McAfee Security for Mac OS X
The McAfee Security suite on Mac OS X has presented unique challenges for Radmind management over the years. The following recipe provides a starting point for managing McAfee Security and McAfee VirusScan 9 in an environment where McAfee ePolicy Orchestrator (ePO) is not used to manage Mac OS X clients.
 Application-specific command file
One way you might manage the McAfee Security suite — including the standalone VirusScan antimalware component — is to start with an application-specific command-in-command (k-in-k) file:
k mcafee-security-1.0-excludes-kink.K n mcafee-security-1.0-antimalware-negative.T
The contents of the exclusion command file and negative transcript were initially determined by installing the software, capturing an initial transcript, waiting for a period of time, and then attempting to upload to the Radmind server. Any paths that failed upload for any reason during the lcreate phase were considered candidates for exclusion or negative transcripts. Consider the following information to be a starting point, and please add to it if you can make improvements.
Note that, like McAfee VirusScan before it, McAfee Security may continue to install components that are architecture-specific. You may not be able to create a single application command file that works for both Intel and PowerPC Macs, if your environment requires support of both.
Examining the installer packages for McAfee Security or VirusScan will reveal that a number of changes are made to the filesystem in scripts, which further complicates system administrators’ understanding of how to best install and manage the software.
 Group deployment with positive transcript
McAfee VirusScan and McAfee Security both create a new group named “Virex” in the local Mac OS X directory service at installation time. This takes place in one of the installation scripts.
Unlike all bundled Mac OS X groups, the name of the “Virex” group is capitalized — and with the rebadging of Virex as VirusScan (and then McAfee Security), it no longer reflects the product’s name.
If you have standardized on non-NetInfo versions of Mac OS X, you can create this group on all of your managed systems by distributing a DSLocal property list file via Radmind. It is suggested that you create the group to your liking — customizing the GID, for example — before you install the software. This ensures that the files laid down by the McAfee Security installation — and your positive transcript of the software — will reflect your customizations to the group.
AppleMetaNodeLocation: /Local/Default GeneratedUID: [automatically generated] PrimaryGroupID: [insert your GID here] RecordName: Virex RecordType: dsRecTypeStandard:Groups
Once you have created the group, or accepted the one created for you by the McAfee Security installer, you can capture it in a positive transcript. You will have to capture this explicitly with the Radmind tools (“fsdiff -1” is suggested to get this single file), as the DSLocal database is normally in negative space.
f /private/var/db/dslocal/nodes/Default/groups/Virex.plist 0600 0 0 1232396936 407 8cs+HcMBq1Cf3FHTncUoXOIMxf0=
Once you have captured a transcript for the Virex group, you can update the application-specific command file:
k mcafee-security-1.0-excludes-kink.K n mcafee-security-1.0-antimalware-negative.T p mcafee-security-1.0-virexgroup.T
 Exclusion patterns
Exclusion patterns are useful for completely ignoring a path when it would otherwise appear in a transcript. In the case of McAfee Security, the exclusion patterns are intended to match files that the software uses in the process of running. Candidate paths represent files do not need to be installed or maintained — it may be detrimental to the functioning of the software to do so.
Some of these patterns attempt to match very specific paths for directory contents, where a negative transcript line for the directory might have been used instead. This is done to reduce the overall number of directories that are left unmanaged because they are in negative.
The exclusion command file’s contents are:
# Exclude PID file x /Library/McAfee/cma/scratch/.cma.pid # Pre-emptively exclude generate_guid file on a hunch x /Library/McAfee/cma/scratch/.generate_guid # Exclude DAT directories, 0000-9999 # Will specifically include 0000 directory, based on first number in pattern x /usr/local/McAfee/AntiMalware/dats/ # Exclude DAT update files, avv*.dat in the directories above # Will also specifically include the contents of the 0000 directory x /usr/local/McAfee/AntiMalware/dats//avv*.dat
 Negative transcript
For McAfee Security, negative transcript lines indicate files and directories which do need to exist, but may change over time during the operation of the software. The negative command file’s contents are:
f /Library/McAfee/cma/bin/randseed.rnd 0644 0 0 1252955747 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk= f /Library/McAfee/cma/scratch/etc/McScript.log 0644 0 0 1252955747 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk= f /Library/McAfee/cma/scratch/etc/log 0644 0 0 1252955747 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk= f /Library/McAfee/cma/scratch/update/Current/AUENGINEMETA/AUEngineContentDetection.McS 0744 0 0 1252960665 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk= f /Library/McAfee/cma/scratch/update/Current/MSCANENG1000/V2datdet.mcs 0744 0 0 1252955747 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk= f /Library/McAfee/cma/scratch/update/Current/MSCANENG1000/V2engdet.mcs 0744 0 0 1252955747 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk= f /Library/McAfee/cma/scratch/update/Current/VSCANDAT1000/V2datdet.mcs 0744 0 0 1252960665 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk= f /Library/McAfee/cma/scratch/update/Current/VSCANDAT1000/randseed.rnd 0644 0 0 1252955747 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk= f /Library/McAfee/cma/scratch/update/UpdateHistory.ini 0644 0 0 1252955747 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk= f /Library/McAfee/cma/scratch/update/catalog.z 0744 0 0 1252955747 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk= f /Library/McAfee/cma/scratch/update/randseed.rnd 0644 0 0 1252955747 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk= f /Library/Preferences/com.mcafee.ssm.antimalware.plist 0644 0 80 1252955747 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk= d /Quarantine 0770 0 499 f /usr/local/McAfee/AntiMalware/var/AntiMalwareTraces.log 0666 0 499 1252954684 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk= f /usr/local/McAfee/AntiMalware/var/VSMacDatabase.db 0774 0 499 1252955747 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk= d /usr/local/McAfee/AntiMalware/var/tmp 0775 0 499 f /usr/local/McAfee/AntiMalware/var/tmp/LSOFOutput.txt 0644 0 499 1252955122 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk= f /usr/local/McAfee/fmp/var/FMP.db 0644 0 499 1252954681 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk= s /usr/local/McAfee/fmp/var/fmpdsocket 0777 0 499 f /usr/local/McAfee/fmp/var/fmpdtraces.log 0644 0 499 1258384994 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
 Positive transcripts
After you have the Virex group positive transcript, exclusion command file, and negative transcript captured, you can begin to create a standard positive transcript for McAfee Security.
If you find improvements that can be made to the recipe above, please edit this page!