McAfee Security for Mac OS X
From radmind
The McAfee Security suite on Mac OS X has presented unique challenges for Radmind management over the years. The following recipe provides a starting point for managing McAfee Security and McAfee VirusScan 9 in an environment where McAfee ePolicy Orchestrator (ePO) is not used to manage Mac OS X clients.
Application-specific command file
One way you might manage the McAfee Security suite — including the standalone VirusScan antimalware component — is to start with an application-specific command-in-command (k-in-k) file:
k mcafee-security-1.0-excludes-kink.K
n mcafee-security-1.0-antimalware-negative.T
The contents of the exclusion command file and negative transcript were initially determined by installing the software, capturing an initial transcript, waiting for a period of time (so that the software had a chance to update and write its working files), and then attempting to upload to the Radmind server. Any path that failed to upload for any reason during the lcreate phase was treated as a candidate for an exclusion pattern or a negative transcript entry. Consider the following information a starting point, and please add to it if you can make improvements.
Note that, like McAfee VirusScan before it, McAfee Security may continue to install components that are architecture-specific. You may not be able to create a single application command file that works for both Intel and PowerPC Macs, if your environment requires support of both.
Examining the installer packages for McAfee Security or VirusScan will reveal that a number of changes are made to the filesystem in scripts, which further complicates system administrators’ understanding of how to best install and manage the software.
Group deployment with positive transcript
McAfee VirusScan and McAfee Security both create a new group named “Virex” in the local Mac OS X directory service at installation time. This takes place in one of the installation scripts.
Unlike all bundled Mac OS X groups, the name of the “Virex” group is capitalized — and with the rebadging of Virex as VirusScan (and then McAfee Security), it no longer reflects the product’s name.
If you have standardized on non-NetInfo versions of Mac OS X (10.5 and later, which keep the local directory node in DSLocal), you can create this group on all of your managed systems by distributing a DSLocal property list file via Radmind. It is suggested that you create the group to your liking, customizing the GID for example, before you install the software. This ensures that the files laid down by the McAfee Security installation, and your positive transcript of the software, will reflect your customizations to the group.
AppleMetaNodeLocation: /Local/Default
GeneratedUID: [automatically generated]
PrimaryGroupID: [insert your GID here]
RecordName: Virex
RecordType: dsRecTypeStandard:Groups
Once you have created the group, or accepted the one created for you by the McAfee Security installer, you can capture it in a positive transcript. You will have to capture this explicitly with the Radmind tools ("fsdiff -1" on the single plist file is suggested, with a checksum option such as "-c sha1" so that the line carries a checksum), because the DSLocal database is normally in negative space and would otherwise not be captured.
f /private/var/db/dslocal/nodes/Default/groups/Virex.plist 0600 0 0 1232396936 407 8cs+HcMBq1Cf3FHTncUoXOIMxf0=
Once you have captured a transcript for the Virex group, you can update the application-specific command file:
k mcafee-security-1.0-excludes-kink.K
n mcafee-security-1.0-antimalware-negative.T
p mcafee-security-1.0-virexgroup.T
Exclusion patterns
Exclusion patterns are useful for completely ignoring a path when it would otherwise appear in a transcript. In the case of McAfee Security, the exclusion patterns are intended to match files that the software creates and rewrites while running. Such paths represent files that do not need to be installed or maintained by Radmind; doing so may even be detrimental to the functioning of the software, since a run of lapply would overwrite state the software expects to own.
Some of these patterns attempt to match very specific paths for directory contents, where a negative transcript line for the directory might have been used instead. This is done to reduce the overall number of directories that are left unmanaged because they are in negative.
Note that the first character class in the DAT directory patterns starts at 1, not 0. That is what keeps the installer's 0000 directory managed, but it also means that a DAT directory numbered 0001 through 0999 would not be excluded; the patterns assume four-digit DAT version numbers with a non-zero leading digit.
The exclusion command file's contents are:
# Exclude PID file
x /Library/McAfee/cma/scratch/.cma.pid
# Pre-emptively exclude generate_guid file on a hunch
x /Library/McAfee/cma/scratch/.generate_guid
# Exclude DAT directories 1000-9999
# The first character class omits 0, so the 0000 directory (and any 0001-0999) is not matched
x /usr/local/McAfee/AntiMalware/dats/[123456789][0123456789][0123456789][0123456789]
# Exclude DAT update files, avv*.dat, in the directories above
# The contents of the 0000 directory are likewise not matched
x /usr/local/McAfee/AntiMalware/dats/[123456789][0123456789][0123456789][0123456789]/avv*.dat
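The following shell script is an added example, not code from this page or from the Radmind project. It reproduces the four "x" patterns above as POSIX "case" patterns and runs them over constructed sample paths, so you can see exactly which DAT directories and files the patterns catch and which they leave managed. It assumes that Radmind matches "x" patterns as fnmatch(3)-style globs (bracket classes, and "*" matching across "/"), which the shell's "case" statement reproduces for these particular patterns; the DAT file names used as samples (avvscan.dat, legal.txt) are illustrative.

```shell
#!/bin/sh
# Added example: not from the radmind wiki page or the radmind project.
# Tests which paths the four "x" lines of mcafee-security-1.0-excludes-kink.K
# match. Assumption: radmind matches "x" patterns as fnmatch(3)-style globs,
# which POSIX "case" reproduces here (bracket classes; "*" also matches "/").

# excluded PATH -> exit status 0 if PATH matches an exclusion pattern, else 1
excluded() {
    case "$1" in
        # PID file and the pre-emptively excluded generate_guid file
        /Library/McAfee/cma/scratch/.cma.pid) return 0 ;;
        /Library/McAfee/cma/scratch/.generate_guid) return 0 ;;
        # DAT directories: the first class is 1-9, so only 1000-9999 match;
        # 0000 (and 0001-0999) stay managed
        /usr/local/McAfee/AntiMalware/dats/[123456789][0123456789][0123456789][0123456789]) return 0 ;;
        # avv*.dat inside those directories; other files in them are NOT excluded
        /usr/local/McAfee/AntiMalware/dats/[123456789][0123456789][0123456789][0123456789]/avv*.dat) return 0 ;;
    esac
    return 1
}

# classify PATH -> prints "exclude" or "keep"
classify() {
    if excluded "$1"; then echo exclude; else echo keep; fi
}

# Constructed sample paths; avvscan.dat and legal.txt are illustrative names
report() {
    for p in \
        /Library/McAfee/cma/scratch/.cma.pid \
        /usr/local/McAfee/AntiMalware/dats/0000 \
        /usr/local/McAfee/AntiMalware/dats/0000/avvscan.dat \
        /usr/local/McAfee/AntiMalware/dats/0512 \
        /usr/local/McAfee/AntiMalware/dats/5771 \
        /usr/local/McAfee/AntiMalware/dats/5771/avvscan.dat \
        /usr/local/McAfee/AntiMalware/dats/5771/legal.txt \
        /usr/local/McAfee/AntiMalware/dats/57710 \
        /Library/McAfee/cma/scratch/etc/log
    do
        printf '%-8s %s\n' "$(classify "$p")" "$p"
    done
}

report
```

Running it shows the two gaps worth knowing about before you rely on these patterns: a numbered directory with a leading zero (0512 in the sample) is kept, and a file inside an excluded DAT directory that does not match avv*.dat (legal.txt in the sample) is still reported by fsdiff and would end up in a positive transcript.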
Negative transcript
For McAfee Security, negative transcript lines indicate files and directories which do need to exist, but may change over time during the operation of the software. Negative entries are enforced for existence, type, ownership and mode only; their contents are not compared, which is why every file entry below records a size of 0 and the same checksum (the SHA-1 of an empty file). The negative transcript's contents are:
f /Library/McAfee/cma/bin/randseed.rnd 0644 0 0 1252955747 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
f /Library/McAfee/cma/scratch/etc/McScript.log 0644 0 0 1252955747 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
f /Library/McAfee/cma/scratch/etc/log 0644 0 0 1252955747 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
f /Library/McAfee/cma/scratch/update/Current/AUENGINEMETA/AUEngineContentDetection.McS 0744 0 0 1252960665 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
f /Library/McAfee/cma/scratch/update/Current/MSCANENG1000/V2datdet.mcs 0744 0 0 1252955747 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
f /Library/McAfee/cma/scratch/update/Current/MSCANENG1000/V2engdet.mcs 0744 0 0 1252955747 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
f /Library/McAfee/cma/scratch/update/Current/VSCANDAT1000/V2datdet.mcs 0744 0 0 1252960665 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
f /Library/McAfee/cma/scratch/update/Current/VSCANDAT1000/randseed.rnd 0644 0 0 1252955747 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
f /Library/McAfee/cma/scratch/update/UpdateHistory.ini 0644 0 0 1252955747 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
f /Library/McAfee/cma/scratch/update/catalog.z 0744 0 0 1252955747 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
f /Library/McAfee/cma/scratch/update/randseed.rnd 0644 0 0 1252955747 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
f /Library/Preferences/com.mcafee.ssm.antimalware.plist 0644 0 80 1252955747 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
d /Quarantine 0770 0 499
f /usr/local/McAfee/AntiMalware/var/AntiMalwareTraces.log 0666 0 499 1252954684 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
f /usr/local/McAfee/AntiMalware/var/VSMacDatabase.db 0774 0 499 1252955747 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
d /usr/local/McAfee/AntiMalware/var/tmp 0775 0 499
f /usr/local/McAfee/AntiMalware/var/tmp/LSOFOutput.txt 0644 0 499 1252955122 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
f /usr/local/McAfee/fmp/var/FMP.db 0644 0 499 1252954681 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
s /usr/local/McAfee/fmp/var/fmpdsocket 0777 0 499
f /usr/local/McAfee/fmp/var/fmpdtraces.log 0644 0 499 1258384994 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
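Because a negative transcript pins ownership and mode for files the software rewrites at runtime, it is worth reviewing what those lines actually grant. The shell script below is an added example, not code from this page or from the Radmind project: it parses transcript lines in the field order used above (type, path, mode, uid, gid, and for "f" entries mtime, size, checksum), flags any regular file or directory whose mode is world-writable, and checks that each "f" entry is the expected zero-size placeholder carrying the empty-file checksum. The four sample lines embedded in it are copied from the transcript above; everything else is the example's own.

```shell
#!/bin/sh
# Added example: not from the radmind wiki page or the radmind project.
# Audits negative transcript lines. Field order, as in the transcript above:
#   type path mode uid gid                         ("d" and "s" entries)
#   type path mode uid gid mtime size checksum     ("f" entries)
# The checksum is the base64 SHA-1 of the contents; for the zero-size
# placeholders in a negative transcript that is the SHA-1 of an empty file.

# Sample lines copied from the negative transcript above
SAMPLE='f /Library/McAfee/cma/bin/randseed.rnd 0644 0 0 1252955747 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
d /Quarantine 0770 0 499
f /usr/local/McAfee/AntiMalware/var/AntiMalwareTraces.log 0666 0 499 1252954684 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
s /usr/local/McAfee/fmp/var/fmpdsocket 0777 0 499'

EMPTY_SHA1='2jmj7l5rSw0yVb/vlWAYkK/YBwk='   # base64 SHA-1 of zero bytes

# world_writable MODE -> 0 if the octal mode string grants write to "other"
world_writable() {
    case "$1" in
        *[2367]) return 0 ;;
    esac
    return 1
}

# placeholder_ok TYPE SIZE CHECKSUM -> 0 unless an "f" entry has a non-zero
# size or a checksum other than the empty-file value
placeholder_ok() {
    [ "$1" != f ] && return 0
    [ "$2" = 0 ] && [ "$3" = "$EMPTY_SHA1" ]
}

# audit TRANSCRIPT_TEXT -> prints one WARN line per finding; exit status is
# the number of findings (0 = clean). Only "f" and "d" entries are checked
# for world-writability.
audit() {
    findings=0
    while read -r type path mode uid gid mtime size sum; do
        [ -z "$type" ] && continue
        case "$type" in
            f|d)
                if world_writable "$mode"; then
                    echo "WARN world-writable: $type $path $mode ($uid:$gid)"
                    findings=$((findings + 1))
                fi ;;
        esac
        if ! placeholder_ok "$type" "$size" "$sum"; then
            echo "WARN not an empty placeholder: $path size=$size"
            findings=$((findings + 1))
        fi
    done <<EOF
$1
EOF
    return $findings
}

audit "$SAMPLE" || echo "findings: $?"
```

On the sample lines the only finding is AntiMalwareTraces.log at mode 0666: lapply will restore that mode on every run, so if you decide a tighter mode is appropriate for a trace log, change it in the transcript rather than on the client, where it would be reverted.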
Positive transcripts
After you have the Virex group positive transcript, exclusion command file, and negative transcript captured, you can begin to create a standard positive transcript for McAfee Security.
If you find improvements that can be made to the recipe above, please edit this page!