list which comes from the current
dat file. you can also add your own programs to
detect.

configuration is a two-step process:

- first, you configure what programs to detect
in the unwanted programs policy. this policy
is enabled by default in each of the
scanner's property pages.
- second, you independently configure each of
the scanners (on-access scanner, on-demand
scanner, and e-mail scanners) to specify what
actions you want the scanner to take when an
unwanted program is detected. the actions you
specify here are independent of your other
scan settings.

the actual detection and subsequent cleaning of
unwanted programs is determined by the dat file,
just as it is for a virus. if you detect a
program and you have the primary action set to
"clean," the dat file tries to clean the program
using the information in the dat file. if the
detected program cannot be cleaned, or is not in
the dat file, for example a user-defined
program, the clean action fails and the
secondary action is taken. if you select
"delete," only the process defined as unwanted is
deleted and modified registry keys may be left
intact.

- script scanning (on-access scanning).

use this feature to scan javascript and vbscript
scripts before they are executed. the script
scanner operates as a proxy component to the
real windows scripting host component. it
intercepts the execution of a script, for
example an internet explorer web page script,
and scans it. if the script is clean, it is
passed on to the real host. if the script is
infected, it is not executed.

- lotus notes (e-mail scanning).

both the on-delivery e-mail scanner and the
on-demand e-mail scanner now scan lotus notes
messages and databases, in addition to
mapi-based e-mail, such as microsoft outlook.

you configure one set of properties that applies
to whichever e-mail client you have installed.

the client scanners have some behavior
differences that are described in the e-mail
scanning section of the product guide. for
example, microsoft outlook messages are scanned
on delivery, but lotus notes mail is scanned
when it is accessed.

- selective updating (autoupdate).

selectively update just the dat file, scanning
engine, product upgrades, hotfixes, patches, or
service packs, etc., using the autoupdate task
in the virusscan console.

if you are managing virusscan enterprise with
epolicy orchestrator, the selective updating
feature is only available in epolicy
orchestrator 3.5 or later. it does not work with
earlier versions of epolicy orchestrator.

- alert manager local alerting.

generate snmp traps and local event log entries
without installing alert manager server
locally.

- repair installation.

a new item in the virusscan console help menu
allows you to repair the installation. you have
the option of restoring the product to the
original installation settings or reinstalling
the program files.

the user must have administrative rights to
perform these functions. the administrator can
protect this feature by setting a password for
it from the user interface options, password
options dialog box.

warning:
customized settings will be lost when
restoring the product to the original
installation settings.

hotfixes, patches, and service packs will be
overwritten when reinstalling the program
files.

- error reporting service.

when enabled, the error reporting service
provides constant background monitoring of
network associates applications and prompts the
user when it detects a problem. when an error is
detected, the user can choose to either submit
data for analysis or ignore the error. enable
the error reporting service from the tools menu
in the virusscan console.

_____________________________________________________
changed features

these features have changed since the previous
release of virusscan enterprise:

- daily updating (autoupdate).

the default autoupdate task schedule has been
changed from weekly to daily. the schedule can
be modified by the administrator.

- default download site (autoupdate).

when performing an autoupdate, the default
download site is now http with the ftp site as
the secondary site. see the virusscan enterprise
product guide for more information.

- system utilization (on-demand scanning).

cpu utilization has been changed to system
utilization. when an on-demand scan starts, the
feature takes cpu and io samples over the first
30 seconds, then scans based on the utilization
level you specified in the on-demand scan
properties. this provides more realistic scaling
of both cpu and disk resources.

- resumable scanning.

the on-demand scanner has been changed to
perform true resumable scanning. the scanner
automatically resumes scanning where it left off
if the scan is interrupted before it completes.
the incremental scan feature of the scanner
recognizes the last file it scanned, so the next
time it starts, it resumes from where it left
off.

- scanning of compressed files.

the "scan compressed files" option has been
removed from the scanning options because the
feature has been permanently enabled in each of
the scanners. the scanner always scans
compressed files.

__________________________________________________________
installation and system requirements

see the product documentation for complete
information on installation and system
requirements.

testing your installation

you can test the operation of the software by
running the eicar standard antivirus test file on
any computer where you have installed the software.
the eicar standard antivirus test file is a combined
effort by anti-virus vendors throughout the world to
implement one standard by which customers can verify
their anti-virus installations.

to test your installation:

1. copy the following line into its own file, then
save the file with the name eicar.com.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

the file size will be 68 or 70 bytes.

2. start your anti-virus software and allow it to
scan the directory that contains eicar.com.

when virusscan enterprise scans this file, it
will report finding the eicar test file.

3. delete the file when you have finished testing
your installation to avoid alarming unsuspecting
users.

important:
please note that this file is not a virus.
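
The three steps above can be scripted for a deployment check. This is an added example, not part of the original release notes; the function names and result labels are assumptions. It writes the 68-byte test file (70 bytes when an editor appends CR LF), waits for the on-access scanner, reports what happened to the file, and deletes it afterwards.

```python
import os
import tempfile
import time

# The 68-byte EICAR test string, kept in two halves so that this script's
# own source file does not contain the full string and is not itself flagged.
_EICAR_HEAD = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
_EICAR_TAIL = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_bytes(trailing_crlf=False):
    """Return the test file content: 68 bytes, or 70 with a trailing CR LF."""
    data = (_EICAR_HEAD + _EICAR_TAIL).encode("ascii")
    return data + b"\r\n" if trailing_crlf else data


def scanner_verdict(path, expected, wait_seconds=0.0):
    """Report what happened to a file after the scanner had time to act.

    'removed'      the file no longer exists (deleted or moved to quarantine)
    'blocked'      the file exists but cannot be opened (access denied)
    'modified'     the file content was changed (for example, cleaned)
    'not_detected' the file is intact and readable
    """
    time.sleep(wait_seconds)
    try:
        with open(path, "rb") as fh:
            content = fh.read()
    except FileNotFoundError:
        return "removed"
    except OSError:
        return "blocked"
    return "not_detected" if content == expected else "modified"


def run_check(directory, wait_seconds=5.0):
    """Steps 1 to 3: write eicar.com, let the scanner react, then clean up."""
    path = os.path.join(directory, "eicar.com")
    data = eicar_bytes()
    try:
        with open(path, "wb") as fh:
            fh.write(data)
    except OSError:
        # The on-access scanner refused the write itself.
        return "blocked"
    try:
        return scanner_verdict(path, data, wait_seconds)
    finally:
        # Step 3: never leave the test file behind.
        try:
            os.remove(path)
        except OSError:
            pass


if __name__ == "__main__":
    result = run_check(tempfile.gettempdir())
    print("on-access scanner result:", result)
    # Anything other than 'not_detected' means the scanner reacted.
    raise SystemExit(0 if result != "not_detected" else 1)
```

A result of not_detected on a machine where on-access scanning is expected to be active indicates that the scanner is disabled or that the directory is excluded from scanning.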

__________________________________________________________
resolved issues

this section describes issues that have been
resolved in this release.

mcafee installation designer

1. issue:
two issues occurred when installing a virusscan
enterprise 8.0i package that had been configured
using mcafee installation designer.

a. in some cases, custom configuration settings
were not being applied at installation time
due to a timing issue. a reboot was required
in these cases to apply the custom
configuration settings.

b. pop-up error messages were appearing during
silent installations even when performing the
silent installation via epolicy orchestrator.
the following pop-up messages required the ok
button to be clicked before installation
continued.

- "unable to create or open log file. logging
disabled for this session."
- "invalid configuration options specified.
confirm product correctly installed."

resolution:
this release includes an updated version of the
binary midutil.dll. use this release to resolve
the described issues.

version 8.0i

1. issue:
the virusscan enterprise 7.1 on-access scanner
could take action on data contained in
quarantine folders of other mcafee anti-virus or
security products, unless you excluded those
folders from scanning. for example, if you were
using mcafee groupshield or intrushield on the
same computer where virusscan enterprise
resided, their respective quarantine folders
might contain legitimate infected data. those
quarantine folders should have been excluded
from on-access scanning to avoid the possibility
of cleaning, deleting, or moving the legitimate
infected data.

resolution:
the installer detects the other products and
adds exclusions for them.

2. issue:
resumable scanning did not work for on-demand
scan tasks created and deployed using epolicy
orchestrator 3.0. this occurred if the on-demand
scan that was created in epolicy orchestrator
ended before the scan completed (due to system
shutdown, etc.). when the on-demand scan task
started again, it began scanning at the
beginning, rather than resuming from the last
file scanned.

resolution:
resumable scanning works correctly for on-demand
scan tasks that were created and deployed using
epolicy orchestrator.

3. issue:
when a user with user rights (as opposed to an
administrator with administrator rights) rolled
back dat files, the following error occurred:

"failed to save the version of the dats that
have just been rolled back"

this meant that virusscan enterprise failed to
create the correct registry key identifying that
the rollback had occurred. because of this,
performing an update could allow the rolled-back
dats to be reapplied. this could cause problems
if the rolled-back dat versions were corrupted
(usually the reason for performing a dat
rollback).

normally, virusscan enterprise did not update
dat versions that had been rolled back.

note:
this problem only occurred when a
non-administrator performed the dat rollback.
when administrators performed it, the
rolled-back dat versions could not be applied
through updating.

resolution:
rolled-back dats cannot be reapplied.

4. issue:
the vshield icon did not appear in the system
tray when virusscan enterprise was deployed via
epolicy orchestrator or when a silent
installation was used.

resolution:
the vshield icon now displays in the system tray
after deployment via epolicy orchestrator or
when using a silent installation.

5. issue:
when installing virusscan enterprise to an intel
64-bit processor-based system, the vsupdate.dll
file did not register correctly with the
regsvr32.exe. as a result, when an update was
performed after installation, an error occurred
and the following error message was displayed:

"error occurred while loading com component."

to correctly register the .dll, enter the
following command at the command prompt:

"<drive>:\winnt\syswow64\regsvr32.exe <installation path>vsupdate.dll"

note:
if you are installing virusscan enterprise to
the default location, the installation path
is:

<drive>:\program files\network associates\virusscan\

resolution:
this issue has been resolved in virusscan
enterprise 8.0.

_____________________________________________________
known issues

installing, upgrading, and uninstalling

1. an optional restart is required at the end of
installation to load the tdi network driver.
port blocking, infection trace, and infection
trace blocking are disabled until the computer
is restarted.

2. internet explorer requirement. the virusscan
enterprise 8.0 installation guide incorrectly
lists the internet explorer requirement as
version 5.0 or later. the internet explorer
requirement is version 4.0 with service pack 2
or later.

3. if you plan to install virusscan enterprise 8.0
and use the autoupdate feature on a computer
with a windows nt4 operating system, you must
first install internet explorer 4.0 with service
pack 2 or later on that computer.

if internet explorer 4.0 with service pack 2 or
later is not installed before you begin
installing virusscan enterprise 8.0 on a windows
nt4 operating system, error 1920 "service failed
to start" is generated and you are given the
option to "abort," "retry," or "continue" the
installation. if you "continue" the
installation, the autoupdate component is not
installed. if you decide later to install the
autoupdate feature, you must first install
internet explorer 4.0 with service pack 2 or
later then completely remove virusscan
enterprise 8.0 and re-install it.

4. if you are installing virusscan enterprise on a
windows nt4 terminal server using the
uncompressed setup utility, "setupvse.exe", you
must first switch the terminal server to
"install mode" before you execute
"setupvse.exe." for more information, see
knowledge base article kb37558.

5. to install the virusscan enterprise product
using msiexec.exe, complete these steps:

a. extract the .msi and other files by entering
this command at the command prompt:

setup.exe -nos_ne [-nos_o"<output path>"]

notes:
the -nos_ne command extracts the setup
files from the setup.exe, but does not
execute the setup.exe or delete the setup
files.

the -nos_o"<output path>" command
specifies the folder to which you want to
extract the setup files.

if you do not specify the output path,
the files are extracted to the user
profile's "temp" folder.

b. ensure that any competitor's products are
removed including previous versions of mcafee
virusscan and virusscan enterprise.

c. run msiexec.exe by entering this command at
the command prompt:

"msiexec.exe /i vse800.msi"

6. when installing buffer overflow protection,
these limitations apply:

- if buffer overflow protection is installed on
a computer that already has the mcafee
entercept agent installed on it, the buffer
overflow protection feature is disabled in
the virusscan console.

the mcafee entercept product provides more
complete coverage, so it takes precedence
over the buffer overflow protection feature
in virusscan enterprise.

- buffer overflow protection cannot be
installed on 64-bit platforms.

- when using buffer overflow protection with
microsoft windows xp fast user switching,
only session 0 is protected.

- buffer overflow protection does not protect
terminal sessions for windows terminal server
or citrix metaframe. only the local login is
protected.

7. scriptscan cannot be installed on 64-bit
platforms.

8. right-click scan cannot be installed on 64-bit
platforms.

9. this release supports deployment using
administration installation points (aip).
however, you must run setup.exe from the aip to
perform upgrades or to uninstall other
anti-virus software.

to create an aip, type "setup.exe /a" at the
command prompt. a wizard appears to take you
through the process of creating the aip. when
the aip is created, all of the necessary files
in the compressed (.zip) file are also copied to
the aip. these files are:

- cmu300.nap
- contact.txt
- example.sms
- extra.dat
- install.pkg
- instmsiw.exe
- pkgcatalog.z
- packing.lst
- readme.txt
- setup.ini
- setupvse.exe
- signlic.txt
- uninst.dll
- uninst.ini
- vse800.nap
- vse800det.mcs

since these files are automatically copied to
the aip, the administrator does not need to
manually copy the files.

note:
if you deploy virusscan enterprise via active
directory group policies, which install using
msiexec.exe, you must remove any existing
anti-virus products prior to installing
virusscan enterprise.

10. when silently over-installing the computer
associates etrust antivirus program, the action
is not completely silent. the computer
associates etrust antivirus program displays a
message box stating that a restart is needed
with an "ok" button. once you click "ok", the
over-installation continues normally. this
problem is a known computer associates problem
referenced on the computer associates' web site
under article qo19636. the web site provides a
downloadable file that fixes this problem. the
problem references computer associates etrust
antivirus version 6.0, but the fix also works
for version 7.0.

compatibility with other products

alert manager

1. virusscan enterprise 8.0 can only send alerts to
alert manager 4.7.x. it cannot send alerts to
earlier versions of alert manager.

furthermore, virusscan enterprise 8.0 cannot be
installed on a computer where an alert manager
version earlier than 4.7.x is already installed.
if you are installing virusscan enterprise 8.0
onto a system where alert manager 4.5 or 4.6 is
installed, you should also install alert manager
4.7.x, which automatically replaces the older
version of alert manager.

however, also note that alert manager 4.7.x can
receive alerts from earlier versions of
netshield and virusscan. you can configure
earlier versions of these software programs to
send alerts to an installation of alert manager
4.7.x.

2. when installing alert manager on a windows 2003
(.net) server, alert messages do not
automatically display in virusscan enterprise
8.0. you must manually start the messenger
service:

a. from the start menu, select
settings | control panel | administrative tools | services | messenger

b. open the messenger properties dialog box.

c. on the general tab under "startup type,"
select "automatic."

d. on the general tab under "service status,"
click "start."

e. click "ok" to apply the changes and close the
messenger properties dialog box.

common management agent

1. installing virusscan enterprise 8.0 in epolicy
orchestrator 3.0.x does not automatically
upgrade the common management agent from an
earlier version to 3.5. if you are using epolicy
orchestrator 3.0.x and virusscan enterprise 7.x,
and then add the virusscan enterprise 8.0
installation package to the epolicy orchestrator
repository, the common management agent is not
upgraded to version 3.5.

to upgrade the common management agent from an
earlier version to version 3.5, you must install
common management agent version 3.5, then push
it to the clients or perform an update task.

note:
common management agent 3.5 is not required
when using epolicy orchestrator to manage
virusscan enterprise 8.0. the only
differences between common management agent
version 3.5 and earlier versions are:

- common management agent 3.5 has the ability
to perform selective updating and earlier
versions perform updating as a whole.
selective updating allows you to
individually update just a dat, scanning
engine, patch, etc.

- common management agent 3.5 does not filter
events on the client side.

2. installing epolicy orchestrator 3.0.x fails if
common management agent 3.5 is already
installed. if you attempt to install epolicy
orchestrator 3.0.x on the same computer where
you installed virusscan 8.0, the epolicy
orchestrator installation fails due to an issue
with upgrading the common management agent.
since virusscan enterprise 8.0 installs common
management agent version 3.5 and epolicy
orchestrator 3.0.x installs an earlier version
of the common management agent, the agent cannot
be upgraded and the installation fails.

to resolve this issue, follow these steps:

a. remove virusscan enterprise 8.0.

b. install epolicy orchestrator 3.0.x.

c. re-install virusscan enterprise 8.0.

d. to upgrade the common management agent from an
earlier version to version 3.5 in epolicy
orchestrator 3.0.x, install common management
agent 3.5 in epolicy orchestrator 3.0.x, then
push it to the clients or perform an update
task.

epolicy orchestrator

1. if you are planning to use epolicy orchestrator
to manage virusscan enterprise 8.0, you must use
epolicy orchestrator version 3.0 with service
pack 1 or a later version.

2. selective updating. to use the new selective
updating feature, you must be using epolicy
orchestrator 3.5 or later to manage virusscan
enterprise. earlier versions of epolicy
orchestrator perform updates but do not support
selective updating of just a dat file, scanning
engine, etc.

3. this version of virusscan enterprise 8.0
provides two .nap files that must be added to
the epolicy orchestrator repository. in
addition, if you are running epolicy
orchestrator version 3.0.x, you must run an
update executable to fix an issue related to
registering the event parser, after you add both
of the .nap files.

note:
it is not necessary to run the update
executable if you are using epolicy
orchestrator version 3.5 or later.

these files are included in the virusscan
enterprise 8.0 installation package and can be
found in the location where you downloaded the
files:

- vse800.nap

- vse800reports.nap. this file is an extended
reports .nap file.

- vse800updateforepo30.exe. this file is an
update executable.

a. add both .nap files to the epolicy
orchestrator repository.

note:
we recommend that you install the
vse800reports.nap file before you install
the vse800.nap. installing the .nap files
in this order prevents an issue with the
virusscan enterprise english description
that is displayed under managed products.
see known issue number 8 in this section
for more information.

b. if you are using epolicy orchestrator version
3.0.x, execute the vse800updateforepo30.exe
on the computer where epolicy orchestrator
3.x is installed.

this executable registers the event parser
.dll on epolicy orchestrator 3.0.x servers.
this update fixes an issue with epolicy
orchestrator that causes the event parser to
not be correctly registered when the extended
reports .nap is added.

note:
see the virusscan enterprise 8.0
configuration guide for use with epolicy
orchestrator for details.

4. checking the vsereports.nap file into the
epolicy orchestrator version 3.01 or 3.02
repository may result in an "unspecified
error."

this is a console time-out error which can be
ignored. the server completes the execution of
all of the sql scripts in the .nap file even if
the console timed out.

5. if you are using microsoft sql server version
7.0 with epolicy orchestrator 3.01 or later,
on-demand scan tasks are not preserved when you
check the vse800.nap file into the epolicy
orchestrator repository. you must have microsoft
sql server version 2000 or later installed to
preserve on-demand scan tasks.

6. a replicated repository may become corrupted
when replicating via unc from an epolicy
orchestrator server to a server that has these
file blocking rules enabled in the access
protection properties:

- "prevent remote modification of files
(.exe)"
- "prevent remote modification of files
(.dll)"
- "prevent remote
creation/modification/deletion of anything in
the system root"
- "prevent remote
creation/modification/deletion of files
(.exe)"

when these rules are enabled, some file
replications are blocked because the epolicy
orchestrator server remotely opens the files for
write access and modifies their contents in the
same way that a share-hopping worm does.

if you plan to replicate a repository via unc
from an epolicy orchestrator server, be certain
to disable these file blocking rules on the
target server before you perform the
replication.

7. the epolicy orchestrator compliance baseline
does not recalculate compliance when you remove
items from the repository.

for example, when you check virusscan enterprise
8.0 into the epolicy orchestrator repository, it
is flagged as the new compliance baseline for
the environment. all computers with virusscan
enterprise versions earlier than 8.0 are flagged
as non-compliant. however, if you remove
virusscan enterprise 8.0 from the repository,
rather than recalculate compliance, the
compliance baseline remains at version 8.0. the
compliance baseline only increases
incrementally, even if you re-check virusscan
enterprise 7.1 into the repository.

8. the english description for virusscan enterprise
8.0 may not be available in the epolicy
orchestrator repository under managed products |
windows | virusscan enterprise | 8.0.0 depending
on the order in which you installed the two
virusscan enterprise 8.0 .nap files.

- if you installed the vse800.nap to the
repository before you installed the
vse800reports.nap, the english description is
not available.

- if you installed the vse800reports.nap before
you installed the vse800.nap, the english
description is available.

9. disable event filtering in the epolicy
orchestrator event filtering policy. virusscan
enterprise generates many event ids that are not
listed in the epolicy orchestrator filter list.
to ensure that all virusscan enterprise events
are sent, disable event filtering in the
policy:

a. log on to the epolicy orchestrator console.

b. under "reporting," select "epo databases" and


expand it.

c. select the server and log in.

d. select "events."

e. in the right pane, select "do not filter


events."

f. click "apply" to save these settings.

groupshield

1. if you plan to use groupshield in addition to
virusscan enterprise 8.0 and alert manager
4.7.1, be certain to install groupshield before
you install alert manager. this installation
sequence is required to ensure alerting works
correctly.

protectionpilot

1. if you plan to use protectionpilot to manage
virusscan enterprise 8.0i, you must use
protection pilot version 1.0 with patch 1 or
later.

2. checking the vsereports.nap file into the
protectionpilot repository may result in an
"unspecified error."

this is a console time-out error which can be
ignored. the server completes the execution of
all of the sql scripts in the .nap file even if
the console timed out.

3. selective updating does not work with
protectionpilot. this feature is only available
in epolicy orchestrator 3.5 or later.

third party software

1. spy sweeper. if you are using spy sweeper to
scan the virusscan enterprise installation
folder, a false detection occurs when it detects
bho.dll. this file is not spyware; it is a
component of scriptscan that is installed as
part of virusscan enterprise.

2. microsoft windows xp with service pack 2. if you
are using microsoft windows xp with service pack
2 and plan to manage virusscan enterprise with
epolicy orchestrator, the windows xp firewall
will block the ability to do so unless you add
frameworkservice.exe to the windows xp firewall
exclusions whitelist. for information about how
to do this, refer to the microsoft knowledge
base article 842242.

3. these third party products are not compatible
with the buffer overflow feature of virusscan
enterprise 8.0. if you find it necessary to use
these products, we recommend that you disable
the virusscan enterprise buffer overflow
feature:

- tiny personal firewall

- cyberarmour firewall

- zone alarm pro

note:
when virusscan enterprise 8.0 and zone alarm
pro are both installed on the same computer,
zone alarm pro crashes.

- blackice firewall

note: install virusscan enterprise 8.0 before
you install blackice firewall to ensure they
are compatible.

access protection

1. ports associated with known vulnerabilities and
exploits. use this link to access a web site
that provides top lists of exploited tcp ports.

http://www.us-cert.gov/current/services_ports.html

note:
if you cannot access this link by clicking on
it, copy and paste it into your web browser
to access the site.

2. if you disable the on-access scanner, you also
disable the port blocking rules and the file,
share, and folder rules that you have
configured.

3. if you are using access protection in a
non-english or localized environment, the
default rules may contain references to folders
that do not exist on the localized operating
system. for information about how to fully
utilize these default rules in this scenario,
see the virusscan enterprise best practices
guide.

adding file type extensions

1. if you are using wildcards to specify file type
extensions in either the additional file types
or specified file types dialog boxes, you cannot
use an asterisk (*) as the wildcard. you must
use a question mark (?) as the wildcard when
specifying file type extensions in these
scenarios.

autoupdate

1. updating from a mapped drive only works if you
are logged on when the update occurs and you
have at least read rights to that mapped drive
location. if no one is logged on to the system,
or if you are logged on but do not have at least
read rights to the mapped location, the update
fails.

2. when editing the repository list to use a unc
path, the "edit autoupdate repository list"
dialog box does not validate that the path
entered is in fact a valid unc share before
accepting it. be sure that you enter a valid unc
server, share, and path name. entering an
invalid unc path could cause problems when
updating from this location.

3. extra.dat information in virusscan enterprise
product guide. this corrects information in the
updating section of the virusscan enterprise
product guide.

in the updating section under "activities that
occur during an update task" it incorrectly
states:

"by default, detection for the new virus in
the extra.dat is ignored once the new virus
definition is added to the weekly dat
files."

this should be corrected to state:

"by default, detection for the new virus in
the extra.dat is deleted once the extra.dat
expires."

4. if updating an extra.dat file manually, for
example by copying it to the engine folder, you
must restart the virusscan enterprise e-mail,
on-demand, and on-access scanners before they
can detect and use the new extra.dat file.

- for e-mail scan, close and then restart
microsoft outlook or lotus domino.

- for on-demand scan, stop and restart the
on-demand scanner if it is running, using the
virusscan enterprise console.

- for on-access scan, disable and then
re-enable the on-access scanner using the
virusscan enterprise console.

note:
updating extra.dat files using autoupdate
does not require manually restarting
scanners.

5. if you are using content scanning and filtering
software on your network, you may experience
some problems with updating. this can occur if
your content filtering software modifies a
mcafee update package.
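
autoupdate items 1 and 2 above can both be caught before a path is entered in the repository list. the following pre-check is an added example, not mcafee code: the function name and the sample server and share names are hypothetical, and it checks syntax only, not whether the share is reachable.

```python
import re
from typing import NamedTuple

# characters windows rejects in share, folder, and file names
FORBIDDEN = set('<>:"/|?*') | {chr(c) for c in range(32)}
# conservative server check: netbios/dns name or dotted ipv4 address
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9._-]{0,253}[A-Za-z0-9])?$")
DRIVE_RE = re.compile(r"^[A-Za-z]:")


class RepoPath(NamedTuple):
    kind: str          # "unc", "mapped-drive", or "invalid"
    reason: str
    server: str = ""
    share: str = ""
    subpath: str = ""


def check_repository_path(raw: str) -> RepoPath:
    """classify a repository path by syntax only (hypothetical helper)."""
    path = raw.strip()
    if DRIVE_RE.match(path):
        # item 1: a drive letter resolves only inside a logon session
        return RepoPath("mapped-drive",
                        "needs a logged-on user with read rights")
    if not path.startswith("\\\\"):
        return RepoPath("invalid", "must start with \\\\server\\share")
    parts = path[2:].split("\\")
    if parts[-1] == "":            # tolerate one trailing backslash
        parts.pop()
    if len(parts) < 2:
        return RepoPath("invalid", "server or share name is missing")
    if "" in parts:
        return RepoPath("invalid", "empty component (doubled backslash)")
    server, share, rest = parts[0], parts[1], parts[2:]
    if not HOST_RE.match(server):
        return RepoPath("invalid", f"bad server name: {server!r}")
    for name in [share, *rest]:
        if name in (".", ".."):
            return RepoPath("invalid", "relative component in path")
        if any(ch in FORBIDDEN for ch in name):
            return RepoPath("invalid", f"forbidden character in {name!r}")
        if name.endswith((" ", ".")):
            return RepoPath("invalid", f"trailing space or dot in {name!r}")
    return RepoPath("unc", "ok", server, share, "\\".join(rest))


# constructed sample inputs; server and share names are made up
SAMPLES = [
    r"\\epo-srv01\repository$\vse800",   # well-formed unc path
    "Z:\\mirror",                        # mapped drive (item 1)
    r"\\epo-srv01",                      # share missing
    r"\\epo-srv01\share\..\c$",          # relative component
    "//epo-srv01/share",                 # forward slashes
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = check_repository_path(sample)
        print(f"{sample:36} {result.kind:13} {result.reason}")
```

a path that passes this check still has to be confirmed as reachable from the account that runs the update task.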

buffer overflow protection

1. when the sasser worm or any other malware that
uses ms04-011 infects your system, the infection
may result in an exploited buffer overflow. the
buffer overflow protection feature can detect
and prevent the buffer overflow code from
executing on your computer. although the
execution of malicious code is prevented, the
actual buffer overflow is not stopped. if a
buffer overflow occurs as a result of the sasser
worm, the lsass.exe becomes unstable and the
computer automatically restarts.

2. these third party products are not compatible
with the buffer overflow feature of virusscan
enterprise 8.0. if you find it necessary to use
these products, we recommend that you disable
the virusscan enterprise buffer overflow
feature:

- tiny personal firewall

- cyberarmour firewall

- zone alarm pro

note:
when virusscan enterprise 8.0 and zone alarm
pro are both installed on the same computer,
zone alarm pro crashes.

- blackice firewall

note: install virusscan enterprise 8.0 before
you install blackice firewall to ensure they
are compatible.

log file format

1. the default format for all of the log files is
unicode utf8 except when installing virusscan
enterprise 8.0 on windows nt operating systems.
the default format for log files on windows nt
operating systems is ansi.

lotus notes

1. when accessing a local database on windows 2000
server, windows 2003 server, or windows xp, the
user is prompted for a password. when the user
types the password, the text search dialog is
initiated and the password is inserted into the
text search dialog instead of being inserted
into the password dialog. the password dialog
box is not completely modal. selecting the
dialog box again allows the user to input the
password.

when using lotus client release version 6 or
later, we recommend that you do not prompt for a
password from other notes-based programs. to
select this option follow these steps:

a. from lotus notes, select file | preferences |
security | user security | dialog.

b. select "don't prompt for a password from
other notes-based programs."

note:
this option is not available on other
versions of the lotus client.

2. if you are using microsoft windows xp and lotus
notes, you will receive a "file not found" error
when launching lotus notes from the start menu
or any shortcut that calls upon the default
e-mail client. for more information about this
issue see mcafee knowledge base article
kb37774.

mirror tasks

1. if you are using a virusscan enterprise 8.0
mirror task to mirror the naiftp site, the task
may fail in two ways. first, the task does not
mirror 100% of the files on the ftp site. for
example, if a file is missing on the naiftp
site, the task does not replicate anything other
than the "current" folder. second, if you
configured the schedule to do so, it will
execute the task again, but will not execute any
programs that were specified to run after
successful completion of the task.

note:
if the scheduled mirror task is manually
executed in this scenario, the programs that
are specified to run after successful
completion of the task will run.

we recommend that you use mcafee autoupdate
architect to create a task to mirror the naiftp
site.

scanning

1. on-delivery scanning. when microsoft outlook is
configured to deliver new e-mail to a personal
folder and rules are used to move e-mails, the
on-delivery scanner may not detect infected
e-mails. we do not recommend that you configure
microsoft outlook to deliver new e-mails to a
personal folder if you use rules to move e-mails
to other folders in microsoft outlook.

2. on-demand or right-click scanning of compressed
files. if you are performing an on-demand scan
or a right-click scan on an infected compressed
file with the primary action set to "continue"
(this is the default for right-click scan) and
the secondary action is set to delete or move,
the secondary action fails.

unwanted programs policy

1. wildcards are not supported when configuring
user-defined unwanted programs.

__________________________________________________________
documentation

documentation is included on the product cd and/or
is available with a valid grant number from the
mcafee download site:

https://secure.nai.com/us/forms/downloads/upgrades/login.asp

note:
electronic copies of all product manuals are
saved as adobe acrobat .pdf files. the product
cd includes the latest version of acrobat
reader, or you can download any version from the
adobe web site:

www.adobe.com/prodindex/acrobat/readstep.html

virusscan enterprise documentation

- installation guide.
provides system requirements and instructions
for installing the software.

- product guide.
introduces the product, describes product
features, provides detailed instructions for
configuring the software, deployment, and
ongoing operation and maintenance.

- help system.
a help file, accessed from within the software
application, provides quick access to concepts,
definitions, and procedures for using the
software. includes field-level what's this?
topics (right-click on a feature), full topic
search, indexing, and page-level
context-sensitive help.

- configuration guide.
for use with epolicy orchestrator(r). procedures
for configuring, deploying, and managing mcafee
and third-party products through epolicy
orchestrator management software.

- a license agreement.
the terms under which you may use the product.
read it carefully. if you install the product,
you agree to the license terms.

- this readme file.

- a contact file.
contact information for mcafee services and
resources: technical support, customer service,
avert, beta program, and training. it also
includes a list of phone numbers, street
addresses, web addresses, e-mail addresses, and
fax numbers for the company's worldwide
offices.
__________________________________________________________
participating in the mcafee beta program

to download new beta software or to read about the
latest beta information, visit the beta web site:

http://www.networkassociates.com/us/downloads/beta/mcafeebetahome.htm

to submit your feedback on any mcafee beta product,
send e-mail to:

avbeta@nai.com

mcafee is devoted to providing solutions based on
your input.

__________________________________________________________
contact information

technical support
home page
http://www.networkassociates.com/us/support/

knowledgebase search
https://knowledgemap.nai.com/phpclient/homepage.aspx

primesupport service portal
https://mysupport.nai.com
login credentials required.

mcafee beta program
beta web site
http://www.networkassociates.com/us/downloads/beta/mcafeebetahome.htm

e-mail
avbeta@nai.com

security headquarters: avert
(anti-virus & vulnerability emergency response
team)
home page
http://www.networkassociates.com/us/security/home.asp

virus information library
http://vil.nai.com

avert webimmune
https://www.webimmune.net/default.asp

submit a virus sample
http://vil.nai.com/vil/submit-sample.asp

avert dat notification service
http://vil.nai.com/vil/join-dat-list.asp

download site
home page
http://www.networkassociates.com/us/downloads/

dat file and engine updates
http://www.networkassociates.com/us/downloads/updates/

ftp://ftp.nai.com/pub/antivirus/datfiles/4.x

product upgrades
https://secure.nai.com/us/forms/downloads/upgrades/login.asp
valid grant number required.
contact customer service

training
mcafee security university
http://www.networkassociates.com/us/services/education/mcafee/university.htm

customer service
us, canada, and latin america toll-free:
phone: +1-888-virus no or +1-888-847-8766
monday-friday, 8am-8pm, central time

e-mail: https://secure.nai.com/us/forms/support/request_form.asp

web: http://www.nai.com/us/index.asp
http://www.networkassociates.com/us/support/default.asp

for additional contact information (including
addresses and toll-free numbers for worldwide
offices), see the contact file that accompanied your
original product release.

_____________________________________________________
copyright and trademark attributions

copyright (c) 2004 networks associates technology,
inc. all rights reserved. no part of this
publication may be reproduced, transmitted,
transcribed, stored in a retrieval system, or
translated into any language in any form or by any
means without the written permission of networks
associates technology, inc., or its suppliers or
affiliate companies. to obtain this permission,
write to the attention of the network associates
legal department at: 5000 headquarters drive, plano,
texas 75024, or call +1-972-963-8000.

trademarks
active firewall, active security, activesecurity (in
katakana), activehelp, activeshield, antivirus
anyware and design, bomb shelter, certified network
expert, clean-up, cleanup wizard, clicknet, cnx, cnx
certification certified network expert and design,
covert, design (stylized e), design (stylized n),
disk minder, distributed sniffer system, distributed
sniffer system (in katakana), dr solomon's, dr
solomon's label, entercept, enterprise securecast,
enterprise securecast (in katakana), epolicy
orchestrator, ez setup, first aid, forcefield, gmt,
groupshield, groupshield (in katakana), guard dog,
homeguard, hunter, intrushield, intrusion prevention
through innovation, intruvert networks, languru,
languru (in katakana), m and design, mcafee, mcafee
(in katakana), mcafee and design, mcafee.com, mcafee
virusscan, na network associates, net tools, net
tools (in katakana), netcrypto, netoctopus, netscan,
netshield, netstalker, network associates, network
associates coliseum, netxray, notesguard, nuts &
bolts, oil change, pc medic, pcnotary, primesupport,
recoverkey, recoverkey - international, registry
wizard, ringfence, router pm, securecast,
secureselect, sniffer, sniffer (in hangul),
spamkiller, stalker, tis, tmeg, total network
security, total network visibility, total network
visibility (in katakana), total virus defense,
trusted mail, uninstaller, virex, virus forum,
viruscan, virusscan, webscan, webshield, webshield
(in katakana), websniffer, webstalker, webwall,
what's the state of your ids?, who's watching your
network, wingauge, your e-business defender, zip
manager are registered trademarks or trademarks of
network associates, inc. and/or its affiliates in
the us and/or other countries. sniffer(r) brand
products are made only by network associates, inc.
all other registered and unregistered trademarks
herein are the sole property of their respective
owners.

_____________________________________________________
license & patent information

license agreement

notice to all users: carefully read the appropriate
legal agreement corresponding to the license you
purchased, which sets forth the general terms and
conditions for the use of the licensed software. if
you do not know which type of license you have
acquired, please consult the sales and other related
license grant or purchase order documents that
accompanies your software packaging or that you have
received separately as part of the purchase (as a
booklet, a file on the product cd, or a file
available on the web site from which you downloaded
the software package). if you do not agree to all of
the terms set forth in the agreement, do not install
the software. if applicable, you may return the
product to network associates or the place of
purchase for a full refund.

license attributions

this product includes or may include:

*software developed by the openssl project for use
in the openssl toolkit (http://www.openssl.org/).
*cryptographic software written by eric a. young and
software written by tim j. hudson. *some software
programs that are licensed (or sublicensed) to the
user under the gnu general public license (gpl) or
other similar free software licenses which, among
other rights, permit the user to copy, modify and
redistribute certain programs, or portions thereof,
and have access to the source code. the gpl requires
that for any software covered under the gpl which is
distributed to someone in an executable binary
format, that the source code also be made available
to those users. for any such software covered under
the gpl, the source code is made available on this
cd. if any free software licenses require that
network associates provide rights to use, copy or
modify a software program that are broader than the
rights granted in this agreement, then such rights
shall take precedence over the rights and
restrictions herein. *software originally written
by henry spencer, copyright 1992, 1993, 1994, 1997
henry spencer. *software originally written by
robert nordier, copyright (c) 1996-7 robert nordier.
*software written by douglas w. sauder. *software
developed by the apache software foundation
(http://www.apache.org/). a copy of the license
agreement for this software can be found at
www.apache.org/licenses/license-2.0.txt.
*international components for unicode ("icu")
copyright (c) 1995-2002 international business
machines corporation and others. *software
developed by crystalclear software, inc., copyright
(c) 2000 crystalclear software, inc. *fead(r)
optimizer(r) technology, copyright netopsystems ag,
berlin, germany. *outside in(r) viewer technology
(c) 1992-2001 stellent chicago, inc. and/or outside
in(r) html export, (c) 2001 stellent chicago, inc.
*software copyrighted by thai open source software
center ltd. and clark cooper, (c) 1998, 1999, 2000.
*software copyrighted by expat maintainers.
*software copyrighted by the regents of the
university of california, (c) 1989. *software
copyrighted by gunnar ritter. *software copyrighted
by sun microsystems(r), inc. (c) 2003. *software
copyrighted by gisle aas. (c) 1995-2003. *software
copyrighted by michael a. chase, (c) 1999-2000.
*software copyrighted by neil winton, (c) 1995-1996.
*software copyrighted by rsa data security, inc.,
(c) 1990-1992. *software copyrighted by sean m.
burke, (c) 1999, 2000. *software copyrighted by
martijn koster, (c) 1995. *software copyrighted by
brad appleton, (c) 1996-1999. *software copyrighted
by michael g. schwern, (c) 2001. *software
copyrighted by graham barr, (c) 1998. *software
copyrighted by larry wall and clark cooper, (c)
1998-2000. *software copyrighted by frodo
looijaard, (c) 1997. *software copyrighted by the
python software foundation, copyright (c) 2001,
2002, 2003. a copy of the license agreement for this
software can be found at www.python.org. *software
copyrighted by beman dawes, (c) 1994-1999, 2002.
*software written by andrew lumsdaine, lie-quan lee,
jeremy g. siek (c) 1997-2000 university of notre
dame. *software copyrighted by simone bordet &
marco cravero, (c) 2002. *software copyrighted by
stephen purcell, (c) 2001. *software developed by
the indiana university extreme! lab
(http://www.extreme.indiana.edu/). *software
copyrighted by international business machines
corporation and others, (c) 1995-2003. *software
developed by the university of california, berkeley
and its contributors. *software developed by ralf
s. engelschall <rse@engelschall.com> for use in the
mod_ssl project (http://www.modssl.org/). *software
copyrighted by kevlin henney, (c) 2000-2002.
*software copyrighted by peter dimov and multi media
ltd. (c) 2001, 2002. *software copyrighted by david
abrahams, (c) 2001, 2002. see
http://www.boost.org/libs/bind/bind.html for
documentation. *software copyrighted by steve
cleary, beman dawes, howard hinnant & john maddock,
(c) 2000. *software copyrighted by boost.org, (c)
1999-2002. *software copyrighted by nicolai m.
josuttis, (c) 1999. *software copyrighted by jeremy
siek, (c) 1999-2001. *software copyrighted by
daryle walker, (c) 2001. *software copyrighted by
chuck allison and jeremy siek, (c) 2001, 2002.
*software copyrighted by samuel krempp, (c) 2001.
see http://www.boost.org for updates, documentation,
and revision history. *software copyrighted by doug
gregor (gregod@cs.rpi.edu), (c) 2001, 2002.
*software copyrighted by cadenza new zealand ltd.,
(c) 2000. *software copyrighted by jens maurer, (c)
2000, 2001. *software copyrighted by jaakko järvi
(jaakko.jarvi@cs.utu.fi), (c) 1999, 2000. *software
copyrighted by ronald garcia, (c) 2002. *software
copyrighted by david abrahams, jeremy siek, and
daryle walker, (c) 1999-2001. *software copyrighted
by stephen cleary (shammah@voyager.net), (c) 2000.
*software copyrighted by housemarque oy
<http://www.housemarque.com>, (c) 2001. *software
copyrighted by paul moore, (c) 1999. *software
copyrighted by dr. john maddock, (c) 1998-2002.
*software copyrighted by greg colvin and beman
dawes, (c) 1998, 1999. *software copyrighted by
peter dimov, (c) 2001, 2002. *software copyrighted
by jeremy siek and john r. bandela, (c) 2001.
*software copyrighted by joerg walter and mathias
koch, (c) 2000-2002.

patent information

protected by us patents 6,006,035; 6,029,256;
6,035,423; 6,151,643; 6,230,288; 6,266,811;
6,269,456; 6,457,076; 6,496,875; 6,542,943;
6,594,686; 6,611,925; 6,622,150.

dbn 010-en

v3.0.0
