Mcafee
TRADEMARK ATTRIBUTIONS
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active
Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence,
McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee
Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries.
Other marks and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Preface
About this guide
Audience
Conventions
Find product documentation
1 Introduction
Why you need security for Mac
How McAfee Endpoint Security for Mac protects your system
Threat Prevention
Firewall
Web Control
Product features
5 Troubleshooting
Run the repairMSC utility
8 Managing the software with McAfee ePO and McAfee ePO Cloud
Using Endpoint Security extensions as common extensions
Manage policies
Create or modify policies
Assign policies
Monitor the McAfee Agent status
Common policy
Configuring client interface access
Preventing client software uninstallation
Self Protection
Configuring debug logging
Default Client Update
Configure the Common policy
Threat Prevention policy
Configure On-Access Scan policy
Configure On-Demand Scan policy (Full Scan)
Configure an On-Demand Scan policy (Quick Scan)
Exclude files or directories from scanning
Schedule a full or quick scan on managed Mac
Schedule a custom on-demand scan
Schedule the DAT update
Firewall policy
Configure a firewall rules policy
Configure a Firewall Options policy
Configure location awareness options
Configure DNS blocking options
Web Control policy
Enable or disable Web Control
Configure site rating actions
Configuring actions for unverified sites
Define Block and Allow List
Configure browser events
Configure Web Control Options policy
Queries and reports
Queries for Threat Prevention
Queries for Firewall
Queries for Web Control
Other queries
Index
This guide provides the information you need to work with your McAfee product.
Contents
About this guide
Find product documentation
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
• Users — People who use the computer where the software is running and can access some or all of
its features.
Conventions
This guide uses these typographical conventions and icons.
Task
1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.
2 In the Knowledge Base pane under Content Source, click Product Documentation.
3 Select a product and version, then click Search to display a list of documents.
McAfee® Endpoint Security for Mac is a comprehensive security solution that protects your Mac and
minimizes the risk of exposure to threats.
You can use the software on standalone and managed Mac systems.
• For a standalone Mac — You or your Mac administrator can install the software and configure
settings using the interface.
• For a managed Mac — Your system administrator sets up and configures security policies using
these servers.
• McAfee® ePolicy Orchestrator® (McAfee ePO™)
Contents
Why you need security for Mac
How McAfee Endpoint Security for Mac protects your system
Product features
Targeted security threats devised by cyber criminals and hackers continue to evolve, and the risk
they pose keeps increasing. Analyst reports say that the overall number of malware samples has
reached more than 450 million, which underlines the importance of securing your Mac from these threats.
The threats and reported vulnerabilities that can harm your Mac are:
Spyware Tracks every key you type to access sensitive information, such as user name
and password and other personal details.
Example: Keyloggers
Botnet breakdowns Infects your system or network and controls it remotely to spread malware.
Web-based threats Infects your Mac when you access malicious sites.
Based on the modules that you have installed and enabled, McAfee Endpoint Security for Mac protects
your Mac from malware, network threats, and web-based threats.
Threat Prevention
The Threat Prevention module proactively protects your Mac from malware by taking predefined
actions when it detects malware and suspicious items.
When enabled, Threat Prevention checks for viruses, trojans, unwanted programs, and other threats
by scanning items. The software scans files and folders on local volumes, network-mounted volumes,
and removable media whenever you create or access them. You can also run scans on demand.
• Compares them with the known signatures stored in the DAT files to identify malware.
In addition, McAfee® Global Threat Intelligence™ (McAfee GTI) (heuristic network check for suspicious
files) looks for suspicious files and programs running on client systems that Threat Prevention
protects.
Firewall
The Firewall module filters incoming and outgoing network traffic, allowing or blocking it as defined in
the rules. Each rule defines a set of conditions that the network traffic must meet and an associated
action that is executed when the traffic meets them.
Stateful filtering and packet inspection identify data packets for different types of connections and hold
the connection attributes in memory until the end of the session. When the first data packet of a new
session arrives, Firewall matches the packet against the rules list. If the data packet matches an
existing allow rule, a new entry is added to the state table and the traffic is allowed, and its
subsequent packets are allowed without further verification for that session. When the session is
completed or timed out, the entry is removed from the table.
If the data packet does not match any existing rule, Firewall blocks the network traffic.
• Regular mode — When the network packet adheres to a rule’s condition, the associated action
defined in the rule is executed. If no matching rule is found, the network packet is blocked.
• Adaptive mode — When the network packet matches a rule’s conditions, the associated action
defined in the rule is executed. If no matching rule is found, the packet is allowed and a rule is
created to allow similar packets later.
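The first-packet rule match, the state table, and the two modes described above can be modeled in a short script. This is an added illustration, not McAfee code: the class and field names, the 60-second timeout, the granularity of a learned rule (protocol, destination, port), and the constructed sample packets are assumptions, and rules are evaluated top-down as the guide describes for rule processing.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    last: bool = False  # constructed marker for the final packet of a session

    def session_key(self):
        # Both directions of one connection map to the same state-table entry.
        ends = sorted([(self.src, self.sport), (self.dst, self.dport)])
        return (self.proto, ends[0], ends[1])


@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "block"
    proto: Optional[str] = None  # None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None
    learned: bool = False        # True when the rule was created by adaptive mode

    def matches(self, pkt):
        return all(want is None or want == got for want, got in (
            (self.proto, pkt.proto), (self.dst, pkt.dst), (self.dport, pkt.dport)))


class StatefulFirewall:
    def __init__(self, rules, mode="regular", timeout=60):
        self.rules = list(rules)
        self.mode = mode         # "regular" or "adaptive"
        self.timeout = timeout   # assumed idle timeout in seconds
        self.state = {}          # session key -> time the last packet was seen

    def _expire(self, now):
        for key in [k for k, seen in self.state.items() if now - seen > self.timeout]:
            del self.state[key]

    def _track(self, pkt, now):
        if pkt.last:             # session completed: drop the entry
            self.state.pop(pkt.session_key(), None)
        else:
            self.state[pkt.session_key()] = now

    def process(self, pkt, now):
        """Return (verdict, reason) for one packet seen at time `now` (seconds)."""
        self._expire(now)
        if pkt.session_key() in self.state:
            self._track(pkt, now)
            return ("allow", "state")      # no rule lookup for known sessions
        for rule in self.rules:            # top-down, first match wins
            if rule.matches(pkt):
                if rule.action == "allow":
                    self._track(pkt, now)
                return (rule.action, rule.name)
        if self.mode == "adaptive":        # no match: allow and learn a rule
            name = f"learned-{pkt.proto}-{pkt.dst}-{pkt.dport}"
            self.rules.append(Rule(name, "allow", pkt.proto, pkt.dst, pkt.dport, learned=True))
            self._track(pkt, now)
            return ("allow", "learned")
        return ("block", "no-match")       # regular mode: implicit block

    def learned_rules(self):
        return [r for r in self.rules if r.learned]


# Constructed sample traffic using documentation-range addresses.
CLIENT, WEB, OTHER = "192.0.2.5", "198.51.100.10", "203.0.113.7"
BASE_RULES = [Rule("allow-https", "allow", proto="tcp", dport=443)]


def run_demo(mode):
    fw = StatefulFirewall(BASE_RULES, mode=mode)
    traffic = [
        (0, Packet("tcp", CLIENT, 50000, WEB, 443)),    # first packet, matches a rule
        (1, Packet("tcp", WEB, 443, CLIENT, 50000)),    # reply, allowed by state only
        (2, Packet("tcp", CLIENT, 50001, OTHER, 23)),   # no rule covers this
        (100, Packet("tcp", WEB, 443, CLIENT, 50000)),  # arrives after the entry timed out
    ]
    return [fw.process(pkt, t) for t, pkt in traffic], fw.learned_rules()


if __name__ == "__main__":
    for mode in ("regular", "adaptive"):
        verdicts, learned = run_demo(mode)
        print(mode, verdicts, [r.name for r in learned])
```

In the adaptive run the late packet at t=100 is allowed and leaves a second learned rule behind, so rules created in adaptive mode are worth reviewing before they are kept.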
Controlled network access protection permits the Mac to access only authorized networks, minimizing
the risk from network threats.
Web Control
Web Control protects your Mac from online threats, called web-based threats, when you browse sites.
The software monitors each site that you access or browse, validates its safety ratings, and allows or
blocks the site according to the configuration.
Web Control provides safety ratings at two levels. In the browser, the software:
• Displays a safety rating icon for each site that the search engine lists
The default setting blocks access to malicious sites that can harm your Mac.
Product features
This release of the software includes these features.
Threat Prevention
• On-Access Scan — Scans files and directories for threats whenever users access them.
• On-Demand Scan — Schedules a scan on files and directories at specific times. Each on-demand
scan contains its own policy settings. You can also run Full Scan or Quick Scan on a Mac.
• McAfee GTI — Supports McAfee GTI, a heuristic network lookup for suspicious files for on-access
and on-demand scanning.
• Policy-Based On-Demand Scan client tasks — Run a Quick Scan or Full Scan on the Endpoint
Security Client from McAfee ePO. Configure the behavior of these scans in the policy settings for
On-Demand Scan.
• 5800 Engine support — Pre-packaged with the latest 5800 engine that provides enhanced
detection capabilities.
• Product Update client tasks — Update the engine and content files automatically from the
McAfee download website.
• Extra.DAT files — Download and install Extra.DAT files to provide protection from a major virus
outbreak.
• Scheduled tasks — Modify client tasks (such as Product Update) and scan times to improve
performance by running them during non-peak times.
• Content repositories — Reduce network traffic over the enterprise Internet or intranet by moving
the content file repository closer to the clients.
• Scan policies — Analyze log files or queries and modify policies to increase performance or virus
protection, if necessary. For example, you can improve performance by configuring exclusions.
• Additional options when scheduling on-demand scans — Allows you to run an on-demand
scan when the system is idle or not running on battery power.
• Exclusion of files and directories from scanning — Excludes specific files and directories from
on-access scanning and on-demand scanning using criteria such as file type, extension, file age, or
wildcards.
• Option to scan network volumes, compressed files, and Apple emails — Exclude or include
mounted network volumes, compressed files, and Apple emails from scanning.
• Option to retain client-side exclusions — Overwrites or retains the client exclusion list for
on-access scanning in a managed environment.
Firewall
• Regular mode — Executes the associated action defined in the rule, when the network packet
adheres to a rule's condition. If no matching rule is found, the network packet is blocked.
• Adaptive mode — Executes the associated action defined in the rule, when the network packet
adheres to a rule's condition. If no matching rule is found, the network packet is allowed and a rule
is created to allow similar packets later.
• Stateful firewall — Validates each packet for different connections against predefined rules,
holding the connection attributes in memory from beginning‑to‑end.
• Domain Name System (DNS) blocking — Blocks access to networks that can include unwanted
domains.
• Defined networks — Define networks including subnets, ranges, or a single IP address that can
be used while creating firewall rules. You can also configure Firewall to trust networks.
• Stateful FTP inspection — Creates dynamic rules automatically for FTP data connections, by
actively monitoring the FTP commands on the control channel.
• Location awareness — Create separate rules for locations, such as office or home network.
• Firewall events — Send Allow and Block events to McAfee® ePolicy Orchestrator® (McAfee ePO™).
Web Control
• Support for Google Chrome browser — Protects your Mac from web-based threats, when you
browse sites using the Google Chrome browser.
• Safety ratings button — Displays the safety rating in the upper-left corner of the browser when
you access the site. The color of the button indicates the risk associated with the site.
The software supports Safari 7.1 and later, 8.0 and later, and 9.0 and later, and Google Chrome 49
and later browser versions.
• Search Annotation — Displays the safety rating icon next to each site listed by the search engine.
The color of the icon indicates the risk associated with the site.
• Web category blocking — Configure access to sites based on their content type.
• Block and Allow List — Create a list of sites to allow or block based on URLs and domains.
• Logging events — Monitor and regulate browser activity and log events for:
• Sites configured in the Block and Allow List
Common Policy
• Self Protection — Protects the security software files and folders from malware and from being
changed or deleted.
• Password protection for client interface — Configure different access levels for users as
needed. You can also prevent users from changing the protection preferences.
• Password protection for uninstallation — Set password protection for the client software to
prevent removal of the software from the Mac.
General
• Common extensions to manage Windows, Macintosh, and Linux systems — Use McAfee®
Endpoint Security extensions as common extensions to manage policies for your Windows, Mac,
and Linux systems.
• Common McAfee ePO Dashboard and queries — Use the McAfee ePO dashboard to view the
status of managed Mac and Windows systems.
• Turn off protection using the command-line option during product deployment — You can
disable Threat Prevention and Firewall protection using the command-line option from the McAfee
ePO server when deploying the software on managed Mac systems. For more information about
using the command-line option, see McAfee KnowledgeBase article KB85505.
• Support for McAfee® ePolicy Orchestrator® Cloud (McAfee ePO™ Cloud) — Support for
McAfee ePO Cloud to manage policies for your Mac.
• Option to select protection modules — You can install one or all protection modules on a
standalone Mac as needed.
• McAfee Agent status monitor — Displays information, and initiates communication with McAfee®
• Menulet for easy access of the software interface — Easy access to the user interface by
clicking the McAfee menulet from the status bar.
• Enable debug logging from client interface — Enable debug logging for the modules that you
have installed using the client interface.
Install the software on a standalone Mac using the wizard or from the command line.
Contents
Hardware and software requirements
Install the software
Test the installation
Upgrading the software
Default settings
Recommended post-installation tasks
Uninstall the software from a standalone Mac
Component Requirement
Hardware Mac that can run the supported operating system configuration.
Operating system • El Capitan 10.11.x (client and server)
If you are using McAfee® Agent 5.x on your Mac, you must upgrade it to McAfee
Agent 5.0.2 with Hotfix HF1085179 before upgrading the operating system to El
Capitan. Otherwise, the communication between the McAfee® ePolicy
Orchestrator® (McAfee ePO™) server and the Mac fails, and you would be unable
to manage the Mac from the McAfee ePO server. For more information about the
McAfee Agent 5.0.2 known issues with El Capitan, see McAfee KnowledgeBase
article KB83895.
Tasks
• Install the software using wizard
The wizard guides you through the steps to install the software on your standalone Mac.
• Install the software from the command line (silent installation)
You can use the command line to install the software without user intervention.
Task
1 Download McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.dmg to
a temporary location on your Mac, then double-click it to mount.
2 Double-click McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.pkg
to open the wizard.
During the installation, the installer prompts you to select modules for installation. You can select
one or multiple modules. To install a module later, you must start the installation wizard again. If the
modules are grayed out, the installer has detected competitor software on your
Mac. You must uninstall it before installing the module. For more information, see McAfee
KnowledgeBase article KB78192.
To reinstall a module that you have already installed, start the installation wizard, then
select the module as needed. When you reinstall the module, the protection settings that you
configured previously are retained.
Task
1 Download McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.dmg to
a temporary location on your Mac, then double-click it to mount
McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.pkg.
3 Open a Terminal window and change the working directory to the one where you saved the
McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.pkg file.
5 Type the administrator password, then press return. The following message appears.
To install an individual protection module from the command line, see McAfee KnowledgeBase article
KB84772.
Tasks
• Test the Threat Prevention feature
Access the EICAR standard anti-virus test file to test the Threat Prevention feature.
• Test the Firewall feature
Test the Firewall feature by creating a rule. Consider a scenario where you want to create
an allow rule for www.intelsecurity.com.
• Test the Web Control feature
Make sure that the Web Control extension is added to the Safari browser, and appropriate
rating appears for sites.
Task
1 Go to the EICAR website http://www.eicar.org.
3 From the Download area using the standard protocol http section, click the file eicar.com.txt.
If the test is successful, McAfee Endpoint Security for Mac displays the notification "1 detection(s)
found on your system." with the relevant details.
Task
1 Click the McAfee menulet on the status bar, then select Preferences.
2 Click Firewall.
3 Click , type the administrator password, then click OK.
5 Click in the bottom left corner of the console to create a firewall rule.
a Type a name of the rule in the Rule Name text box.
b Click , select Fully Qualified Domain Name for Remote, then type the Domain Name.
8 Open the browser, type the website name, then press return.
Tasks
• Verify the extension installation
Make sure that the Web Control extension is added to the Safari browser.
• Test the site rating feature
Make sure that the Web Control feature displays the appropriate rating for sites.
Task
1 Start the Safari browser.
3 In the Extension dialog box, you can see McAfee Web Control 10.1 with Enable Web Control selected.
Task
1 Start the Safari browser.
3 You must see the Green rating at the top left of the browser page.
When you upgrade the software from the previous version, the existing software is removed completely
but the preferences for all modules are saved. When you install a module, the respective preferences
are migrated.
For example:
Because the Application Protection module is not part of McAfee Endpoint Security for Mac, the
Application Protection preferences are migrated only when you install the McAfee® Application
Protection 2.3.0 software. For more information, see the McAfee Application Protection product guide.
When you migrate the preferences from McAfee Endpoint Protection for Mac or McAfee VirusScan for
Mac, the Quarantine scan action is migrated to Delete, and the Notify scan action is migrated to Deny.
Task
1 Install the software using the wizard.
For more information, see Install the software using wizard.
2 Make sure that all existing preferences are migrated to the new version.
Default settings
Once installed, McAfee Endpoint Security for Mac starts protecting the Mac immediately based on the
default configurations defined. Refer to these default settings, and configure them for your
environment.
General
Threat Prevention
On-Demand Scan:
• When a virus is found — Clean
• If clean fails — Delete
• When a spyware is found — Clean
• If clean fails — Delete
• Enable McAfee GTI — Enabled.
• Sensitivity Level — Medium.
• Archives & Compressed Files — Enabled
• Apple Mail messages — Enabled
• Network Volumes — Disabled
Exclusions — None
Firewall
Web Control
Update
Logging
Task: Update the content files
Description: After installation, McAfee Endpoint Security for Mac automatically updates the
content files to protect the Mac from the latest threats. By default, this update is
scheduled at 4.45 pm local time every day. When the files are updated for the first
time, it may take longer to download the full content. The subsequent updates
will be incremental.
You can view the content files last update details in the Console page.
Task: Perform an on-demand scan
Description: After you install the software, run an on-demand scan of the local volumes to
clean infected files that reside on the Mac but have not been accessed.
Configure the On-Demand Scan task to define:
• The items to scan (files, folders, and drives)
• The frequency of the scan (daily, weekly, monthly, or immediately)
• The action when malware is found (Delete or Clean)
Task: Threat Prevention
Description: McAfee Endpoint Security for Mac comes with default settings. Verify that the
default settings are consistent with your organization policies and provide
complete protection against malware.
Task: Firewall
Description: McAfee Endpoint Security for Mac comes with the stateful Firewall enabled, which
protects your Mac from the moment the product is installed. The firewall comes
with a set of default rules that enable your Mac to access the necessary services.
We recommend that you review the default rules to make sure that your Mac can
access the necessary services according to your organization policies.
The rules are processed using a top-down approach with the implicit default block
rule that denies all traffic. This rule can't be modified.
Task: Web Control
Description: Review the default Web Control settings and update the Block and Allow List in such a
way that you can access business-critical sites and block unwanted sites.
The Block and Allow List overrides other settings such as Enable Web Category Blocking and
Rating Actions for Sites.
Task
1 Open a Terminal window.
When Uninstallation is enabled in Endpoint Security Common policy, uninstalling the software using the
command line prompts you to type the password set by your McAfee ePO server administrator.
When you uninstall the software, the McAfee Agent is not uninstalled from the system. This is
because it might be used by other products. Refer to the product guide of your McAfee Agent
version for more information.
Access the McAfee Endpoint Security for Mac Console page to view your Mac security status and event
details.
You can also view the quarantined items, configure scan schedules, and update the DAT and engine.
Contents
Security status
View your Mac security status
Recent events summary
View event log
Remove event log
View the quarantined items
Remove or restore the quarantined item
Update the DAT and Engine
Run a system scan
Configure custom scan tasks
Security status
View the security status and the protection features that are enabled or disabled on your Mac.
Use the dashboard to know the status of:
• Threat Prevention
• Firewall
• Web Control
To view your Mac security status and the protection modules installed:
Task
• Click the McAfee menulet on the status bar, then select Console | Status.
The Status page also displays the protection modules that are installed on your Mac and their status.
• Status of scan task with number of malware detected from on-demand scan.
Recent events displays only the summary of events. To view the complete details of events, navigate to
the Event Log page, then double-click the particular event.
Task
1 Click the McAfee menulet on the status bar, then select Console.
Twenty events are listed per page and you can use arrow keys to navigate through pages.
• On-Access Scan — Displays the application that accessed the malware, status of detection found,
and total number of detections with the details.
• On-Demand Scan — Displays number of files scanned, name and location of infected files, if found,
and action taken.
You can sort events based on Event, Type or Date & Time.
Task
1 Click the McAfee menulet on the status bar, then select Console.
3 Click , type the administrator password, then click OK.
You can't restore the events once you remove them from the list.
6 Click to prevent further changes.
Task
1 Click the McAfee menulet on the status bar, then select Console.
The quarantine page displays the original path of items quarantined with date and time of the event.
Before restoring an item, we recommend that you send it to McAfee Labs for testing. To
submit a sample to McAfee Labs, see McAfee KnowledgeBase article KB68030.
Task
1 Click the McAfee menulet on the status bar, then select Console.
3 Click , type the administrator password, then click OK.
• To restore, select the quarantined item, click Restore, then click OK to confirm.
• To remove, select the quarantined item, click Delete, then click OK to confirm.
You can't restore the items that are deleted from the quarantined list.
4 Click to prevent further changes.
Task
1 Click the McAfee menulet on the status bar, then select Console.
Upon completion, the update summary appears with the engine version, DAT version, update status,
and DAT creation date in the Threat Prevention Update section. You can view the status and details of
Threat Prevention update event in the Event Log page.
Task
1 Click the McAfee menulet on the status bar, then select Console.
3 From the What to scan drop-down list, select items, then click Start Scan.
Tasks
• Create a scan task
Create scan tasks that automatically run at scheduled periods with the defined parameters.
• Change settings in an existing scan task
Change an existing scan schedule to add or remove locations or change the date and time.
• Remove an existing scan schedule
Remove the scan schedule when you no longer need it.
Task
1 Click the McAfee menulet on the status bar, then select Console.
4 From the What to scan drop-down list, select the items you want to scan. Click or - to remove the
location.
• Documents — Scans the user documents folder.
5 In the When to scan section, select a schedule for the scan task, then click Schedule Scan.
• Immediately — Starts a scan task immediately. If you select to scan items immediately, click Start Scan.
• Once — Scans the defined locations once at the scheduled date and time.
• Daily — Scans the defined locations every day at the scheduled time. You can define the number
of occurrences to run the daily scan task or select No End Date to run the schedule without any
limit.
• Weekly — Scans the defined locations on a scheduled day and time of every week. You can define
the number of occurrences to run the weekly scan task or select No End Date to run the schedule
without any limit.
• Monthly — Scans the defined locations on a scheduled date and time of every month. You can
define the duration or select No End Date to continue the schedule without any limit.
6 When you see a message that the scan task is scheduled, click OK.
Task
1 Click the McAfee menulet on the status bar, then select Console.
2 On the console dashboard under Activity, click the scheduled task you want to modify. The scheduled
task displays the Last Scan Time and Next Scan Time.
3 Click Modify Scan, make the needed changes, then click Schedule Scan.
Task
1 Click the McAfee menulet on the status bar, then select Console.
2 On the console dashboard, select an existing scan schedule in the left pane.
3 In the bottom left corner of the console, click to remove the selected item.
Contents
General protection options
Threat Prevention
Firewall
Web Control
Configure an update schedule
Debug logging
• Firewall
• Web Control
Task
1 Click the McAfee menulet on the status bar, then select Preferences.
2 On the General tab, click .
5 Click to prevent further changes.
Threat Prevention
Threat Prevention protects your Mac from malware threats.
Configure the Threat Prevention settings to define actions for on-access scanning and on-demand
scanning, and to exclude files and paths from scanning.
McAfee Endpoint Security for Mac uses the latest engine that:
• Performs complex analysis using the malware definition files (DATs)
• Compares them with the known signatures stored in the DAT files to identify malware
In addition, McAfee GTI (heuristic network check for suspicious files) looks for suspicious files and
programs running on client systems that Threat Prevention protects.
Use Threat Prevention preferences to configure actions for on-access scan, on-demand scan, or to
exclude files or paths from scanning.
Types of scan
The software scans files on Mac in two ways, on-demand and on-access.
On-access scan — Scans files and folders for malware threats and unwanted programs whenever you
access them, and takes actions according to the configuration.
On-demand scan — Scans files and folders for malware threats and unwanted programs at any time
or at scheduled time. You can run on-demand scan in two ways.
• Scan all files — Scans files and directories immediately for the locations you have selected in What to
Scan.
• Schedule Scan — Scans files and directories configured in What to Scan at the scheduled time.
Task
1 Click the McAfee menulet on the status bar, then select Preferences.
2 On the Threat Prevention tab, click , type the administrator password, then click OK.
3 From the Scan files while drop-down list, select one of these options:
• Read — Scans items when they are read from the hard disk.
• Write — Scans items when they are written to the hard disk.
• Read & Write — Scans items when they are read from or written to the hard disk.
4 In Maximum scan time (in seconds), specify the duration allowed to scan each file.
You can specify a value between 10 and 9999. The default value is 45. When scanning exceeds the
defined time, the software stops scanning the file.
5 From the When a virus is found drop-down list, select one of these options:
• Clean — Clean the item that contains malware. Use the If clean fails drop-down list, to select a
secondary action (Delete or Deny).
• Deny — Prevents the user from accessing files with detected threats.
Although the software denies access to the file, it still resides in the system.
Whenever you select the primary action as Clean or Delete, the item is quarantined by default.
6 From the When a spyware is found drop-down list, select one of these options:
• Clean — Cleans the item that contains spyware. Use the If clean fails drop-down list, to select a
secondary action (Deny, Delete, or Allow).
• Deny — Prevents the user from accessing files with detected threats.
Although the software denies access to the file, it still resides in the system.
Whenever you select the primary action as Clean or Delete, the item is quarantined by default.
• Network Volumes
When these options are selected, McAfee Endpoint Security for Mac detects the threat. But, the
primary and secondary actions might vary depending on the options selected.
• Low — This setting is the minimum recommendation for systems with a strong security footprint.
• Medium — Use this level when the regular risk of exposure to malware is greater than the risk of
a false positive. McAfee Labs proprietary, heuristic checks result in detections that are likely to
be malware. However, some detections might result in a false positive. With this setting, McAfee
Labs checks that popular applications and operating system files don't result in a false positive.
• High — Use this setting for deployment to systems or areas which are regularly infected.
• Very high — Detections found with this level are presumed malicious, but haven't been fully tested
to determine if they are false positives. McAfee recommends using this level for systems that
require the highest security.
Task
1 Click the McAfee menulet on the status bar, then select Preferences.
3 Click , type the administrator password, then click OK to open the On-Demand Scan page.
4 From the When a virus is found drop-down list, select one of these options:
• Clean — Cleans the item that contains malware. Use the If clean fails drop-down list, to select a
secondary action (Delete, Continue scanning)
5 From the When a spyware is found drop-down, select one of these options:
• Clean — Cleans the item that contains spyware. Use the If clean fails drop-down list, to select a
secondary action (Delete, Continue scanning).
• Low — This setting is the minimum recommendation for systems with a strong security footprint.
• Medium — Use this level when the regular risk of exposure to malware is greater than the risk of
a false positive. McAfee Labs proprietary, heuristic checks result in detections that are likely to
be malware. However, some detections might result in a false positive. With this setting, McAfee
Labs checks that popular applications and operating system files don't result in a false positive.
• High — Use this setting for deployment to systems or areas which are regularly infected.
• Very high — Detections found with this level are presumed malicious, but haven't been fully tested
to determine if they are false positives. McAfee recommends using this level for systems that
require the highest security.
• Network Volumes
• Scan anytime
Task
1 Click the McAfee menulet on the status bar, then select Preferences.
3 Click , type the administrator password, then click OK.
5 Select the path of the required files and folders, then click Open.
6 Select or deselect the On-Access Scan and On-Demand Scan options as needed.
• Double-click an item to change the name or path that appears in the exclusion list.
• Use regular expressions to exclude items from scanning. For example, to exclude all files on the
desktop from scanning, specify the path as /Users/user/Desktop/*
• To remove the item from the exclusions list, select it, then click in the bottom left corner of
the page (or press fn+delete).
If you deselect the On-Access Scan and On-Demand Scan options for a path added to the exclusion list, the
path is removed from the exclusion list immediately.
7 Click to prevent further changes.
• Enable the scan option for the Network Volumes when needed, to scan files copied from or written to
any network volumes.
• When scheduling an on-demand scan for the first time, schedule a full on-demand scan of your
entire hard disk.
Exclusions
You can add regular expressions that match required patterns to exclude multiple files and folders
from being scanned.
• Encrypted files
• To exclude each user's Outlook Database files of different Microsoft Office versions, use
/Users/*/Documents/Microsoft\ User\ Data/Office\ *\ Identities/*\ Identity/*
• To exclude files with the extensions jar, rar, or war under /private/var/tmp, use
/private/var/tmp/*.?ar
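Because an exclusion removes files from scanning, it helps to check what a wildcard pattern covers before deploying it. The following is an added example, not code from the product guide: it tests the two patterns above against constructed paths. The guide does not say whether * spans "/" or how escapes are parsed, so the function names, the escape handling and both readings of * are assumptions.

```python
import re
from typing import Iterable, List, Set


def exclusion_regex(pattern: str, star_crosses_slash: bool) -> "re.Pattern[str]":
    """Translate an exclusion path with ? and * wildcards into a regex.

    Assumptions (not stated in the guide): a backslash escapes the next
    character, ? matches one character other than "/", and * either stays
    inside one path segment or spans segments, depending on the flag.
    """
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if ch == "*":
            parts.append(".*" if star_crosses_slash else "[^/]*")
        elif ch == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("".join(parts))


def covered(pattern: str, paths: Iterable[str], star_crosses_slash: bool) -> List[str]:
    """Paths that the exclusion would remove from scanning."""
    rx = exclusion_regex(pattern, star_crosses_slash)
    return [p for p in paths if rx.fullmatch(p)]


def unintended(pattern: str, paths: Iterable[str], intended_exts: Set[str],
               star_crosses_slash: bool = True) -> List[str]:
    """Excluded paths whose extension the rule's author did not ask for."""
    hits = covered(pattern, paths, star_crosses_slash)
    return [p for p in hits if p.rsplit(".", 1)[-1] not in intended_exts]


TMP_PATTERN = "/private/var/tmp/*.?ar"
OUTLOOK_PATTERN = (r"/Users/*/Documents/Microsoft\ User\ Data/"
                   r"Office\ *\ Identities/*\ Identity/*")

# Constructed sample paths, for illustration only.
SAMPLE_PATHS = [
    "/private/var/tmp/build.jar",
    "/private/var/tmp/archive.rar",
    "/private/var/tmp/app.war",
    "/private/var/tmp/backup.tar",
    "/private/var/tmp/lib.ear",
    "/private/var/tmp/notes.txt",
    "/private/var/tmp/cache/plugin.jar",
    "/Users/alice/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Database",
]

if __name__ == "__main__":
    for crosses in (False, True):
        print("* spans '/':", crosses)
        for path in covered(TMP_PATTERN, SAMPLE_PATHS, crosses):
            print("  excluded:", path)
    print("not asked for:", unintended(TMP_PATTERN, SAMPLE_PATHS, {"jar", "rar", "war"}))
```

The single-character ? in *.?ar also covers extensions such as tar and ear, so listing jar, rar, and war as separate exclusions is the narrower choice.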
Firewall
The Firewall component provides a scalable solution to protect your Mac from unauthorized network
traffic.
The firewall comes with a stateful engine that provides flexibility in defining allowed network traffic for
your Mac. You can define rules based on various traffic parameters and group them for easier
management.
• Regular mode — When the network packet adheres to a rule’s condition, the associated action
defined in the rule is executed. If no matching rule is found, the network packet is blocked.
• Adaptive mode — When the network packet matches a rule’s conditions, the associated action
defined in the rule is executed. If no matching rule is found, the network packet is allowed and a
rule is created to allow similar packets later.
In both these modes, the status of the TCP/UDP/ICMP connection is tracked to identify whether the
incoming packet is part of the existing connection.
• New rules and grouping rules — You can create rules and group them for easier management.
• Location awareness — Creates separate rules for locations, such as office or home network.
Stateful filtering automatically tracks the reverse traffic for existing connections eliminating the need
for another firewall rule. Firewall performs stateful filtering on TCP, UDP, and ICMP protocols.
When the traffic matches the rule condition, firewall does not try to apply any further rules from the
list.
To change the firewall protection from Regular mode to Adaptive mode, click | Preferences | Firewall |
Adaptive Mode.
If the IP destination is a broadcast, multicast, loopback, or ICMP protocol, the network packet is
blocked. No additional rules are created for these types of traffic.
For security reasons, when Adaptive mode is enabled, incoming pings are blocked unless an explicit
allow rule is created for incoming ICMP traffic.
This diagram shows how network packets are handled in Adaptive mode.
To change the firewall protection from Adaptive mode to Regular mode, click | Preferences | Firewall |
Regular Mode.
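The difference between the two modes, and the effect of rule order, can be seen in a small model. This is an added example, not the product's implementation: the class and field names and the sample rules are assumptions, and stateful connection tracking is left out so that only first-match evaluation and the per-mode default are shown.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out"
    protocol: str             # "tcp", "udp" or "icmp"
    dst_ip: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "block"
    direction: str
    protocol: str                     # "any" matches every protocol
    dst_ip: Optional[str] = None      # None matches any address
    dst_port: Optional[int] = None    # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.protocol in ("any", p.protocol)
                and self.dst_ip in (None, p.dst_ip)
                and self.dst_port in (None, p.dst_port))


def never_learned(p: Packet) -> bool:
    """Traffic that Adaptive mode blocks instead of learning a rule for."""
    ip = ip_address(p.dst_ip)
    return (p.protocol == "icmp" or ip.is_multicast or ip.is_loopback
            or p.dst_ip == "255.255.255.255")


class Firewall:
    def __init__(self, rules: List[Rule], adaptive: bool = False):
        self.rules = list(rules)
        self.adaptive = adaptive

    def decide(self, p: Packet) -> Tuple[str, str]:
        for rule in self.rules:            # top-down; the first match ends the search
            if rule.matches(p):
                return rule.action, rule.name
        if not self.adaptive:
            return "block", "no match (Regular mode)"
        if never_learned(p):
            return "block", "no match (Adaptive mode, never learned)"
        learned = Rule(f"adaptive-{len(self.rules)}", "allow",
                       p.direction, p.protocol, p.dst_ip, p.dst_port)
        self.rules.append(learned)         # similar packets match it next time
        return "allow", learned.name


# Constructed rule set: one site is denied, HTTPS in general is allowed.
DENY_ONE = Rule("deny-site", "block", "out", "tcp", "203.0.113.10", 443)
ALLOW_WEB = Rule("allow-https", "allow", "out", "tcp", None, 443)
SITE = Packet("out", "tcp", "203.0.113.10", 443)
DNS = Packet("out", "udp", "192.0.2.53", 53)
PING_IN = Packet("in", "icmp", "192.0.2.20")

if __name__ == "__main__":
    print(Firewall([DENY_ONE, ALLOW_WEB]).decide(SITE))   # specific rule first
    print(Firewall([ALLOW_WEB, DENY_ONE]).decide(SITE))   # generic rule shadows it
    print(Firewall([ALLOW_WEB]).decide(DNS))              # Regular mode default
    fw = Firewall([ALLOW_WEB], adaptive=True)
    print(fw.decide(DNS), fw.decide(DNS), fw.decide(PING_IN), len(fw.rules))
```

Every rule that Adaptive mode learns is a permanent allow, which is why the learned list needs review before switching back to Regular mode.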
You can create rules to block a Fully Qualified Domain Name (FQDN) using the client interface. The
Domain Name System (DNS) blocking can be configured only using Firewall policy in McAfee ePO.
If the firewall host has not initiated any DNS queries for the blocked domains or FQDN, the DNS
blocking and FQDN-based rules do not work.
When a client connects to an FTP server, the control channel is established on FTP destination Port 21,
and an entry is made in the state table. If the option for FTP inspection was set with the Firewall
Options policy, when the firewall encounters a connection opened on Port 21, it knows to perform
stateful packet inspection on the packets coming through the FTP control channel.
Firewall monitors the PORT, EPRT, PASV, and EPSV commands on the control channel, and determines
which dynamic rules must be created for subsequent FTP data connections.
The combination of the control connection and one or more data connections is called a session. When
the data transfer is complete, the dynamic rules created for data transfer are removed.
When the control connection is terminated, Firewall makes sure that all corresponding data
connections are also removed.
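To show what FTP inspection has to read from the control channel, here is an added example (not the product's code) that parses the PORT and EPRT commands and the 227 and 229 replies to PASV and EPSV, following RFC 959 and RFC 2428, and tracks the resulting dynamic rules for one session. The class name, the rule tuple layout and the transcript are assumptions constructed for illustration.

```python
import re
from typing import List, Optional, Set, Tuple

Endpoint = Tuple[str, str, int]          # (listening side, ip, port)
Rule = Tuple[str, str, str, int]         # (direction, source ip, destination ip, port)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_EPSV_REPLY = re.compile(r"\((.)\1\1(\d{1,5})\1\)")


def _hostport(text: str) -> Optional[Tuple[str, int]]:
    """Decode h1,h2,h3,h4,p1,p2 (RFC 959): port = p1 * 256 + p2."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        return None
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]


def data_endpoint(line: str, server_ip: str) -> Optional[Endpoint]:
    """Return where the next data connection will be accepted, or None."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "PORT":                       # client: PORT h1,h2,h3,h4,p1,p2
        hp = _hostport(arg)
        return ("client", hp[0], hp[1]) if hp else None
    if verb == "EPRT" and len(arg) > 1:      # client: EPRT |proto|addr|port|
        f = arg.split(arg[0])
        if len(f) == 5 and f[1] in ("1", "2") and f[3].isdigit() and int(f[3]) <= 65535:
            return ("client", f[2], int(f[3]))
        return None
    if verb == "227":                        # server reply to PASV
        hp = _hostport(arg)
        return ("server", hp[0], hp[1]) if hp else None
    if verb == "229":                        # server reply to EPSV: (|||port|)
        m = _EPSV_REPLY.search(arg)
        if m and int(m.group(2)) <= 65535:
            return ("server", server_ip, int(m.group(2)))
    return None


class FtpSession:
    """Dynamic rules for one control connection, as seen from the client Mac."""

    def __init__(self, client_ip: str, server_ip: str):
        self.client_ip, self.server_ip = client_ip, server_ip
        self.dynamic_rules: Set[Rule] = set()

    def observe(self, line: str) -> Optional[Rule]:
        ep = data_endpoint(line, self.server_ip)
        if ep is None:
            return None
        side, ip, port = ep
        # Active mode: the server connects in. Passive mode: the client connects out.
        if side == "client":
            rule = ("in", self.server_ip, ip, port)
        else:
            rule = ("out", self.client_ip, ip, port)
        self.dynamic_rules.add(rule)
        return rule

    def data_transfer_complete(self, rule: Rule) -> None:
        self.dynamic_rules.discard(rule)     # rule lives only for the transfer

    def control_closed(self) -> None:
        self.dynamic_rules.clear()           # session over: drop everything


# Constructed control-channel lines, for illustration only.
TRANSCRIPT: List[str] = [
    "USER anonymous",
    "PASV",
    "227 Entering Passive Mode (198,51,100,5,19,137)",
    "PORT 192,0,2,10,195,80",
    "EPRT |2|2001:db8::10|50001|",
    "229 Entering Extended Passive Mode (|||5002|)",
]

if __name__ == "__main__":
    session = FtpSession("192.0.2.10", "198.51.100.5")
    for text in TRANSCRIPT:
        print(f"{text!r:55} -> {session.observe(text)}")
    session.control_closed()
    print("rules after close:", session.dynamic_rules)
```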
• ePO Rules — Defined and enforced by administrators if your Mac is managed by McAfee ePO.
The ePO Rules group also contains list of rules that firewall creates automatically at run time for
business continuity. These rules can't be modified.
• ePO Rules are displayed and applied only when the Mac is managed by McAfee ePO.
• When rules are created from a client Mac, they are added after the existing rules in the Client
Rules section.
• ePO Rules are the first rules processed to match the network packet.
• Adaptive Rules — Created automatically, when Firewall is running in Adaptive mode to allow a
non-matching network packet.
Task
1 Click the McAfee menulet on the status bar, then select Preferences.
2 Click Firewall.
5 Click in the bottom left corner of the console to open the rule page.
The rules appear as grayed out in the rules list, when their status is set to Disabled.
Logging
• Enabled — To make an entry in the system log when a network packet matches a rule.
• Disabled — To avoid making an entry in the system log when the network packet matches a rule.
Enabling the logging feature can impact the system performance. We recommend
that you enable Logging only for troubleshooting and learning purposes.
Transport Protocol
Select All Protocols to apply the rule for all protocols.
For Select Protocol, define the parameters for:
• TCP
• UDP
• ICMP
Add specific rules at the top of the list, and generic rules at the bottom to filter the traffic most
efficiently.
7 Click to prevent further changes.
To edit an existing Firewall rule, select the rule, then click to open the rule page.
Create a rule to allow DHCP outgoing on UDP local port 68 to remote port 67
To create a firewall rule that allows you to get an IP address on an interface, we
recommend creating two rules. First create a rule to allow DHCP outgoing on UDP local
port 68 and remote port 67, then create a rule to allow DNS queries.
• Status — Enabled
• Action — Allow
• Direction — Outgoing
• Status — Enabled
• Action — Allow
• Direction — Outgoing
• Status — Enabled
• Action — Allow
• Direction — Outgoing
• Status — Enabled
• Action — Allow
• Direction — Outgoing
• In Network Protocol (IPv4), select Remote | Subnet, then type the Subnet Mask value
You can type a single port number, or series of port numbers using a comma, or a range of
ports using a hyphen.
• If your organization does not have a firewall policy or if this is the first time your organization uses
a firewall policy, we recommend that you use the default corporate policy. Afterward, you can use
Adaptive mode for further fine-tuning.
• Remember that Adaptive mode must be used to fine-tune the firewall rule sets. So, run Adaptive
mode only for a short duration to identify the organizational requirements.
• Configure the DNS blocking feature to block the known unwanted domains.
• Always use firewall rule groups to organize the rules in an efficient way.
• Use more specific rules at the top of the rule set and generic ones toward the end.
For example, to give access to a particular website for all Mac users in the organization except one
system, create a specific deny rule to block the website on that particular system first.
• Because Firewall validates rules using a top-down approach, we recommend that you always revisit
the rules completely to avoid loopholes.
Web Control
Web Control protects your Mac from online threats, called web-based threats, when you access or
browse websites.
The software monitors sites that you access or browse, checks for their safety ratings, and allows or
blocks the sites according to the configuration.
• Displays a safety rating for each site that the search engine lists
The software allows you to configure access permission to sites based on their rating or content
category defined by McAfee GTI.
For a standalone Mac, you can configure the security preferences to:
• Enable or disable the Web Control feature
• Downloading files to check for viruses and potentially unwanted programs bundled with the
download.
• Entering contact information into sign-up forms and checking for resulting spam or a high volume
of non-spam email sent by the site or its affiliates.
The team compiles test results into a safety report that can also include:
• Feedback submitted by site owners, which might include descriptions of safety precautions used by
the site or responses to user feedback about the site.
• Feedback submitted by site users, which might include reports of phishing scams or bad shopping
experiences.
The McAfee GTI server stores site ratings. The server is updated periodically with the latest rating and
site details.
Color-coded buttons
Each color button indicates the safety rating category of the site.
Yellow: Sites are suspicious and they might pose security issues. You must access these sites with
caution.
Red: Sites contain potential security risks. You must access these sites with extreme caution.
However, by default, the software denies access to red-rated sites.
Gray: No rating is available for this site. By default, Web Control allows sites when a rating is
not available.
Orange: Communication with the McAfee GTI server is unavailable to display the site rating.
Black: This site is a phishing site, or the site is explicitly blocked by Web Control settings.
For Chrome browser, the rating button appears on the right side of the address bar.
The safety rating applies to HTTP and HTTPS protocol URLs only.
Color icons
When users type keywords in the Google search engine, the color-coded icon appears next to each
site listed in the search results.
Tests revealed some issues that users must know about. For example, the site tried to
change browser defaults, displayed pop-ups, or sent testers a significant amount of
non-spam email.
This site has some serious issues that users must consider carefully before accessing.
For example, the site sent spam email or bundled adware with a download.
The site safety information is available when you access a site and when you access sites through the
Google search engine.
• Safety rating at search engine — Displays the safety rating balloon that summarizes the safety
report for a site. The Read Site Report link provides the safety report summary of the site.
• Safety rating at site level — Displays the safety rating at the left top of the browser. You can
view the test result report in the McAfee website.
Web Control does not scan files that are downloaded from allowed sites. However, if you installed the
Threat Prevention module and enabled on-access scanning, files are scanned for threats.
Enable Web Category Blocking overrides the Rating Actions for Sites configuration. For example, the Rating Actions
for Sites is set to Allow for yellow-rated sites with Enable Web Category Blocking enabled for all categories. If
you visit a yellow-rated site that belongs to the blocked category, the software blocks the site although
the Rating Actions for Sites configuration allows access to yellow-rated sites.
• Spyware/Adware/Keyloggers
Block and Allow List configuration overrides the Enable Web Category Blocking and Rating Actions for Sites
configuration. You can allow sites that are blocked by other settings, or block sites that are allowed by
other settings. Using Block and Allow List option, you can define access for sites regardless of their rating.
Use this option to allow access to business-specific sites and block unwanted sites.
Task
1 Click the McAfee Menulet on the status bar, then select Preferences.
4 Under Block and Allow List, click
5 Type the URL in the Site area and define the permission in the Action field.
To add another URL, click then define the settings. To remove the URL from the list, click .
To change the permission for an existing URL, click the URL, then change the permission. You can
use ? and * wildcards to define sites.
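The override order described above (Block and Allow List first, then Enable Web Category Blocking, then Rating Actions for Sites) can be written as a short decision function. This is an added example, not the product's code: the class, the lowercase rating and action strings, the sample policy, matching the pattern against the host name only, first-match order within the list, and allowing ratings that have no configured action are all assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


def site_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a Block and Allow List entry; only ? and * act as wildcards."""
    body = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(body, re.IGNORECASE)


@dataclass
class WebControlPolicy:
    block_allow_list: List[Tuple[str, str]] = field(default_factory=list)
    category_blocking: bool = False
    blocked_categories: Set[str] = field(default_factory=set)
    rating_actions: Dict[str, str] = field(default_factory=dict)

    def decide(self, site: str, rating: str,
               categories: Iterable[str] = ()) -> Tuple[str, str]:
        """Return (action, setting that decided it) for one site."""
        # 1. An explicit list entry wins over everything else.
        for pattern, action in self.block_allow_list:
            if site_regex(pattern).fullmatch(site):
                return action, "Block and Allow List"
        # 2. A blocked category overrides the rating action.
        if self.category_blocking and self.blocked_categories & set(categories):
            return "block", "Enable Web Category Blocking"
        # 3. Otherwise the action configured for the rating applies.
        return self.rating_actions.get(rating, "allow"), "Rating Actions for Sites"


# Constructed policy and sites, for illustration only.
POLICY = WebControlPolicy(
    block_allow_list=[
        ("intranet?.example.com", "allow"),
        ("*.ads.example.net", "block"),
    ],
    category_blocking=True,
    blocked_categories={"Spyware/Adware/Keyloggers"},
    rating_actions={"red": "block", "yellow": "allow",
                    "unrated": "allow", "unverified": "warn"},
)

if __name__ == "__main__":
    cases = [
        ("shop.example.org", "yellow", ["Spyware/Adware/Keyloggers"]),
        ("intranet1.example.com", "yellow", ["Spyware/Adware/Keyloggers"]),
        ("cdn.ads.example.net", "green", []),
        ("news.example.org", "yellow", []),
        ("unknown.example.org", "unverified", []),
    ]
    for site, rating, cats in cases:
        print(f"{site:24} {rating:11} -> {POLICY.decide(site, rating, cats)}")
```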
Task
1 Click the McAfee menulet on the status bar, select Preferences, then click the Web Control tab.
2 Click , type the administrator password, then click OK.
3 Under Block and Allow List, click , type the URL in the Site column, then select an action from the
Action drop-down list.
• Allow — Allows access to the site
The action set for sites in the Block and Allow List overrides the actions defined in Enable Web Category
Blocking and Rating Actions for Sites.
5 In Rating Actions for Sites, define the action for Red, Yellow, Unrated, and Unverified sites.
• Allow — Allows access to the site
• Warn — Displays a warning message with the option to Continue or Cancel navigation to the site
6 Click to prevent further changes.
Tasks
• Configure the repository list
Always keep your DAT file up to date to secure your Mac from the latest threats.
• Configure proxy settings
Configure Proxy settings if you use proxy servers to connect to the Internet for retrieving
packages.
• Configure the DAT update schedule
Periodic DAT updates secure your Mac from latest threats.
Task
1 Click the McAfee menulet on the status bar, then select Preferences.
2 Click Update.
3 Click , type the administrator password, then click OK.
• — To delete an existing repository.
• — To deprioritize repositories.
• — To prioritize repositories.
5 In Repository Type, select FTP, HTTP, or a Local repository from where the latest DATs can be
downloaded.
6 Specify a Repository URL, Port, User Name, and Password for the repository.
8 Click to prevent further changes.
Task
1 Click the McAfee menulet on the status bar, then select Preferences.
3 Click , type the administrator password, then click OK.
5 Select Use these settings for all proxy types to specify the same IP address and port number for all proxy
types.
6 Select FTP or HTTP server, then type the IP address and port number of the selected server.
7 Select Use authentication, then type the user name and password for the server.
8 To bypass a proxy server for specific domains, select the Specify exceptions, then type the domain
name.
9 Click to prevent further changes.
Task
1 Click the McAfee menulet on the status bar, then select Preferences.
3 Click , type the administrator password, then click OK.
4 Click the drop-down list to select the update frequency, then click Apply.
• Never — Never run the update
We recommend that you do not select this option. Always keep your DAT files and Engine up to date to
protect your Mac from the latest threats.
5 Click to prevent further changes.
Debug logging
Debug logs provide important information that you can use for troubleshooting purposes.
Enabling debug logs for a module logs details for all components of the module.
For example, if you enable logging for Threat Prevention, logs are stored for on-access scanning and
on-demand scanning activity.
• You can find the Threat Prevention logs at /var/log/system.log and
/var/log/McAfeeSecurity.log. You can identify and filter the Threat Prevention logs by the name MFE_AV.
• You can find the Firewall logs at /var/log/system.log. You can identify and filter the Firewall logs
by the name MFE_FW.
• You can find the Web Control logs at /var/log/McAfeeSecurity.log. You can identify and filter
the Web Control logs by the name MFE_WC.
Task
1 Click the McAfee menulet on the status bar, then select Preferences.
3 Click , type the administrator password, then click OK.
5 Click to prevent further changes.
Identify and troubleshoot issues when using the standalone version of McAfee Endpoint Security for
Mac.
Task
1 Open a Terminal window, type the following command, then press return.
/usr/local/McAfee/repairMSC
A consolidated diagnostic report is generated in your home directory for issue analysis. A list of issues
appears, with each category relating to a number from 1 to 8.
4 Type a number that best describes the issue, then press return. The repairMSC runs a repair utility
based on the number selected and provides a solution.
5 Type y or n to confirm whether the issue was fixed, then follow the on-screen instructions.
The report file repairMSC.zip is available in your home directory (/Users/<user>).
Install the software on the McAfee ePO server and deploy it to your managed Mac.
Contents
System requirements
Check in the package to the McAfee ePO server
Install the extensions on the McAfee ePO server
Install the client software on a managed Mac using the installation URL
Deploy the software from McAfee ePO
Test the installation
Remove the software from a managed Mac
System requirements
Make sure that these requirements are met and you have administrator permission.
Component Requirements
Hardware Mac that can run with the supported operating system configuration.
Operating system • El Capitan 10.11.x (client and server)
If you are using McAfee Agent 5.x on your Mac, you must upgrade it to
McAfee Agent 5.0.2 with Hotfix HF1085179 before upgrading the operating
system to El Capitan. Otherwise, the communication between the McAfee
ePolicy Orchestrator (McAfee ePO) server and the Mac fails, and you would
be unable to manage the Mac from the McAfee ePO server. For more
information about the McAfee Agent 5.0.2 known issues with El Capitan, see
McAfee KnowledgeBase article KB83895.
McAfee Agent McAfee Agent 5.0.2 with Hotfix HF1085179 and later
McAfee ePolicy Orchestrator 5.1.1 and later
Tasks
• Check in the package using Software Manager
Check in, update, or remove McAfee Endpoint Security for Mac using the Software Manager.
• Check in the package manually
Check in the McAfee Endpoint Security for Mac deployment package to the McAfee ePO
Master Repository.
Task
For details about product features, usage, and best practices, click ? or Help.
3 From the Product Categories list under Software (By Label), select Endpoint Security, select the package file,
then click Check in All.
4 On the summary page, accept the McAfee End User License Agreement, then click OK.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Download the .zip file to a temporary location on the McAfee ePO server.
b Click Choose File, select the file, click Choose, then click Next.
Tasks
• Install the extensions using Software Manager
Install the extensions using the Software Manager.
• Install the extensions manually
Install Endpoint Security extensions on the McAfee ePO server manually.
Task
For details about product features, usage, and best practices, click ? or Help.
3 From the Software Manager | Product Categories | Software (By Label), select Endpoint Security | McAfee Endpoint
Security 10.2.0, select from the right pane, then check in the extensions.
Task
For details about product features, usage, and best practices, click ? or Help.
3 Click Choose File and select the file that contains the extension, then click OK.
After installing the Endpoint Security extensions, you can use the migration tasks to migrate McAfee
Endpoint Protection for Mac 2.3 or McAfee VirusScan for Mac 9.8 policies and tasks. For more
information, see Endpoint Security migration help.
Tasks
• Create an installation URL
Create an installation URL and send it to the user to install McAfee Agent on a managed
Mac.
• Install the software with an installation URL on a managed Mac
The Mac user can access the URL to install the client software on a managed Mac.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Select Menu | Dashboards, then select Getting Started with ePolicy Orchestrator from the drop-down list.
3 On the Product Deployment page, click Start Deployment, define these settings, then click Deploy.
• System Tree Group
• McAfee Agent
• Auto Update
5 Email the URL with instructions to install the client software on the Mac to the user.
After successful installation, McAfee Agent checks back with the McAfee ePO server for assigned
tasks for that system group, then installs the software accordingly.
You must have an installation URL that you created or received from your administrator.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Open a browser window, paste the installation URL in the address bar, then press Enter.
2 Follow the on screen instructions. If the installation does not start automatically, click Install.
Task
For details about product features, usage, and best practices, click ? or Help.
3 On the Assigned Client Tasks tab, click Actions, then click New Client Task Assignment.
c In Products and components, select the product , select Install as the action, then click Save.
b Schedule the task to run immediately, click Next to view a summary of the task, then click Save.
7 In the System Tree, select the systems or groups where you assigned the task, then click Wake Up
Agents.
8 Select Force complete policy and task update, then click OK.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Wait for client systems to report back to the McAfee ePO server (typically after an hour).
2 On the McAfee ePO console, select Menu | Dashboards, then select Endpoint Security: Installation Status for a
complete list of managed Mac systems and their installation status.
Tasks
• Remove the software extensions
Remove the McAfee Endpoint Security for Mac extensions from the McAfee ePO server.
• Remove the software
Create a client task on the McAfee ePO server to remove McAfee Endpoint Security for Mac
from the managed Mac.
Task
For details about product features, usage, and best practices, click ? or Help.
4 Select Force removal, bypassing any checks or errors, then click OK.
Task
For details about product features, usage, and best practices, click ? or Help.
3 Click the Assigned Client Tasks tab, then click New Client Task Assignment.
c In Products and components, select the product, select Remove as the action, then click Save.
b Schedule the task to run immediately. Click Next to view a summary of the task, then click Save.
7 In the System Tree, select the systems or groups for which you assigned the task, then click Wake Up
Agents.
8 Select Force complete policy and task update, then click OK.
Install and manage the software on a Mac that is managed with McAfee ePO Cloud.
McAfee ePO Cloud is an extensible management platform that enables centralized policy management
and enforcement of your security products and the systems where they are installed.
It also provides comprehensive reporting and product deployment capabilities, all through a single
point of control. Using McAfee ePO Cloud, you can deploy security products, patches, and service
packs to the managed systems in your network.
Contents
McAfee ePO Cloud components
System requirements
Accessing the McAfee ePO Cloud account
Install the client software on managed systems using the installation URL
Deploy the client software from McAfee ePO Cloud
• McAfee Agent — A vehicle of information and enforcement between the McAfee ePO Cloud and
each managed Mac. The agent retrieves updates, ensures task implementation, enforces policies,
and forwards events for each managed Mac.
• Master Repository — The central location for all McAfee updates and signatures, residing on
McAfee ePO Cloud. The Master Repository retrieves user-specified updates and signatures from
McAfee.
System requirements
Make sure that your managed Mac systems meet these requirements, and that you have a valid account with
McAfee ePO Cloud.
Component Requirements
Hardware Mac that can run with the supported operating system configuration.
Operating system • El Capitan 10.11.x (client and server)
If you are using McAfee Agent 5.x on your Mac, you must upgrade it to McAfee
Agent 5.0.2 with Hotfix HF1085179 before upgrading the operating system to El
Capitan. Otherwise, the communication between the McAfee ePolicy
Orchestrator (McAfee ePO) server and the Mac fails, and you would be unable
to manage the Mac from the McAfee ePO server. For more information about the
McAfee Agent 5.0.2 known issues with El Capitan, see McAfee KnowledgeBase
article KB83895.
2 McAfee emails the McAfee ePO Cloud URL and logon information to the enterprise administrator.
Tasks
• Create an installation URL
Create an installation URL to install the software on managed Mac.
• Install the software with an installation URL
The managed Mac user can install the software on a local Mac with an installation URL.
Task
For details about product features, usage, and best practices, click ? or Help.
3 On the Customize Software Installation page, define these settings, then click Done.
• Group Name — Type a name of the group.
• Software and Policies — Select McAfee Endpoint Security software modules as required.
• Auto Update — Select this option to download updates for the software.
The default policies and tasks of the module are selected by default.
4 Click Done.
5 From the Dashboards drop-down list, select Getting Started with ePolicy Orchestrator.
On the right side pane under Getting Started, the URL that you created appears.
After successful installation, McAfee Agent checks back with the McAfee ePO server for assigned
tasks for that system group, then installs the software accordingly.
• You must have an installation URL that you created or received from your administrator.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Open a browser window, paste the installation URL in the address bar, then press Enter.
Task
For details about product features, usage, and best practices, click ? or Help.
3 In the Product Deployment page, define these settings, then click Save.
• Name • Language
• Description • Branch
Integrate and manage McAfee Endpoint Security for Mac using McAfee ePO or McAfee ePO Cloud.
The primary differences in managing policies in the two environments are:
• McAfee ePO — Organizations maintain McAfee ePO server in their premises and administrators
check in and install the software on the server, create policy settings, and enforce them on multiple
managed Mac systems using deployment tasks.
• McAfee ePO Cloud — McAfee or the service provider maintains the McAfee ePO server including
checking in and installing the software. After setting up the cloud account from McAfee or other
service providers, local administrators create policies and enforce them on managed Mac systems
using deployment tasks.
For instructions about setting up and using McAfee ePO and McAfee Agent, see the product guide for
your version of the product.
Contents
Using Endpoint Security extensions as common extensions
Manage policies
Common policy
Threat Prevention policy
Firewall policy
Web Control policy
Queries and reports
• Windows and Mac only — Applies only to Windows and Macintosh-based systems.
• Windows and Linux only — Applies only to Windows and Linux-based systems.
The policy options that don't contain any tag are applicable for Windows, Mac, and Linux systems.
To view the Windows only tag in the policy and task options, you must have installed the licensing
extension on your McAfee ePO.
For the list of features supported for Microsoft Windows, Macintosh, and Linux operating systems, see
McAfee KnowledgeBase article KB84410.
Manage policies
McAfee Endpoint Security for Mac policies provide options to configure features, feature
administration, and to log details on managed systems.
You can find these policies on the Policy Catalog page under Product:
• Endpoint Security Threat Prevention
Configure these policies with your preferences, then assign them to groups of the managed Mac. For
generic information about policies, see the product guide for your version of McAfee ePO.
Task
For details about product features, usage, and best practices, click ? or Help.
3 Click OK.
4 Click Save.
Assign policies
When you have created or modified policies, assign them to the systems that are managed by McAfee
ePO.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Navigate to System Tree, select a group or systems, then click the Assigned Policies tab.
3 Select a product from the product list, select a policy, then click Edit Assignment.
4 Select the policy to assign, select appropriate inheritance options, then click Save.
Task
For details about product features, usage, and best practices, click ? or Help.
1 On the managed Mac, click the McAfee menulet on the status bar, then select McAfee Agent Status
Monitor.
• Check New Policies — Trigger the agent to communicate with the server to update policy and tasks.
• Enforce Policies — Enforce all configured policies on the managed system on demand.
• Save Contents to Desktop — Save the content of the McAfee Agent log to desktop.
Common policy
The Common policy options can be used to configure protection settings for your managed Mac.
Configure the Options page settings in the Common policy to:
• Enable self-protection for software files.
For the list of features supported for Microsoft Windows and Macintosh operating systems, see McAfee
KnowledgeBase article KB84410.
Contents
Configuring client interface access
Preventing client software uninstallation
Self Protection
You can provide Full access to users for whom you don't want to restrict any action.
• Standard access — Allows the managed Mac users to run software updates and to run scheduled
scans. To view or change the protection preferences, the managed Mac user must provide the
password defined by the McAfee ePO administrator. The default password is mcafee.
• Lock client interface — The user is prompted for the McAfee ePO administrator password to start the
client console.
If the managed Mac user changes the protection preferences locally, the subsequent policy enforcement
overrides the changes.
Self Protection
The Self Protection option protects the security software files from threats.
One of the first things that malware attempts to do during an attack is to change, delete, or disable
your system security software. Configure the Self Protection settings to protect Endpoint Security for Mac
files and its module files from being changed or deleted. We recommend that you always enable this
option because malware attacks primarily target the software files first.
For managed Mac, deselecting Enable Self Protection or Files and folders disables Self Protection.
Endpoint Security for Mac supports only the Files and Folders option in Self Protection.
For example, if you enable debug logging for Threat Prevention, events are logged for on-access
scanning, and on-demand scanning at user level and at the kext level.
By default, the software checks for updates at 4:45 p.m. every day. When you deselect Enable default
update task schedule in the client, the update schedule is set to Never in the client interface.
After deselecting Enable default update task schedule in the client, if you select it again, the user must configure
the update schedule.
Whichever options you select under What to update, the software updates the DAT files and Engine, and
the product.
Task
For details about product features, usage, and best practices, click ? or Help.
2 From the Policy Catalog, select Endpoint Security Common as the product, then Options as the category.
3 Click New Policy, type a name for the policy, then click OK.
4 On the Policy Catalog page, click Show Advanced, then define these options:
Self Protection:
Enable Self Protection
Files and Folders — Protects the Endpoint Security for Mac software files from threats.
• Block and Report — Prevents the user from changing or deleting the software files. An event is sent to the McAfee ePO server.
• Block only — Prevents the user from changing or deleting the software files. No McAfee ePO events are generated for this activity.
• Report only — Allows the managed Mac user to delete or change the software files. An event is sent to the McAfee ePO server.
The default option is Block and Report.
Default Client Update:
Enable Default Update task schedule in the client — Enables or disables the update task on managed Mac.
5 Click Save.
7 In the right pane, click the Group Details tab, then click Wake Up Agents.
8 In Force policy update, select Force complete policy and task update, then click OK.
On-Demand Scan • Run full scan and quick scan on managed Mac.
For the list of features supported for Microsoft Windows and Macintosh operating systems, see McAfee
KnowledgeBase article KB84410.
Task
For details about product features, usage, and best practices, click ? or Help.
2 From the Policy Catalog, select Endpoint Security Threat Prevention as the product, then select On-Access Scan
as the category.
3 Click New Policy, type a name for the policy, then click OK.
In... Configure...
On-Access Scan:
• Enable On-Access Scan — Enables or disables on-access scanning on managed Mac.
• Specify maximum number of seconds for each file scan — Specify the scan timeout value to scan each item. If you deselect this option, the value is set to 45 seconds.
McAfee GTI:
• Enable McAfee GTI — Enables McAfee GTI, a heuristic network lookup for suspicious files.
Select the Sensitivity level as required:
• Very low — The detections and risk of false positives are the same as with regular DAT
content files. A detection is made available to Threat Prevention when McAfee Labs
publishes it instead of waiting for the next DAT content file update.
• Low — This setting is the minimum recommendation for systems with a strong
security footprint.
• Medium — Use this level when the regular risk of exposure to malware is greater than
the risk of a false positive. McAfee Labs proprietary, heuristic checks result in
detections that are likely to be malware. However, some detections might result in a
false positive. With this setting, McAfee Labs checks that popular applications and
operating system files don't result in a false positive.
• High — Use this setting for deployment to systems or areas which are regularly
infected.
• Very high — Detections found with this level are presumed malicious, but haven't been fully tested to determine if they are false positives. McAfee recommends using this level for systems that require highest security.
Process Settings:
Use Standard settings for all processes — Applies standard settings when performing on-access scanning.
In the Standard process type:
• In Specify when to scan:
• When writing to disk — Scans files when they are written to.
• When reading from disk — Scans all files when they are read.
• Let McAfee decide — Scans files when written to or read.
• On network drives — Scans files in mounted-network volumes.
• In File type to scan:
• All files — Scans files with any extension.
• Default and specified file types — Scans files with extensions defined in the software, and
the extensions you specify. For the list of the default file types, see McAfee
KnowledgeBase article KB 84411.
• Also scan for macros in all files — Scans macros in the files.
• Specified file types only — Scans only files with extensions that you specify, and
optionally, files with no extension.
• In Specify what to scan:
• Compressed archive files — Scans the contents of compressed archive files.
Enable Overwrite exclusions configured on the client to overwrite the exclusions list created by
the managed Mac user.
For more information about configuring exclusions, see Exclude files or directories
from scanning.
6 Click Save.
Task
For details about product features, usage, and best practices, click ? or Help.
2 From the Policy Catalog, select Endpoint Security Threat Prevention as the product, then select On-Demand Scan
as the category.
3 Click New Policy, type a name for the policy, then click OK.
4 Click the policy that you created, click the Full Scan tab, then define these settings.
In... Configure...
Full Scan:
• Detect unwanted programs — Enables the scanner to detect potentially unwanted programs.
• Decode MIME encoded files — Scans Apple mail messages.
• Scan inside archives — Scans the contents of compressed archive files.
• Find unknown program threats — Detects files that contain code resembling malware.
• Find unknown macro threats — Detects unknown macro threats.
Scan Locations:
• Scan subfolders — Examines all subfolders in the specified volumes when any of these options are selected.
• Home folder
• Temp folder
• User profile folder
• File or folder
• All local drives
• All fixed drives
• All removable drives
• All mapped drives
You can add locations by clicking . Click to remove the locations from scanning.
File Types to Scan:
• All files — Scans all files regardless of extension.
McAfee strongly recommends that you enable All files to make sure that no malware
threat resides in your managed Mac systems.
• Default and specified file types — Scans files with extensions defined in the software and
extensions you specify. For the list of the default file types, see McAfee
KnowledgeBase article KB 84411.
Also scan for macros in all files — Enables scanning for macros in all files.
• Specified file types only — Scans only files with extensions that you specify. Select Include files with no extension to scan files that have no extension.
McAfee GTI:
• Enable McAfee GTI — Enables McAfee GTI, a heuristic network lookup for suspicious files.
Select the Sensitivity level as required:
• Very low — The detections and risk of false positives are the same as with regular
DAT content files. A detection is made available to Threat Prevention when McAfee
Labs publishes it instead of waiting for the next DAT content file update.
• Low — This setting is the minimum recommendation for systems with a strong
security footprint.
• Medium — Use this level when the regular risk of exposure to malware is greater than
the risk of a false positive. McAfee Labs proprietary, heuristic checks result in
detections that are likely to be malware. However, some detections might result in a
false positive. With this setting, McAfee Labs checks that popular applications and
operating system files don't result in a false positive.
• High — Use this setting for deployment to systems or areas which are regularly
infected.
• Very high — Detections found with this level are presumed malicious, but haven't been fully tested to determine if they are false positives. McAfee recommends using this level for systems that require highest security.
Actions:
In Threat detection first response:
• Continue scanning — Continues scanning files when a threat is detected. The scanner doesn't move items to the quarantine.
• Clean files — Removes the threat from the detected file.
• Delete files — Deletes the file that contains malware.
You can also configure a secondary response using the If first response fails option, in case
the primary response is unsuccessful.
In Unwanted program first response:
• Continue scanning — Continues scanning files when a threat is detected. The scanner
doesn't move items to the quarantine.
• Clean files — Removes the threat from the detected file.
• Delete files — Deletes the file that contains malware.
You can also configure a secondary response using the If first response fails option, in case
the primary response is unsuccessful.
Scheduled Scan Options:
• Scan only when the system is idle — Runs the scan only when the system is idle. The system is considered idle when there is no keyboard or mouse activity for 5 minutes.
The User can resume paused scans option is not supported for Mac systems.
• Scan anytime — Runs the scan even if the user is active and specifies options for the
scan.
The User can defer scans, User can pause and cancel scans, and Do not scan when the system is in
presentation mode options are not supported for Mac systems.
• Do not scan when the system is on battery power — Postpones the scan when the system is
using battery power.
5 Click Save.
For scheduling the task, see the product guide for your version of McAfee ePO.
Endpoint Security for Mac does not support the Right-Click Scan option.
Task
For details about product features, usage, and best practices, click ? or Help.
2 From the Policy Catalog, select Endpoint Security Threat Prevention as the product, then select On-Demand Scan
as the category.
3 Click New Policy, type a name for the policy, then click OK.
4 Click the policy that you created, click the Quick Scan tab, then define these settings.
In... Configure...
Quick Scan:
• Detect unwanted programs — Enables the scanner to detect potentially unwanted programs.
• Decode MIME encoded files — Scans Apple mail messages.
• Scan inside archives — Scans the contents of compressed archive files.
• Find unknown program threats — Detects files that contain code resembling malware.
• Find unknown macro threats — Detects unknown macro threats.
Scan Locations:
• Scan subfolders — Examines all subfolders in the specified volumes when any of these options are selected.
• Home folder
• Temp folder
• File or folder
• All removable drives
Select the directory from the Specify locations drop-down list. You can add directories by
clicking . Click to remove the directory from scanning.
• Default and specified file types — Scans files with extensions defined in the software and
extensions you specify. For the list of the default and specified file types, see
McAfee KnowledgeBase article KB 84411.
Also scan for macros in all files — Enables scanning for macros in all files.
• Specified file types only — Scans only files with extensions that you specify. Select Include files with no extension to scan files that have no extension.
McAfee GTI:
• Enable McAfee GTI — Enables McAfee GTI, a heuristic network check for suspicious files.
Actions:
In Threat detection first response:
• Continue scanning — Continues scanning files when a threat is detected. The scanner
doesn't move items to the quarantine.
• Clean files — Removes the threat from the detected file.
• Delete files — Deletes the file that contains malware.
You can also configure a secondary response using the If first response fails option, in
case the primary response is unsuccessful.
In Unwanted program first response:
• Continue scanning — Continues scanning files when a threat is detected. The scanner
doesn't move items to the quarantine.
• Clean files — Removes the threat from the detected file.
• Delete files — Deletes the file that contains malware.
You can also configure a secondary response using the If first response fails option, in
case the primary response is unsuccessful.
Scheduled Scan Options:
• Scan only when the system is idle — Runs the scan only when the system is idle.
The User can resume paused scans option is not supported for Mac.
• Scan anytime — Runs the scan even if the user is active and specifies options for the
scan.
The User can defer scans, User can pause and cancel scans, and Do not scan when the system is in
presentation mode options are not supported for Mac.
• Do not scan when the system is on battery power — Postpones the scan when the system is
using battery power.
5 Click Save.
For scheduling the task, see the product guide of your version of McAfee ePO.
Endpoint Security for Mac does not support the Right-Click Scan option.
Task
For details about product features, usage, and best practices, click ? or Help.
2 From the Policy Catalog, select Endpoint Security Threat Prevention as the product, then select On-Access Scan
or On-Demand Scan as required.
If you haven't created a policy, click New Policy, type a name for the policy, then click OK.
4 In the Exclusion area under Process Settings, click Add and define these settings as required, then click
Save.
In... Configure...
What to exclude:
• Pattern (can include wildcards * or ?) — Specifies the file pattern to exclude.
For example, to exclude all files on the desktop from scanning, specify the path as /Users/user/Desktop/*
• Also exclude subfolders — Excludes files and directories from the specified location.
• File type (can include wildcard ?) — Excludes files that contain the extension.
• File Age — Excludes files based on their age in terms of creation date and modified date.
• Modified — Excludes files that were edited earlier than the number of days specified in the Minimum age in days field.
• Created — Excludes files that were created earlier than the number of days specified in the Minimum age in days field.
• Accessed — Excludes files that were accessed earlier than the number of days specified in the Minimum age in days field.
Select the option Overwrite exclusions configured on the client to overwrite the client exclusion
list.
You can apply this option for On-Access Scan policies only.
These two options are applicable for On-Access Scan policies only.
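Every exclusion is a location the scanner no longer inspects, so it is worth checking how much a pattern covers before the policy is enforced. The following is an added example, not McAfee code: it models the Pattern, Also exclude subfolders, and File type fields and reports which sample paths each row would leave unscanned. The wildcard semantics, the `Exclusion` class, and the sample rows and paths are assumptions constructed for illustration.

```python
"""Review scan-exclusion rows for breadth (added example, not McAfee code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Exclusion:
    """One exclusion row, reduced to the fields modelled here (hypothetical)."""
    pattern: Optional[str] = None    # "Pattern (can include wildcards * or ?)"
    subfolders: bool = False         # "Also exclude subfolders"
    file_type: Optional[str] = None  # "File type (can include wildcard ?)"


def _wildcards_to_regex(text: str) -> str:
    # ASSUMPTION: '*' matches any run of characters inside one path component
    # and '?' matches exactly one such character; neither crosses a '/'.
    parts = []
    for ch in text:
        if ch == "*":
            parts.append("[^/]*")
        elif ch == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def is_excluded(excl: Exclusion, path: str) -> bool:
    """Return True if this model says `path` would be skipped by `excl`."""
    if excl.file_type is not None:
        # A row is treated as either a file-type row or a pattern row.
        name = path.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        # ASSUMPTION: extensions compare case-insensitively.
        type_regex = _wildcards_to_regex(excl.file_type.lower())
        return re.fullmatch(type_regex, ext.lower()) is not None
    if excl.pattern is None:
        return False
    folder, _, leaf = excl.pattern.rpartition("/")
    # ASSUMPTION: with "Also exclude subfolders" the leaf pattern may sit any
    # number of directories below the folder part of the pattern.
    depth = "(?:[^/]+/)*" if excl.subfolders else ""
    regex = _wildcards_to_regex(folder) + "/" + depth + _wildcards_to_regex(leaf)
    return re.fullmatch(regex, path) is not None


def audit(exclusions: List[Exclusion],
          must_scan: List[str]) -> List[Tuple[int, List[str]]]:
    """List (row index, paths left unscanned) for every row that hits a path."""
    findings = []
    for index, excl in enumerate(exclusions):
        hits = [p for p in must_scan if is_excluded(excl, p)]
        if hits:
            findings.append((index, hits))
    return findings


# Constructed policy rows. Row 0 uses the example path from the guide.
POLICY = [
    Exclusion(pattern="/Users/user/Desktop/*"),
    Exclusion(pattern="/Users/user/Desktop/*", subfolders=True),
    Exclusion(pattern="/Library/Application Support/BuildCache/*.o",
              subfolders=True),
    Exclusion(file_type="dm?"),
]

# Constructed paths in user-writable locations that should stay scanned.
MUST_SCAN = [
    "/Users/user/Desktop/installer.dmg",
    "/Users/user/Desktop/tools/helper.sh",
    "/Users/user/Downloads/update.pkg",
]

if __name__ == "__main__":
    for index, hits in audit(POLICY, MUST_SCAN):
        print(f"exclusion #{index} leaves unscanned: {hits}")
```

Rows that return hits for user-writable folders are the ones to narrow, for example by excluding a specific file name or a build directory instead of the whole folder.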
Task
For details about product features, usage, and best practices, click ? or Help.
3 Click the Assigned Client Tasks tab, then click Actions | New Client Task Assignment.
a For Product, select Endpoint Security Threat Prevention.
b For Task Type, select Policy Based On-Demand Scan, then select the task from the Task Name list.
4 Click Next.
7 In the System Tree, select the systems or groups where you assigned the task.
8 In the right pane, click the Group Details tab, then click Wake Up Agents.
9 In Force policy update, select Force complete policy and task update, then click OK.
Task
For details about product features, usage, and best practices, click ? or Help.
3 In Client Task Types, expand Endpoint Security Threat Prevention, select Custom On-Demand Scan, then click New
Task.
4 Select Custom On-Demand Scan from the Task Type drop-down list.
• Description
• Exclusions
6 On the Client Task Catalog page, select the custom scan that you created, click Assign, select a group to
assign the task, then click OK.
7 On the Select Task page, define the settings, then click Next.
Task
For details about product features, usage, and best practices, click ? or Help.
3 On the Assigned Client Tasks tab, click Actions, then select New Client Task Assignment.
a For product, select McAfee Agent.
d Type a name for the task, select Mac Engine and DAT in Signatures and engines from Package types, then
click Save. The task is listed under Task Name.
6 In the right pane, select Group Details, then click Wake Up Agents.
7 In Force policy update, select Force complete policy and task update, then click OK.
Firewall policy
Define firewall policies and rules and enforce them on a managed Mac to control incoming and
outgoing network traffic.
McAfee Endpoint Security for Mac uses the McAfee Endpoint Security Firewall extension to manage the
Mac.
This table lists the policies that you can create under each product category.
Because Firewall uses McAfee Endpoint Security Firewall extensions as common extensions, the features
specific to McAfee Endpoint Security are marked as Windows only.
Use Endpoint Security Firewall policy to create and enforce firewall rules, rule groups, to block access
to domains, and to create location-specific rules for your managed Mac systems.
For the list of features supported for Microsoft Windows and Macintosh operating systems, see McAfee
KnowledgeBase article KB84410.
Task
For details about product features, usage, and best practices, click ? or Help.
2 From the Policy Catalog, select Endpoint Security Firewall as the product, then select Rules as the category.
3 Click New Policy, type a name for the policy, then click OK.
4 On the Policy Catalog page, click the policy that you created, then define these settings.
6 On the Firewall Rules page, configure these options, then click Save.
• Move Up — Move up the selected rule one row.
If the item previous to the selected rule is a rule group, make sure that the rule group is not
expanded. Otherwise, the rule is added to the rule group.
If the item after the selected rule is a rule group, make sure that the rule group is not expanded.
Otherwise, the rule is added to the rule group.
• Duplicate — Copy the rule settings in a new name in the Firewall rules list.
• Add Group from Catalog — Add rule group from the catalog.
• Export — Export the rules as a .xml file. You can select multiple rules by using the Ctrl key.
Task
For details about product features, usage, and best practices, click ? or Help.
2 From the Policy Catalog, select Endpoint Security Firewall as the product, then select Rules as the category.
3 Click New Policy, type a name for the policy, then click OK.
4 On the Policy Catalog page, click the policy that you created, then define these settings:
5 Click Add Rule to create a Firewall rule, define these settings, then click Save.
Task
1 Log on to the McAfee ePO server as an administrator.
2 From the Policy Catalog, select Endpoint Security Firewall as the product, then select Rules as the category.
3 Click Add Group to create a Firewall group, define these settings, then click Save.
Task
For details about product features, usage, and best practices, click ? or Help.
2 From the Policy Catalog, select Endpoint Security Firewall as the product, then select Rules as the category.
3 Click New Policy, type a name for the policy, then click OK.
4 On the Policy Catalog page, click the policy that you created.
5 On the Firewall Rules page, click Add Group, define these settings, then click Save.
• Description
• Location
• Network
• Transport
6 Verify the configuration details, then click Save. The rule group appears on the Firewall Rules page.
7 Select the rule group, then click to expand the rule group.
8 Select the rule that you want to move to the rule group, then click Move Up or Move Down according to
the rule's position toward the rule group, until the rule is moved into the rule group.
• Click Move Up if the rule appears after the rule group.
• Click Move Down if the rule appears before the rule group.
Always expand the rule group before moving rules into the group. Otherwise, the rules are not
placed inside the rule group.
• Define the maximum time limit before TCP, UDP, and ICMP connections time out.
• Define networks
Task
For details about product features, usage, and best practices, click ? or Help.
2 From the Policy Catalog, select Endpoint Security Firewall as the product, then select Options as the
category.
3 Click New Policy, type a name for the policy, then click OK.
4 On the Policy Catalog page, click the policy that you created, then define these settings.
In... Configure...
Firewall:
Enable Firewall — Enables or disables Firewall protection on managed Mac.
Tuning Options:
• Enable Adaptive mode (create rules on the clients automatically) — Enables Adaptive mode on managed Mac.
• Retain existing user added rules and Adaptive mode rules when this policy is enforced — Retains rules
created locally on the managed Mac and the Adaptive mode rules.
• Use FTP Protocol Inspection — Creates dynamic rules for FTP data connections by
actively monitoring the FTP commands on the control channel.
5 Click Save.
Task
For details about product features, usage, and best practices, click ? or Help.
2 From the Policy Catalog, select Endpoint Security Firewall as the product, then select Rules as the category.
3 Click the policy for which you want to configure location awareness settings.
To create a new policy, click New Policy, type a name for the policy, then click OK to open the policy
page.
5 Type a name for the Group, select Enable group, then select Direction options.
• Require that ePolicy Orchestrator be reachable — Enable the group to match only if there is
communication with the McAfee ePO server and the FQDN of the server is resolved.
• Location criteria
• Connection-specific DNS suffix — Specify a connection-specific DNS suffix in the format:
domain.com.
• Default gateway — Specify a single IP address for a default gateway in IPv4 format.
• DHCP server — Specify a single IP address for a DHCP server in IPv4 format.
• DNS server — Specify a single IP address for a domain name server in IPv4 format.
• Primary WINS — Specify a single IP address for a primary WINS server in IPv4 format.
• Secondary WINS — Specify a single IP address for a secondary WINS server in IPv4 format.
You can use the Add from Catalog option to add settings from the catalog.
Task
For details about product features, usage, and best practices, click ? or Help.
2 From the Policy Catalog, select Endpoint Security Firewall as the product, then select Options as the
category.
3 Click New Policy, type a name for the policy, then click OK to open the policy page.
To configure the DNS settings for a policy that you have already created, click the policy.
4 In the DNS Blocking section, click Add, type the domain name, then click Save.
• Add — To add domains to the list.
When enabled, the software monitors each site that you access or browse, verifies its safety ratings,
and allows or blocks navigation to the site according to the configuration. You can also block access to
sites based on the content of the site.
Use Endpoint Security Web Control policies to configure protection settings for your managed Mac.
For the list of features supported for Microsoft Windows and Macintosh operating systems, see McAfee
KnowledgeBase article KB84410.
Task
For details about product features, usage, and best practices, click ? or Help.
2 From the Policy Catalog page, select Endpoint Security Web Control as the product, then select Options as the
category.
Task
For details about product features, usage, and best practices, click ? or Help.
2 From the Policy Catalog page, select Endpoint Security Web Control as the product, then Content Actions as the
category.
3 Click New Policy, type a name for the policy, then click OK.
4 In Rating Actions, define Rating actions for sites, then click Save.
For more information about site rating and its descriptions, see Color-coded buttons.
Web Control does not scan files that are downloaded from allowed sites. However, if you installed
the Threat Prevention module and enabled on-access scanning, files are scanned for threats.
Task
For details about product features, usage, and best practices, click ? or Help.
2 From the Policy Catalog page, select Endpoint Security Web Control as the product, then select Block and Allow
List as the category.
4 On the Create a New Policy dialog box, type a name and description for the policy.
5 On the Policy Catalog page, click the policy that you created.
• Search — Search the Block and Allow List. This feature is useful for finding sites in large lists.
• Test Pattern — Test whether specific sites match the patterns in the Block and Allow List.
• Enable allowed sites to take precedence over blocked sites — By default, when a site is set to both Allow and
Block, the block action takes precedence and the site is blocked. Select this option to override
the default behavior and make sure that users can access allowed sites, even if they are also
blocked.
When selecting this option, make sure that allowed sites are safe so that client systems remain
protected from web-based threats.
8 Click Save.
Task
For details about product features, usage, and best practices, click ? or Help.
2 From the Policy Catalog page, select Endpoint Security Web Control as the product, then select Options as the
category.
3 Click New Policy, type a name for the policy, then click OK.
• Log events for allowed sites configured in the Block and Allow List
5 Click Save.
Task
For details about product features, usage, and best practices, click ? or Help.
2 From the Policy Catalog page, select Endpoint Security Web Control as the product, then select Options as the
category.
3 Click New Policy, type a name for the policy, then click OK.
4 On the Policy Catalog page, click the policy that you created, then define these settings.
In ... Configure...
Web Control:
Enable Web Control — Enables or disables Web Control on managed Mac systems.
Event Logging:
• Log web categories for green rated sites — Logs content category details for the green-rated sites that you access.
• Log events for allowed sites configured in the Block and Allow List — Logs events for sites listed
in the Block and Allow List with Allow permission.
Action Enforcement:
Apply this action to sites not yet verified by McAfee GTI:
• Allow — Allows access to unverified sites
• Block — Blocks access to unverified sites
• Warn — Displays a warning for unverified sites. You can either select Continue or
Cancel the navigation.
• Blocks site by default if McAfee GTI ratings server is not reachable — Blocks access to sites if
McAfee GTI is not reachable for site rating.
• Blocks phishing pages for all sites (Includes Allowed sites and overrides content rating actions) — Blocks access to phishing sites although the Block and Allow List allows access to the site and the content rating is enabled.
Exclusions:
Allow all IP addresses in the local network — Allows the IP addresses of the local network.
Specify IP addresses or ranges to exclude from Web Control rating or blocking — Excludes the IP
addresses from Web Control rating and blocking.
Specify only a single IP address or the IP address range. The software doesn't
support Classless Inter-Domain Routing (CIDR) IP address format.
5 Click Save.
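Because the exclusion field accepts only single addresses or ranges and not CIDR notation, network lists kept in CIDR form have to be converted first. The following added example (not McAfee code) validates IPv4 entries, turns CIDR blocks into explicit ranges, merges overlapping or adjacent ranges, and refuses ranges larger than a chosen size so that a typo cannot exempt a whole network from rating. The `first-last` output form, the `max_addresses` threshold, and the sample entries are assumptions.

```python
"""Convert CIDR blocks to explicit IPv4 ranges (added example, not McAfee code)."""
import ipaddress
from typing import Iterable, List, Tuple

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def to_range(entry: str) -> Range:
    """Parse one IPv4 address, 'first-last' range, or CIDR block."""
    entry = entry.strip()
    if "/" in entry:
        # strict=True rejects blocks with host bits set (for example
        # 10.20.0.5/24), which usually indicates a typo in the source list.
        net = ipaddress.IPv4Network(entry, strict=True)
        return net[0], net[-1]
    if "-" in entry:
        first_text, last_text = entry.split("-", 1)
        first = ipaddress.IPv4Address(first_text.strip())
        last = ipaddress.IPv4Address(last_text.strip())
        if first > last:
            raise ValueError(f"range is reversed: {entry!r}")
        return first, last
    addr = ipaddress.IPv4Address(entry)
    return addr, addr


def merge(ranges: Iterable[Range]) -> List[Range]:
    """Merge overlapping or directly adjacent ranges."""
    merged: List[Range] = []
    for first, last in sorted(ranges):
        if merged and int(first) <= int(merged[-1][1]) + 1:
            prev_first, prev_last = merged[-1]
            merged[-1] = (prev_first, max(prev_last, last))
        else:
            merged.append((first, last))
    return merged


def exclusion_entries(entries: Iterable[str],
                      max_addresses: int = 65536) -> List[str]:
    """Return CIDR-free entries, one per merged range.

    max_addresses is a hypothetical review threshold: any merged range that
    covers more addresses is rejected instead of being silently excluded.
    """
    result = []
    for first, last in merge(to_range(e) for e in entries):
        size = int(last) - int(first) + 1
        if size > max_addresses:
            raise ValueError(f"{first}-{last} covers {size} addresses")
        # ASSUMPTION: a range is written as 'first-last'.
        result.append(str(first) if first == last else f"{first}-{last}")
    return result


# Constructed sample input in mixed notation.
SAMPLE = [
    "10.20.0.0/24",
    "10.20.1.0/24",
    "192.168.5.10",
    "192.168.5.11-192.168.5.20",
]

if __name__ == "__main__":
    for line in exclusion_entries(SAMPLE):
        print(line)
```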
Query | Displays
Endpoint Security Threat Prevention: Hotfixes Installed | The hotfixes installed for the software.
Endpoint Security Threat Prevention: On-Access Scan Compliance Status | This is the On-Access Scan compliance status.
Endpoint Security Threat Prevention: Duration of Completed Full Scans in the Last 7 Days | The duration of completed Full Scan in the last seven days.
Endpoint Security Threat Prevention: Systems Not Completed a Full Scan in the Last 7 Days | The number of systems that have not completed a Full Scan in the last seven days but within the last month.
Endpoint Security Threat Prevention: Systems Not Completed a Full Scan in the Last Month | The number of systems that have not completed a Full Scan in the last month.
Endpoint Security Threat Prevention: Duration of Completed Quick Scans in the Last 7 Days | The duration of completed Quick Scan in the last seven days.
Endpoint Security Threat Prevention: Detection Response Summary | The number of threats on which an action was taken (Clean, or Delete), versus the number of threats on which no action was taken, in the last three months.
Endpoint Security Threat Prevention: Threats Detected Over the Previous 2 Quarters | The threats detected in the previous two quarters. No cookies.
Endpoint Security Threat Prevention: Threat Count by Severity | Slice count is the number of events. Slices are the different event severities. All in the last three months.
Endpoint Security Threat Prevention: Top 10 Detected Threats | The top 10 detected items in the last three months.
Endpoint Security Threat Prevention: Top 10 Threat Sources | The top 10 computers which are the source for a threat in the last three months.
Endpoint Security Threat Prevention: Top 10 Computers with the Most Detections | The top 10 computers with the most detections in the last three months.
Endpoint Security Threat Prevention: Top 10 Threats Per Threat Category | The top 10 threats per threat category in the last three months, grouped by threat category then by threat name.
Endpoint Security Threat Prevention: Top 10 Users with the Most Detections | The top 10 users with the most detections in the last three months.
Endpoint Security Threat Prevention On-Access Scan McAfee GTI Sensitivity level | This report displays the McAfee GTI sensitivity level for On-Access Scans.
Endpoint Security Threat Prevention On-Demand Scan Full Scan GTI sensitivity level | This report displays the McAfee GTI sensitivity level for On-Demand Full Scans.
Endpoint Security Threat Prevention On-Demand Scan Quick Scan GTI sensitivity level | This report displays the McAfee GTI sensitivity level for On-Demand Quick Scans.
| Query | Displays |
|---|---|
| Endpoint Security Firewall : Intrusion events in the last 24 hours | The number of intrusion events in the last twenty-four hours. |
| Endpoint Security Firewall : Traffic Block events in the last 24 hours | The number of traffic blocked events in the last twenty-four hours. |
| Endpoint Security Firewall: Hotfixes Installed | The hotfixes installed for Endpoint Security software. |
| Endpoint Security Firewall Status | The Endpoint Security Firewall status. |
| Endpoint Security Firewall : Compliance Status | Whether the firewall status is enabled or disabled on managed Mac. |
| Endpoint Security Firewall : Count of Firewall Client Rules | The number of Firewall client rules created over time. |
| Endpoint Security Firewall : Client Rules By Protocol/System Name | Firewall client rules listed by protocol and system name. |
| Endpoint Security Firewall : Events in the last 24 hours | The number of Firewall events in the last twenty-four hours. |
| Query | Displays |
|---|---|
| Endpoint Security Web Control: Visit Log | The detailed event log for site navigation log activity for the last thirty days. |
| Endpoint Security Web Control: Top 100 Blocked Red Sites | The top 100 red category sites that were blocked in the last thirty days. |
| Endpoint Security Web Control: Top 100 Blocked Sites | The top 100 blocked sites that were blocked in the last thirty days. |
| Endpoint Security Web Control: Top 100 Visited Red Sites | The top 100 red category sites visited in the last thirty days. |
| Endpoint Security Web Control: Top 100 Red Sites on Allow List | The top 100 red category sites allowed because of Allow or Block list policy in the last thirty days. |
| Endpoint Security Web Control: Top 100 Sites on Allow List | The top 100 sites allowed because of Allow or Block list policy in the last thirty days. |
| Endpoint Security Web Control: Top 100 Sites on Block List | The top 100 sites blocked because of Allow or Block list policy in the last thirty days. |
| Endpoint Security Web Control: Top 100 Visited Unrated Sites | The top 100 unrated sites visited in the last thirty days. |
| Endpoint Security Web Control: Top 100 Warned-Cancelled Sites | The top 100 sites that were warned-cancelled in the last thirty days. |
| Endpoint Security Web Control: Top 100 Warned-Continued Sites | The top 100 sites that were warned-continued in the last thirty days. |
| Endpoint Security Web Control: Top 100 Visited Yellow Sites | The top 100 yellow category sites visited in the last thirty days. |
| Endpoint Security Web Control: Top Sites Grouped by Content | The top sites grouped by contents in the last thirty days. |
| Endpoint Security Web Control: Visits by Action Grouped by Content | The chart depicting the number of visits to each content category in the last thirty days, grouped by policy-based actions. |
| Endpoint Security Web Control: Visits by Action | The chart depicting number of visits in the last thirty days, grouped by policy-based actions. |
| Endpoint Security Web Control: Visits by Content | The chart depicting number of visits in the last thirty days, grouped by site content. |
| Endpoint Security Web Control: Visits by Rating | The chart depicting number of visits in the last thirty days, grouped by site rating. |
| Endpoint Security Web Control: Web Content Categories that Caused the Most Infections in the Last 7 Days | The web content category with the most infections in the last seven days. |
| Endpoint Security Web Control: Compliance Status | The Web Control Compliance Status report. |
| Endpoint Security Web Control: Hotfixes Installed | The hotfixes installed for Endpoint Security. |
Other queries
Run these queries to generate reports, or modify them to generate custom reports.
| Query | Displays |
|---|---|
| Endpoint Security: Top Infected Users in the Last 7 Days | The list of top infected users in the last seven days. |
| Endpoint Security: Primary Vectors of Attack in the Last 7 Days | The list of Primary Vectors of Attack in the last seven days. |
| Endpoint Security: Top Threats in the Last 48 Hours | The list of top threats in the last forty-eight hours. |
| Endpoint Security: Threats Detected in the Last 24 Hours | The number of threat events generated in the last twenty-four hours. |
| Endpoint Security: Threats Detected in the Last 7 Days | The number of threat events generated in the last seven days. |
| Endpoint Security: Summary of Threats Detected in the Last 24 Hours | The summary of threats detected in the last twenty-four hours. |
| Endpoint Security: Summary of Threats Detected in the Last 7 Days | The summary of threats detected in the last seven days. |
| Endpoint Security: Currently Enabled Technology | The list of technologies that are currently enabled on each managed Mac. |
| Endpoint Security: Policy Compliance by Computer Name | Two lists of computers which do and do not have the latest policy applied. |
| Endpoint Security: Policy Compliance by Policy Name | A boolean pie chart showing which policies have and have not been updated on the client Mac. |
| Endpoint Security: Self Protection Compliance Status | The list of self-protection compliance status report. |
| Endpoint Security Platform: Hotfixes Installed | The list of hotfixes installed for the software. |
| Endpoint Security: Installation Status Report | The stacked bar chart of multiple modules and their installation status. |