McAfee Endpoint Security Migration Guide. (McAfee epolicy Orchestrator)

Transcription

1 McAfee Endpoint Security Migration Guide (McAfee epolicy Orchestrator)

2 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2 McAfee Endpoint Security Migration Guide

3 Contents 1 Migration overview 5 Product settings that you can migrate Types of migration What happens to policies during migration Upgrade legacy software with migrated settings workflow Overview of migration tasks Planning and preparation 11 Preparing to migrate Choosing a migration path Install the Migration Assistant Migrating your settings automatically 15 Automatic migration workflow Migrate settings automatically Verify automatically migrated objects How repeated automatic migrations are handled Migrating your settings manually 21 Manual migration workflow Migrate policies manually Migrate client tasks manually Migrate the Host IPS Catalog manually Verify manually migrated objects How repeated manual migrations are handled Changes to migrated product settings 27 McAfee Default policy and product default settings Policy names and notes Multiple-instance policies and tasks Multiple-platform and single-platform policies How policies are merged during migration Migrating legacy settings to the Common Options policy Migrating VirusScan Enterprise policies to Threat Prevention Migration notes for VirusScan Enterprise settings Merging on-access scan settings from Windows, Mac, and Linux Migrating IPS Rules to Threat Prevention Migration notes for IPS Rules settings Merging Access Protection and Buffer Overflow Protection settings Migrating Host IPS Firewall policies to Endpoint Security Firewall Migration notes for McAfee Host IPS Firewall settings Migrating SiteAdvisor Enterprise policies to Web Control Migration notes for SiteAdvisor Enterprise settings Migrating legacy Mac policies to Threat Prevention Migration notes for McAfee Endpoint Security for Mac settings McAfee Endpoint Security Migration Guide 3

4 Contents Migrating legacy Linux policies to Threat Prevention Migration notes for VirusScan Enterprise for Linux settings A Troubleshooting 53 Error messages Resolving blocked applications with Adaptive mode B IPS Rules migration 55 Signature-level settings in migrated IPS Rules Subrule-level settings in migrated IPS Rules Exceptions Application Protection Rules C Creating Firewall rules to replace predefined Access Protection port-blocking rules 61 Create rule to prevent mass mailing worms from sending mail Create rule to prevent IRC communication Create rule to prevent FTP communication Create rule to prevent HTTP communication D Maps of migrated policies 67 Policy maps E Changes to migrated settings 75 Changes to VirusScan Enterprise settings Changes to IPS Rules settings in Host Intrusion Prevention Changes to Firewall settings Changes to SiteAdvisor Enterprise settings Changes to McAfee Endpoint Security for Mac settings Changes to McAfee VirusScan Enterprise for Linux settings Index 97 4 McAfee Endpoint Security Migration Guide

5 1 Migration overview When you upgrade your legacy products to McAfee Endpoint Security, McAfee Endpoint Security for Mac, and McAfee Endpoint Security for Linux, you can also migrate your custom settings and assignments. The Endpoint Migration Assistant guides you through the migration process. The Migration Assistant migrates settings in environments managed with McAfee epolicy Orchestrator (McAfee epo ) version or later. Contents Product settings that you can migrate Types of migration What happens to policies during migration Upgrade legacy software with migrated settings workflow Overview of migration tasks Product settings that you can migrate Endpoint Security enables you to migrate settings for the most recent versions of supported McAfee legacy products installed on your Windows, Mac, and Linux platforms. Migration requires a Threat Prevention License extension for the operating system platform. The Migration Assistant checks for a macos and Linux License extension before enabling the option to migrate macos and Linux settings. You can migrate these objects for the following legacy products. Product versions that migrate (all patch levels) McAfee VirusScan Enterprise 8.8 McAfee Host Intrusion Prevention Firewall 8.0 Settings that migrate Policies You can migrate workstation policies, server policies, or both if you have both defined. Client tasks Host IPS Catalog Renamed Firewall Catalog in Endpoint Security. Firewall and General policies McAfee Endpoint Security Migration Guide 5

6 1 Migration overview Types of migration Product versions that migrate (all patch levels) McAfee Host Intrusion Prevention 8.0 McAfee SiteAdvisor Enterprise 3.5 McAfee Endpoint Protection for Mac 2.3 McAfee VirusScan for Mac 9.8 McAfee VirusScan Enterprise for Linux Settings that migrate IPS Rules policy: Excluded Application Protection Rules (Windows and Linux) IPS Exceptions (Windows and Linux) Custom signatures (Windows and Linux) McAfee-defined signatures supported by the Exploit Prevention policy IPS Protection policy (Windows and Linux) Policies Client tasks Anti-malware policy: On-access Scan Exclusions: On-access Scan On-Access Scanning policy On-Demand Scanning client tasks If unsupported product versions are installed, upgrade them to supported versions before proceeding with migration. See the legacy product documentation for upgrade instructions. Types of migration You can let Migration Assistant migrate all your settings and assignments automatically, based on your current settings and new product defaults, or you can select and configure them manually. Automatic migration Migrates the entire System Tree or a single group and its subgroups. Migrates these settings and retains assignments: Host IPS Catalog Policies and client tasks for all supported Windows products (Optional) Some policy settings for supported Mac products (Optional) Some policy settings and client tasks for supported Linux products Manual migration Lets you select the Host IPS Catalog, policies, or client tasks to migrate. Best practice: Migrate the Host IPS Catalog immediately before the McAfee Host IPS Firewall policies to ensure that they remain synchronized. Lets you edit policies during the migration process, if needed. 6 McAfee Endpoint Security Migration Guide

7 Migration overview What happens to policies during migration 1 What happens to policies during migration Endpoint Security optimizes and consolidates legacy products into an integrated, efficient new platform. In addition to new and enhanced features that leverage the latest developments in security technology, a new McAfee Endpoint Security Platform (also known as McAfee Endpoint Security Common) module centralizes the shared protection features so they are easily accessible by all product modules. As a result, some of the policy settings you are familiar with in legacy products have changed. The Endpoint Migration Assistant ensures that the settings in your legacy policies are moved to the correct policies in Endpoint Security. In some cases, they are merged with other Endpoint Security settings, and in others, new default settings are applied to support updated technologies. New and revised categories reflect new and shared features. New settings represent new functionality. Some settings are removed, moved to a different category or policy, or merged with settings for other features. Some settings for multiple operating system platforms can be migrated to separate single-platform policies or one multi-platform policy. Settings shared by multiple product modules and features are moved to the Options policy in the Common module. In some cases, settings are duplicated in multiple policies for use by functionality that is split across modules. McAfee Endpoint Security Migration Guide 7

8 1 Migration overview Upgrade legacy software with migrated settings workflow See the Changes to migrated settings appendix for details about settings that are removed, moved, renamed, or merged. Figure 1-1 Source and target policies Upgrade legacy software with migrated settings workflow When upgrading legacy products to Endpoint Security, you can optionally save (or migrate) your custom settings using Endpoint Migration Assistant. Migration tasks integrate into the basic workflow for upgrading to a new version of the software. See the McAfee Endpoint Security 10.6 Installation Guide for more information about the upgrade workflow tasks. 1 Confirm that your upgrade path is supported. 2 Review your legacy settings and prepare them for migration. 3 Check in the product package files and the McAfee Agent package files to the McAfee epo server. 4 Upgrade McAfee Agent. 5 Manually update your McAfee epo server with the latest content files required for Endpoint Security: AMCore, Exploit Prevention, and Adaptive Threat Protection content files. 6 Migrate policies, client tasks, and other settings from supported legacy products. 8 McAfee Endpoint Security Migration Guide

9 Migration overview Upgrade legacy software with migrated settings workflow 1 7 Deploy the client software with default or custom settings to managed systems in one of these ways: Remotely to multiple managed systems with deployment tasks. Locally on managed systems with an installation URL. 8 Verify that the client software is installed and up to date on all managed systems. 9 Verify that the settings migrated successfully. 10 (Optional) Configure settings as needed. McAfee Endpoint Security Migration Guide 9

10 1 Migration overview Overview of migration tasks Overview of migration tasks As part of the workflow for upgrading a legacy version of the software, use McAfee Endpoint Migration Assistant to migrate your custom settings to Endpoint Security policies before upgrading your legacy software. 1 Review your custom settings and prepare them for migration. 2 Download and install the Migration Assistant extension on the McAfee epo server. 3 Open Migration Assistant, select an automatic or manual path, then follow the instructions on the screen. Automatic migration Migrates all supported legacy settings for all supported Windows products installed on all your managed systems or only the systems in one group. Optionally migrates all supported settings for supported Mac and Linux products. Keeps assignments. Manual migration Lets you select the settings to migrate, then edit the policies if needed. Does not keep assignments. 4 (Manual migration only) Repeat step 3 to select and migrate additional settings. 5 Verify that your settings were migrated successfully. See also Preparing to migrate on page 11 Install the Migration Assistant on page 13 Choosing a migration path on page McAfee Endpoint Security Migration Guide

11 2 Planning 2 and preparation Contents Preparing to migrate Choosing a migration path Install the Migration Assistant Preparing to migrate To streamline the migration process and minimize conflicts or duplication in migrated settings, follow these best practices before migrating. Check system requirements Make sure that the environment and managed systems where you want to install Endpoint Security meet all requirements described in: Windows KB82761 and the McAfee Endpoint Security Installation Guide Macintosh KB84934 and the McAfee Endpoint Security for Mac Product Guide Linux KB87073 and the McAfee Endpoint Security for Linux Product Guide Check product licensing requirements Migration requires a Threat Prevention License extension for the operating system platform. The Migration Assistant checks for a macos and Linux License extension before enabling the option to migrate macos and Linux settings. Install the Endpoint Migration Assistant The Migration Assistant is a self-contained McAfee epo extension that you need to install on the McAfee epo server. Review and revise objects you plan to migrate Review legacy settings and assignments. Consolidate them where possible. Remove duplicates and unused objects. Review VirusScan Enterprise exclusion rules for unsupported characters. Wherever the ; character is used as a delimiter to separate include and exclude processes, replace it with the, character. Best practice: See KB66909 for links to frequently used Technical Articles about file and folder exclusions for Endpoint Security 10.x.x and VirusScan Enterprise 8.x. Notify others not to make changes to the Policy Catalog, Client Task Catalog, and Host IPS Catalog during migration If objects change while you're migrating them, the migrated objects don't reflect those changes. Locate unassigned policies and client tasks for migration (Automatic migration only) During automatic migration, only policies and client tasks that are assigned to at least one group or managed system are migrated. Use manual migration to migrate unassigned policies or client tasks. McAfee Endpoint Security Migration Guide 11

12 2 Planning and preparation Choosing a migration path What to do next Once you install the Migration Assistant and review the settings you want to migrate, you are ready to begin migration. See the Maps of migrated policies appendix for illustrations of how legacy policies are migrated to Endpoint Security policies. See the Changes to migrated settings appendix for details about settings that are removed, moved, renamed, or merged. See also Policy maps on page 67 Choosing a migration path Decide which migration path to follow by considering the characteristics of your network or managed systems and your migration goals. 1 Decide whether you need to migrate. Do you want to retain any current settings or assignments for your legacy products? No Install Endpoint Security without migrating. See the product installation guide for instructions. Yes Use the Endpoint Migration Assistant to migrate your settings before deploying the Endpoint Security Client to systems. 2 If you want to migrate your settings, decide whether to migrate automatically or manually. Automatic migration is a "hands-off" process. The Migration Assistant makes most migration decisions "behind the scenes." Recommended if you: Have a network with fewer than 250 managed systems Use default policy settings or a minimum number of custom policies Best practice: You can test and verify automatic migration on a single group in your System Tree before migrating settings for all your managed systems. Manual migration is a "hands-on" process. You make most of the migration decisions by selecting the objects to migrate and editing their settings, if needed. Recommended if you: Have a network with more than 250 managed systems Use multiple custom policies Want to fine-tune existing policy settings during the migration process Want to fine-tune assignments Want to migrate settings to single-platform policies Want to personally supervise and approve each step of the migration process 12 McAfee Endpoint Security Migration Guide

13 Planning and preparation Install the Migration Assistant 2 Table 2-1 Choosing a migration path Automatic migration Manual migration Pros Requires minimal input from you. Migrates settings for the entire System Tree or a single group and its subgroups. Migrates all policies, client tasks, and the Host IPS Catalog for Windows products. Migrates IPS Trusted Applications settings where Mark Trusted with IPS is enabled. Optionally migrates policies for Mac and Linux products. Optionally migrates Linux on-demand scan client tasks. Creates multi-platform target policies combining Windows, Mac, and Linux settings. Retains policy and client task assignments. Lets you select objects to migrate. Lets you edit policies before migrating. Lets you create both single-platform and multi-platform target policies. Cons You can't select specific objects to migrate. You can't edit target policies. You can't create single-platform target policies. Does not migrate unassigned policies. Requires input from you. Does not retain assignments. You need to assign policies and client tasks to managed systems. Does not migrate IPS Trusted Applications settings where Mark Trusted with IPS is enabled. See also How repeated automatic migrations are handled on page 19 Automatic migration workflow on page 15 Manual migration workflow on page 21 Install the Migration Assistant The Migration Assistant extension is required only for migrating legacy settings to Endpoint Security. It is not part of the Endpoint Security product extension package. You must install it on your McAfee epo server as a separate extension if you plan to migrate. Task 1 In McAfee epo, select Menu Software Manager Software Not Checked In. 2 On the left side of the Software Manager screen, under Product Categories, select Licensed, then: a In the Software Not Checked In table, select McAfee Endpoint Security Migration Assistant. The description and the extension for the Migration Assistant are displayed in the table at the bottom of the screen. b Click Check In to check in the Migration Assistant extension to your McAfee epo. When installation is complete, the Migration Assistant is listed on the Extensions screen. McAfee Endpoint Security Migration Guide 13

14 2 Planning and preparation Install the Migration Assistant 14 McAfee Endpoint Security Migration Guide

15 3 3 Migrating your settings automatically Contents Automatic migration workflow Migrate settings automatically Verify automatically migrated objects How repeated automatic migrations are handled Automatic migration workflow Automatic migration migrates all the supported settings for all the supported products you have installed on your Windows, Mac, and Linux systems. This migration path requires minimal input from you. Use automatic migration to migrate all the policies and client tasks for the legacy products on your Windows systems. It also migrates the entries in your legacy Host IPS Catalog to the new Endpoint Security Firewall Catalog. Optionally, you can migrate on-demand scan client tasks and some IPS rules for Linux, and on-access scan policy settings for Mac and Linux. The Endpoint Migration Assistant creates and assigns the new Endpoint Security policies and client tasks automatically, based on your current product settings. 1 Run the Endpoint Migration Assistant and select Automatic migration. 2 Select the systems to migrate. You can migrate the entire System Tree or a single group and its subgroups. 3 If Mac or Linux products are installed, specify whether to migrate them. 4 If there are VirusScan Enterprise policies to migrate, specify whether to migrate policies for workstations, servers, or both. 5 Preview and save the proposed policies. A server task runs and completes the policy migration. It also migrates client tasks and the Host IPS Catalog. McAfee Endpoint Security Migration Guide 15

16 3 Migrating your settings automatically Automatic migration workflow Automatic migration retains assignments for migrated policies and client tasks. After automatic migration completes, you can deploy Endpoint Security 10.6 to managed systems. Best practice: Test migration by migrating a single System Tree group. View the migrated policies for a preview of how settings are merged and assigned. Migrate additional groups as needed, then migrate the entire System Tree when you are ready. Settings created for a group during previous automatic migrations are deleted when you migrate the group automatically again. Figure 3-1 Automatic migration workflow 16 McAfee Endpoint Security Migration Guide

17 Migrating your settings automatically Migrate settings automatically 3 For these objects... Policies Client Tasks (Windows and Linux) Host IPS Catalog The Migration Assistant... Creates the new policies, adds them to the Endpoint Security Policy Catalog, and assigns them to the same managed systems. You can preview the new policies before they are created. Migrates policies for the entire System Tree or a single group. Migrates policies for Windows products automatically. Migrates supported policies for Mac and Linux products, if selected. When similar settings for Windows and non-windows products are migrated, Windows settings take precedence. On-access scan exclusions are merged. Migrates VirusScan Enterprise settings for workstations, servers, or both. If you don't like the previewed policies, you can cancel the migration and begin a manual migration instead. Creates new tasks, adds them to the Endpoint Security Client Task Catalog, and assigns them to the same managed systems. Client tasks for Windows products are migrated automatically. If VirusScan Enterprise for Linux is installed, select whether to migrate its on-demand scan client tasks. Migrates legacy catalog entries to the Endpoint Security Firewall Catalog. Migrate settings automatically Use automatic migration to migrate your currently assigned policies and client tasks and the Host IPS Catalog with minimal interaction. Before you begin Verify that the products to migrate are supported. Install the Endpoint Migration Assistant extension on the McAfee epo server. Do not allow others to make changes to the objects you are migrating until migration is complete. Task 1 In McAfee epo, select Menu Policy Endpoint Migration Assistant. 2 For Mode, select Automatic migration. 3 Select the systems to migrate. Migrate entire System Tree Migrates settings for all systems. Migrate a single System Tree group Migrates settings for a single System Tree group and its subgroups. McAfee Endpoint Security Migration Guide 17

18 3 Migrating your settings automatically Verify automatically migrated objects 4 If VirusScan Enterprise is installed, select which policies to migrate. Workstation Migrates only workstation policies. (Default) Server Migrates only server policies. Workstation and server Migrates both workstation and server policies. The type of policy you select is created and assigned to the type of system where it was previously assigned. If you migrate only workstation or server policies, you can migrate the other policies manually at a later time. 5 If supported non-windows products are installed, select whether to migrate them. Mac Migrates on-access scan policy settings from McAfee Endpoint Security for Mac. Linux Migrates on-access scan policy settings and on-demand scan client tasks from VirusScan Enterprise for Linux. Automatic migration creates multi-platform policies shared by all operating system platforms. If you want to migrate at a later time, or create single-platform policies, use manual migration to migrate these products. 6 Click Next to generate a preview of the new Endpoint Security policies. A progress bar appears and lets you know how many policies are being included in the preview. 7 Review the new policies. a Under New Categories in the left pane, select a category, then preview the new policies for that category in the right pane. b (Optional) For every new policy that is created under Endpoint Security, click Rename and Edit Notes to rename the policy or edit the policy notes, if needed. 8 Click Save to run a server task to complete the migration. The Migration Assistant runs a server task in the background to migrate your policies. Client tasks and the Host IPS Catalog are also migrated. You can check its status in the Server Task Log. You must wait for the server task to complete before starting another migration session. Verify automatically migrated objects Check that objects were migrated successfully before deploying Endpoint Security to managed systems. Before you begin You have used the Endpoint Migration Assistant to manually migrate legacy product settings to Endpoint Security. Task 1 Verify migrated policies. a In McAfee epo, select Menu Policy Policy Catalog. b Select each product module, then check that the migrated policies were created. 18 McAfee Endpoint Security Migration Guide

19 Migrating your settings automatically How repeated automatic migrations are handled 3 2 Verify migrated policy assignments. a In McAfee epo, select Menu Systems Section System Tree. b c View the Assigned Policies for the groups and systems where the source policies were assigned. Verify that the new Endpoint Security policies are assigned to those groups and systems. 3 Verify migrated client tasks. a In McAfee epo, select Menu Policy Client Task Catalog. b Select each product module where you migrated client tasks, then select the category for each task you migrated, and verify that the migrated client task was created. 4 Verify migrated client task assignments. a In McAfee epo, select Menu Systems Section System Tree. b c Review the Client Task Assignments for the groups and systems where the source client tasks were assigned. Verify that the migrated client tasks have the same schedule and settings as the source client tasks. 5 Verify the migrated Firewall Catalog. a In McAfee epo, select Menu Policy Firewall Catalog. b Verify that the migrated entries appear in the migrated Firewall Catalog. How repeated automatic migrations are handled Running automatic migration after you have already migrated some or all of your settings affects the new objects created during the previous migration session. When you run automatic migration after migrating previously, the Migration Assistant: Deletes objects created during a previous automatic migration session for the same systems. First migration Single group Entire System Tree Entire System Tree Second migration Same single group Entire System Tree Entire System Tree Single group Policies in Policy Catalog after second migration Only the new policies created in the most recent migration session. (The policies created in the first migration session are replaced.) For the group Only the new policies created in the most recent migration session. (The policies created in the first migration session are replaced.) For other systems in the System Tree Policies created in the first migration session. (The policies created in the first migration session are not changed.) Retains objects created during a previous manual migration, but does not retain their assignments. Assigns the new policies to managed systems. For example, if you have assigned policies that you migrated manually to managed systems, the new policies are assigned instead. McAfee Endpoint Security Migration Guide 19

20 3 Migrating your settings automatically How repeated automatic migrations are handled These actions also apply to the Common Options policies created during previous migrations. 20 McAfee Endpoint Security Migration Guide

21 4 4 Migrating your settings manually Contents Manual migration workflow Migrate policies manually Migrate client tasks manually Migrate the Host IPS Catalog manually Verify manually migrated objects How repeated manual migrations are handled Manual migration workflow Manual migration migrates selected settings for the supported products you have installed on your Windows, Mac, and Linux systems. This is an interactive migration path that requires your input. Use manual migration to migrate selected policies, client tasks, or the Host IPS Catalog for your legacy products. The Endpoint Migration Assistant lets you select specific objects to migrate and edit the policies if needed. Manual migration does not retain assignments for migrated objects. 1 Run the Endpoint Migration Assistant and select Manual migration. 2 Select the type of objects to migrate. If you select the Host IPS Catalog, a server task runs and completes the Catalog migration. If you select Policies or Client Tasks, select what you want to migrate from the categories, then save your selections. You can edit policies, if needed. You can also edit notes for policies and client tasks. Your selections are migrated in the background. Best practice: Migrate the Host IPS Catalog immediately before the McAfee Host IPS Firewall policies to ensure that they remain synchronized. 3 Run the Migration Assistant again to migrate additional objects. McAfee Endpoint Security Migration Guide 21

22 4 Migrating your settings manually Migrate policies manually After manual migration, you must assign the new policies and client tasks to managed systems as part of product deployment. See the McAfee epolicy Orchestrator Installation Guide for more information. Figure 4-1 Manual migration workflow Migrate policies manually Use manual migration to select the policies to migrate, then edit them if needed. Once the new policies are created, you need to assign them to managed systems. Before you begin Verify that the products to migrate are supported. Install the Endpoint Migration Assistant extension on the McAfee epo server. Do not allow others to make changes to the objects you are migrating until migration is complete. 22 McAfee Endpoint Security Migration Guide

23 Migrating your settings manually Migrate policies manually 4 Task 1 In McAfee epo, select Menu Policy Endpoint Migration Assistant. 2 For Mode, select Manual migration. 3 For Objects to Migrate, select Policies, then click Next. Only the objects that you have permission to view are listed. 4 Under Available Policies in the left pane, select policy categories for your products. The legacy policies within those categories are listed on the right side of the screen. Best practice: Click View Endpoint Security policy mapping, located at the top of the page, to view policy maps that show where legacy policies migrate in Endpoint Security. a If you select VirusScan Enterprise policies, the Workstation settings are listed by default. To display Server policy settings instead, click Edit, then select an option: Workstation settings Server settings Both Workstation and Server settings b c If a category contains multiple policies, select the name of the policy to migrate from the drop-down list that appears next to the category name. If settings in a selected policy are merging with policies from other categories, the Migration Assistant displays the other categories. For each of these categories: Select the name of the policy to migrate. If you don't want to migrate settings in that category now, select None. If you select None for all the merging categories, no new policy is created for these categories. d If you're migrating similar products from multiple operating system platforms, select or deselect Create Multi-Platform Policy. This checkbox appears only when migrating two or more of these products: VirusScan Enterprise, McAfee Endpoint Security for Mac or McAfee VirusScan for Mac, and VirusScan Enterprise for Linux. Selected The Migration Assistant creates one On-Access Scan policy that can be shared by Windows, macos, and Linux systems. If product settings conflict, Windows settings take precedence over all others, and macos settings take precedence over Linux. On-Access Scan exclusions are merged. This is the default setting. 5 Click Next. Deselected The Migration Assistant creates up to three On-Access Scan policies: migrated VirusScan Enterprise settings for the Windows platform, migrated McAfee Endpoint Security for Mac or McAfee VirusScan for Mac settings, and migrated VirusScan Enterprise for Linux settings. The Migration Assistant displays the source policies on the left side of the screen. At the top of the screen, you see tabs for each Endpoint Security policy to be created. Each tab gives a preview of the new policies created when the selected source policies are migrated. The left pane shows the selected source policies. 6 Click Next to start the manual migration wizard. 7 On the open tab, type a name for the policy, type notes to describe it, and configure its options, then click Next to proceed to the next tab. Repeat this step until you have configured all the selected policies, then click Next. McAfee Endpoint Security Migration Guide 23

24 4 Migrating your settings manually Migrate client tasks manually 8 Review the summary of changes, then click Save to create the new policies and add them to the Policy Catalog. 9 Select whether to migrate more objects. Yes Displays the screen where you can select additional objects to migrate. No Displays the first screen with default settings. Migrate client tasks manually Use manual migration to select the client tasks to migrate. Once the new client tasks are created, assign them to managed systems. Only client tasks for Windows and Linux products are migrated. Before you begin Verify that the products to migrate are supported. Install the Endpoint Migration Assistant extension on the McAfee epo server. Do not allow others to make changes to the objects you are migrating until migration is complete. Task 1 In McAfee epo, select Menu Policy Endpoint Migration Assistant. 2 For Mode, select Manual migration. 3 For Objects to Migrate, select Client Tasks, then click Next. Only the objects that you have permission to view are listed. 4 Under Available Tasks in the left pane, select the task types to migrate. The legacy tasks of that type are listed on the right side of the screen. You can type a name or partial name in the Filter list box at the top of the left pane to filter the listing. a If you have created multiple tasks of the same type, a drop-down list appears next to the task type name. Select the name of the task to migrate. b (Optional) To migrate another task of the same type, click + and select the task from the new drop-down list, then repeat for all the tasks to migrate. This option is available only when another task of the same type exists. 5 Click Next to start the manual migration wizard. At the top of the screen, you see tabs for each Endpoint Security client task to be created. Each tab gives a preview of the new tasks when the selected source tasks are migrated. The left pane shows the selected source task. 6 (Optional) For each new task to create, type a new name and edit settings, if needed. 7 Click Next, review the summary of changes, then click Save to create the new client tasks and add them to the Client Task Catalog. 24 McAfee Endpoint Security Migration Guide

25 Migrating your settings manually Migrate the Host IPS Catalog manually 4 8 Select whether to migrate more objects. Yes Displays the screen where you can select additional objects to migrate. No Displays the first screen with default settings. Migrate the Host IPS Catalog manually Use manual migration to select and migrate the Host IPS Catalog. Migrate the Catalog immediately before migrating the associated policies, to ensure that they remain synchronized. Before you begin Verify that the products to migrate are supported. Install the Endpoint Migration Assistant extension on the McAfee epo server. Do not allow others to make changes to the objects you are migrating until migration is complete. Task 1 In McAfee epo, select Menu Policy Endpoint Migration Assistant. 2 For Mode, select Manual migration. 3 For Objects to Migrate, select Catalog, then click Next. All the items in the Catalog will be migrated. 4 Click Next to start the migration. The Migration Assistant displays a message that a server task is migrating the Catalog. When the migration is complete, the selection screen appears for you to select additional objects to migrate. Verify manually migrated objects Check that objects were migrated successfully before deploying Endpoint Security to managed systems. Before you begin You have used the Endpoint Migration Assistant to manually migrate legacy product settings to Endpoint Security. Task 1 Verify migrated policies. a In McAfee epo, select Menu Policy Policy Catalog. b Select each product module where you migrated policies, then check that the migrated policies were created. McAfee Endpoint Security Migration Guide 25

26 4 Migrating your settings manually How repeated manual migrations are handled 2 Verify migrated client tasks. a In McAfee epo, select Menu Policy Client Task Catalog. b c Select each product module where you migrated client tasks. Select the category for each task you migrated, and verify that the migrated client task was created. 3 Verify the migrated Firewall Catalog. a In McAfee epo, select Menu Policy Firewall Catalog. b Verify that the migrated entries appear in the migrated Firewall Catalog. How repeated manual migrations are handled Manual migration has no effect on objects migrated during a previous migration session. For example, if you migrate some policies for a product module, then migrate the same policies again: The new policies are created in the Policy Catalog. If the target policy name already exists, the Migration Assistant appends a digit to the newer policy name (for example, My Policy, My Policy-1, My Policy-2). The previously migrated policies still appear in the Policy Catalog. If you migrate McAfee Host IPS Firewall policies again, you need to migrate the Host IPS Catalog again. (The Migration Assistant shows the date and time when the Catalog was last migrated, if applicable.) Best practice: Migrate the Host IPS Catalog immediately before the McAfee Host IPS Firewall policies to ensure that they remain synchronized. Manual migration does not retain assignments for migrated objects. You must assign the migrated objects manually. You also must manually delete the objects created during the previous migration session that you no longer want. If you have assigned objects that you created during a previous manual migration session, these assignments are not affected if you migrate the same objects again. 26 McAfee Endpoint Security Migration Guide

27 5 Changes 5 to migrated product settings Endpoint Security includes new policies, categories, options, and default settings that are designed to leverage the latest protection technologies and optimize product performance. During the migration process, legacy settings for policies, options, rules, and tasks might be renamed, removed, or reset to default values, depending on how the features work in Endpoint Security. Some settings are moved to new categories or policies, or merged with other settings. Similar settings from products running on multiple operating system platforms can be migrated to separate, single-platform policies or shared multi-platform policies. Contents McAfee Default policy and product default settings Policy names and notes Multiple-instance policies and tasks Multiple-platform and single-platform policies How policies are merged during migration Migrating VirusScan Enterprise policies to Threat Prevention Migrating IPS Rules to Threat Prevention Migrating Host IPS Firewall policies to Endpoint Security Firewall Migrating SiteAdvisor Enterprise policies to Web Control Migrating legacy Mac policies to Threat Prevention Migrating legacy Linux policies to Threat Prevention McAfee Default policy and product default settings The McAfee Default policy does not migrate. If you currently use the McAfee Default policy for legacy products, the Migration Assistant assigns the new Endpoint Security McAfee Default policy. If a source policy with default settings (McAfee Default, My Default (unedited), or Typical Corporate Environment) is assigned to any group or managed system, the Migration Assistant assigns the new Endpoint Security McAfee Default policy during automatic migration. Policy names and notes The Endpoint Migration Assistant uses these general conventions for naming migrated Endpoint Security policies and creating policy notes. You can edit the policy names and notes before saving the new policies or after they are created. Policy names Automatic migration McAfee Endpoint Security Migration Guide 27

28 5 Changes to migrated product settings Policy names and notes Migrated policy type Target policy name Examples Single product migration One-to-one policy migration One-to-multiple policy migration Migrated [legacy product abbreviation] Policy-[n] where: Legacy product abbreviation is VSE, HIPS, SAE, EPM, or VSELinux. n is incremented each time a new policy is migrated for the same module. Migrated VSE Policy Migrated VSE Policy-1 Migrated VSE Policy-2 Migrated HIPS Policy Migrated HIPS Policy-1 Migrated SAE Policy Migrated EPM Policy Migrated VSELinux Policy Multiple product migration (includes multi-platform policies) Multiple-to-one policy migration Common Options Merged Policy-[n] where n is incremented each time a new policy of the same type is migrated. Merged Policy-[n] where n is incremented each time a new Common Options policy is created. Merged Policy Merged Policy-1 Merged Policy-2 Merged Policy Merged Policy-1 Merged Policy-2 Manual migration Migrated policy type Target policy name Examples One-to-one or one-to-multiple policy migration Same as the source name. If the target policy name already exists, the Migration Assistant appends a digit that is incremented each time a new policy is created using that name. You can type a different policy name before saving the new policy. My Policy My Policy-1 My Policy-2 Multiple-to-one policy migration Multi-platform policy You must specify a name for the target policy. You must specify a name for the target policy. Policy and task notes During migration, the Migration Assistant creates notes that include the name (and type, if applicable) of the source policy or task, the migration date and time, and the name of the user who migrated the policy or task. 28 McAfee Endpoint Security Migration Guide

29 Changes to migrated product settings Multiple-instance policies and tasks 5 For example: Source: VirusScan Enterprise Access Protection Policies > My Default; Type: Server; 6/20/ PM - Automatic Migration; User: admin Multiple-instance policies and tasks Multiple-instance policies and client tasks, also known as multi-slot, allow you to assign more than one instance of a policy or client task to a managed system, resulting in one combined, effective policy. Multiple-instance policies Multiple-instance policies from different legacy products migrate differently. McAfee Host IPS Multiple-instance policies from one or more source policies are merged into one target policy for the respective policy type. Table 5-1 How multiple-instance McAfee Host IPS policies are migrated Source policies Target product module Target policy IPS Rules Threat Prevention Access Protection and Exploit Prevention General (Trusted Applications) Threat Prevention Access Protection Firewall Options (Trusted Applications) SiteAdvisor Enterprise Multiple-instance SiteAdvisor Enterprise policies are migrated to separate instances of the target policies. Table 5-2 How multiple-instance SiteAdvisor Enterprise policies are migrated Source policies Target product module Target policy Prohibit List and Authorize List Web Control Block and Allow List Content Actions Web Control Content Actions Multiple-instance client tasks Multiple-instance client tasks migrate to separate instances of target client tasks. Table 5-3 How multiple-instance client tasks are migrated Source product module VirusScan Enterprise VirusScan Enterprise for Linux Source client tasks On-Demand Scan and Restore From Quarantine Target product module Threat Prevention Target client tasks Custom On-Demand Scan Custom Restore From Quarantine On-Demand Scan Threat Prevention Custom On-Demand Scan SiteAdvisor Enterprise Send Web Reporter Web Control Send Web Reporter Logs Inheritance for migrated settings Multiple-instance policies obey the McAfee epo laws of inheritance within a System Tree. See the McAfee epo documentation for more information. McAfee Endpoint Security Migration Guide 29

30 5 Changes to migrated product settings Multiple-platform and single-platform policies Multiple-platform and single-platform policies During manual migration, you can select whether to migrate settings from different operating system platforms to separate policies or merge them into one policy for multiple platforms. Table 5-4 Migration for settings from multiple operating system platforms When you select these products to migrate... The Migration Assistant creates these Threat Prevention policies... Create Multi-Platform Policy selected Create Multi-Platform Policy deselected VirusScan Enterprise McAfee Endpoint Security for Mac VirusScan Enterprise VirusScan Enterprise for Linux VirusScan Enterprise McAfee Endpoint Security for Mac VirusScan Enterprise for Linux McAfee Endpoint Security for Mac VirusScan Enterprise for Linux One On-Access Scan policy for Windows and Mac systems Merged on-access scan exclusions For duplicate or conflicting settings, Windows settings take precedence over Mac settings. One On-Access Scan policy for Windows and Linux systems One Options policy for Windows and Linux systems Merged on-access scan exclusions For duplicate or conflicting settings, Windows settings take precedence over Linux settings. One On-Access Scan policy for Windows, Mac, and Linux systems One Options policy for Windows and Linux systems Merged on-access scan exclusions For duplicate or conflicting settings, Windows settings take precedence over other settings. One On-Access Scan policy for Mac and Linux systems One Options policy for Linux systems Merged on-access scan exclusions For duplicate or conflicting settings, Mac settings take precedence over Linux settings. Two On-Access Scan policies: One for Windows systems One for Mac systems Separate on-access scan exclusions Two On-Access Scan policies: One for Windows systems One for Linux systems Two Options policies: One for Windows systems One for Linux systems Separate on-access scan exclusions Three On-Access Scan policies: One for Windows systems One for Mac systems One for Linux systems Two Options policies: One for Windows systems One for Linux systems Separate on-access scan exclusions Two On-Access Scan policies: One for Mac systems One for Linux systems One Options policy for Linux systems Separate on-access scan exclusions Automatic migration creates multi-platform target policies. You must use manual migration to create single-platform policies. 30 McAfee Endpoint Security Migration Guide

31 Changes to migrated product settings How policies are merged during migration 5 How policies are merged during migration Sometimes, source policies from one or more legacy products are merged into a single target policy. Table 5-5 Policies merged during migration to Threat Prevention Source product module Source policies Threat Prevention policy VirusScan Enterprise Quarantine Manager Unwanted Programs Options VirusScan Enterprise for Linux VirusScan Enterprise McAfee Endpoint Security for Mac VirusScan Enterprise for Linux On-Access Scanning High-Risk Processes Low-Risk Processes On-Access Default Processes On-Access General Anti-malware (on-access scan settings) On-Access Scanning On-Access Scan VirusScan Enterprise Access Protection Access Protection McAfee Host IPS (Windows and Linux) IPS Rules IPS Protection General (Trusted Applications) Automatic migration only VirusScan Enterprise Buffer Overflow Protection Exploit Prevention McAfee Host IPS IPS Rules IPS Protection Table 5-6 Policies merged during migration to Firewall Source product module Source policies Firewall policy McAfee Host IPS Firewall (Options and DNS Blocking) General (Trusted Applications, Trusted Networks, and Client UI) Options McAfee Endpoint Security Migration Guide 31

32 5 Changes to migrated product settings How policies are merged during migration Table 5-7 Policies merged during migration to Web Control Source product module Source policies SiteAdvisor Enterprise Content Actions Rating Actions Authorize List Hardening Content Actions Rating Actions Authorize List Prohibit List Enable or Disable Event Tracking General (some settings) Web Control policy Content Actions Options Block and Allow List Migrating legacy settings to the Common Options policy Features shared by multiple product modules reside in the Common (Endpoint Security Platform) module, which is installed with other Endpoint Security product modules. Settings for these shared features are defined in the Options policy for the Common module. Figure 5-1 Legacy settings migrated to the Common Options policy The Migration Assistant migrates legacy settings for these policy categories to the Common Options policy. 32 McAfee Endpoint Security Migration Guide

33 Changes to migrated product settings How policies are merged during migration 5 Table 5-8 Legacy settings migrated to the Common Options policy Source settings VirusScan Enterprise Alert policy VirusScan Enterprise Access Protection policy, Common Standard Protection category VirusScan Enterprise General Options policy, Display Options category Host Intrusion Prevention General policy, Client UI category: Client UI language setting Firewall logging SiteAdvisor Enterprise General policy, Proxy Server tab Migrated Common Options policy categories Client Logging Self Protection Client Interface Language (Windows only) Managed Tasks (Windows only) Client Interface Language (Windows only) Client Logging Proxy Server for McAfee GTI (Windows only) Enable HTTP proxy authentication McAfee Endpoint Security Migration Guide 33

34 5 Changes to migrated product settings Migrating VirusScan Enterprise policies to Threat Prevention Migrating VirusScan Enterprise policies to Threat Prevention This overview shows where migrated policy settings for McAfee VirusScan Enterprise appear in Endpoint Security policies. Figure 5-2 Where VirusScan Enterprise settings migrate Migration notes for VirusScan Enterprise settings During the migration process to Endpoint Security 10.6, the Endpoint Migration Assistant adjusts the migrated settings in your target policies to address differences between the legacy product and the new product. Therefore, some of the target policy settings don't match your legacy settings. Client tasks that are migrated Custom scheduled On-Demand Scan and Restore From Quarantine client tasks are migrated to the Client Task Catalog. 34 McAfee Endpoint Security Migration Guide

35 Changes to migrated product settings Migrating VirusScan Enterprise policies to Threat Prevention 5 These are multiple-instance tasks. Each instance of the source task migrates to a separate instance of the client task in Threat Prevention. Workstation and server settings In VirusScan Enterprise, policies include settings for servers and workstations. For Threat Prevention policies, you must specify which type of settings to migrate: Workstation, Server, or Workstation and Server. The default is Workstation. If you migrate only workstation or server policies, you can migrate the other policies manually at a later time. If you migrate both types of policies, the number of target assignments might increase, depending on your System Tree structure. If a group contains both workstations and servers, the policy assigned to the greatest number of systems is assigned to the group, and the policy assigned to fewer systems is assigned to individual systems within the group as needed. Best practice: To minimize the number of assignments, place workstations and servers in separate groups. Quarantine folder The path for the quarantine folder is limited to 190 characters, but VirusScan Enterprise allowed 256 characters. During client migration, if the migrated quarantine folder path contains more than 190 characters, the path automatically reverts to the default location, <SYSTEM_DRIVE>\Quarantine. Access Protection port-blocking rules Endpoint Security Firewall provides more advanced port-blocking capabilities than the predefined Access Protection rules for VirusScan Enterprise 8.8. Access Protection port-blocking rules, either predefined or user-defined, are not migrated. User-added inclusions and exclusions for predefined rules are also not migrated. If you want to continue using legacy rules that don't migrate from VirusScan Enterprise, you can create firewall rules in Endpoint Security Firewall to replicate their behavior. You can create firewall rules to: Define the same behavior as one or more of the predefined Access Protection port-blocking rules. Block the same ports as one or more custom Access Protection port-blocking rules. See the Creating Firewall rules to replace Access Protection port-blocking rules appendix for more information. Self Protection settings When you migrate Access Protection rules (except port-blocking rules): Self Protection settings move from the Access Protection policies to the Common Options policy. Self Protection is enabled by default, regardless of the legacy setting. McAfee Endpoint Security Migration Guide 35

36 5 Changes to migrated product settings Migrating VirusScan Enterprise policies to Threat Prevention User-defined exclusions configured for each legacy product module are migrated as global exclusions for Endpoint Security. User-defined exclusions for three predefined rules in the Common Standard Protection category are migrated as global Self Protection exclusions in the Common Options policy: User-defined exclusions for this legacy rule Prevent modification of McAfee files and settings Prevent termination of McAfee processes Prevent hooking of McAfee processes Migrate to the Self Protection exclusions for Processes Processes Processes Best practice: Review your exclusions after migration, then revise or remove them as needed. Also review exclusions configured for any third-party applications to access VirusScan Enterprise registry or file locations, because these locations have changed in Endpoint Security. Exploit Prevention (Buffer Overflow Protection) In Endpoint Security, Buffer Overflow Protection settings are renamed Exploit Prevention. After migration, the protection level for Exploit Prevention is set to the default Standard Protection, which detects and blocks only high-severity buffer overflow exploits identified in the Exploit Prevention content file and stops the detected threat. Best practice: Use this setting for a limited time only, then review the log file during that time to determine whether to change to Maximum Protection. Scan exclusions for root-level folders Threat Prevention supports the exclusion of root-level folders from on-access scan and on-demand scans if the path starts with wildcard characters such as "?" or '"/". Threat Prevention supports the following exclusion patterns, and the Migration Assistant does not change them during migration: Environmental variables Patterns that begin with % (for example, %systemroot%\test\ ) UNC paths Patterns that begin with \\ (for example, \\Test ) Full paths Patterns that include an absolute drive designator (for example, C:\Test\ ) Patterns that begin with **\ Patterns that begin with a single wildcard character (for example, use?:\test, *:\test, *\test, or \test to exclude C:\test, D:\test, and E:\test. Migrating unsupported characters in exclusions The Migration Assistant migrates exclusion rules in VirusScan Enterprise to Access Protection rules in Threat Prevention. In exclusion rules, VirusScan Enterprise allows the semi-colon ( ; ) character to separate include and exclude processes. The Migration Assistant recognizes only the comma (, ) character to separate include and exclude processes. When you migrate an exclusion rule that uses ; to separate multiple include and exclude processes, the Migration Assistant migrates them as a single process. The result is that migrated policies do not contain all the exclusions that were in the original policy. Example 36 McAfee Endpoint Security Migration Guide

37 Changes to migrated product settings Migrating VirusScan Enterprise policies to Threat Prevention 5 In the source policy, two executable files are excluded. They are separated by a ; instead of a, character. \users\*\appdata\roaming\*.exe ; *\Documents and Settings\*Application Data\*.exe* The Migration Assistant does not recognize the ; character. It migrates both files as a single exclusion. As a result, the migrated policy does not exclude either file. You can correct this issue in any of these ways: 1 Before migration Review source VirusScan Enterprise policies. Locate unsupported ; characters and change them to, before migrating. 2 During manual migration The Migration Assistant notifies you that one or more policies have unsupported characters. You have the opportunity to cancel the migration, revise the policies in VirusScan Enterprise, then begin manual migration again. 3 After migration Edit your migrated policies to replace each ; character with a, character. McAfee Endpoint Security Migration Guide 37

38 5 Changes to migrated product settings Migrating VirusScan Enterprise policies to Threat Prevention Merging on-access scan settings from Windows, Mac, and Linux On-access scan settings from supported Mac and Linux products also migrate to the On-Access Scan and Options policies in Threat Prevention. These migrated policies can be multi-platform or single-platform. Figure 5-3 Migrating on-access scan settings from Windows, Mac, and Linux 38 McAfee Endpoint Security Migration Guide

39 Changes to migrated product settings Migrating IPS Rules to Threat Prevention 5 Migrating IPS Rules to Threat Prevention This overview shows where migrated settings for the IPS Rules and IPS Protection policies from McAfee Host IPS appear in Endpoint Security policies. Figure 5-4 Where IPS Rules settings migrate Migration notes for IPS Rules settings During the migration process to Endpoint Security, the Endpoint Migration Assistant moves your migrated IPS Rules and IPS Protection policy settings into Threat Prevention policies. See the IPS Rules migration appendix for more information about how IPS Rules are migrated to Endpoint Security policies. Policy settings that are migrated These settings are migrated: IPS signatures (Windows and Linux) IPS Application Protection rules (Windows and Linux) IPS exceptions (Windows and Linux) IPS Expert rules IPS signatures The Severity level and Log status settings from the IPS Rules policy merge with the Reaction setting from the IPS Protection policy to determine the Block/Report settings for migrated Rules in Threat Prevention. IPS custom signatures IPS custom signatures with IDs in the range migrate to Access Protection custom rules. IPS custom signature subrules for files, registry, programs, and services migrate. Each subrule of a signature migrates as an individual Access Protection custom rule in Threat Prevention. The same signature settings (name, severity, notes, and description) migrate to all rules created in Threat Prevention for all IPS subrules of the signature. A signature name is required. If a signature doesn't have name, the rules using the signature don't migrate. McAfee Endpoint Security Migration Guide 39

40 5 Changes to migrated product settings Migrating IPS Rules to Threat Prevention IPS McAfee-defined signatures All McAfee-defined signatures supported in the Threat Prevention Exploit Prevention policy are migrated. Most of these are Buffer Overflow and Illegal API Usage signatures. Application Protection Rules Excluded applications from Application Protection rules migrate to the Exploit Prevention policy as Application Protection rules. User-defined Application Protection rules for included processes in McAfee Host IPS are not migrated to Exploit Prevention. Exception Rules Exception Rules from the IPS Rules policy migrate to the Access Protection and Exploit Prevention policies as executables under Exclusions. Source Exception Signature type Target Endpoint Security policy Executables, Caller module, and API Executables and Parameters All McAfee-defined signatures supported in the Threat Prevention Exploit Prevention policy (for example, Buffer Overflow and Illegal API Usage signatures) FILE/REGISTRY/PROGRAM/SERVICE signatures Exploit Protection Access Protection Executables No signature Access Protection Exploit Protection Target setting Exclusions Executables and subrule Parameters Global Exclusions GPEP (General Privilege Escalation Prevention) signature Severity/reaction signature (ID 6052) Exploit Protection Enable General Privilege Escalation Prevention Exception Rules with signatures IPS Exceptions can include custom signatures. The executables and parameters from exceptions are appended to the Endpoint Security Access Protection Rule created during signature migration. If all McAfee-defined signatures are added to a subrule exception, the exception migrates as a global exclusion in the Access Protection and Exploit Prevention policies. IPS Expert Rules Expert Rules, created as a subrule in the IPS Rules policy to protect system resources, migrate to the Threat Prevention Exploit Prevention policy. Exploit Prevention uses two different McAfee Technologies in Expert Rules to manage the control of these resources: McAfee Host IPS-based rules Prevent buffer overflow and illegal API use, and protects Windows Services. Arbitrary Access Control (AAC) rules Protect files, processes, and registry items. Therefore, some Expert Rules defined in Host IPS do not migrate to Endpoint Security and must be re-created using the AAC syntax. 40 McAfee Endpoint Security Migration Guide

41 Changes to migrated product settings Migrating IPS Rules to Threat Prevention 5 Resource protected (legacy Class type) Services (valid for Windows 8.0 and earlier) Buffer Overflow Illegal API Migrated? Notes Yes No additional action required. Migrated with the source policy where they appear. File No Re-create the rules using AAC syntax. Registry Program No Re-create the rule with a class type of Process using AAC syntax. For more information about Expert Rules and the McAfee proprietary syntaxes, see PD Merging Access Protection and Buffer Overflow Protection settings Access Protection, Buffer Overflow Protection, and IPS Rules policy settings from VirusScan Enterprise and McAfee Host IPS migrate to two Threat Prevention policies and the Endpoint Security Common policy. These policy types are migrated to the Access Protection policy in Threat Prevention: McAfee Host IPS IPS Rules (Windows and Linux) McAfee Host IPS Trusted Applications (Automatic migration only) (Windows and Linux) VirusScan Enterprise Access Protection These policy types are migrated to the Exploit Prevention policy in Threat Prevention: McAfee Host IPS IPS Rules (Windows and Linux) VirusScan Enterprise Buffer Overflow Protection The IPS Rules policy is a multiple-instance policy. All source instances of the IPS Rules policy are merged and migrated to a single Access Protection policy and a single Exploit Prevention policy in Threat Prevention. McAfee Endpoint Security Migration Guide 41

42 5 Changes to migrated product settings Migrating IPS Rules to Threat Prevention For more information, see the IPS Rules migration and Changes to migrated settings appendixes. Figure 5-5 Migrating Access Protection and Buffer Overflow Protection settings from legacy products Trusted Applications (Windows and Linux) Automatic migration moves settings from Trusted Applications in the McAfee Host IPS General policies to the Access Protection policy in Threat Prevention. Trusted applications where Trusted for IPS is enabled migrate. Trusted applications where Trusted for Firewall is enabled do not migrate. If you migrate settings manually, you need to add the settings from Trusted Applications to the migrated Access Protection policy. 42 McAfee Endpoint Security Migration Guide

43 Changes to migrated product settings Migrating Host IPS Firewall policies to Endpoint Security Firewall 5 Migrating Host IPS Firewall policies to Endpoint Security Firewall This overview shows where migrated policy settings for the Firewall and General policy options from McAfee Host IPS appear in Endpoint Security policies. Only settings for the Firewall and General policies migrate to Endpoint Security Firewall. You can continue to manage McAfee Host Intrusion Prevention as a separate extension, with its remaining policy settings in effect, or you can migrate its policy settings to Threat Prevention policies. Figure 5-6 Where Host IPS Firewall settings migrate McAfee Endpoint Security Migration Guide 43

44 5 Changes to migrated product settings Migrating Host IPS Firewall policies to Endpoint Security Firewall Migration notes for McAfee Host IPS Firewall settings During the migration process to Endpoint Security 10.6, the Endpoint Migration Assistant adjusts the migrated settings in your target policies to address differences between the legacy product and the new product. Therefore, some of the target policy settings don't match your legacy settings. Policy settings that are migrated Only policy types from the Firewall and General policies that apply to the Endpoint Security Firewall are migrated: Client UI DNS Rules Trusted Applications Firewall Rules Trusted Networks Firewall Options Multiple-instance policies Trusted Applications policies are multiple-instance policies. When you migrate them, they are merged into one target policy for the policy type. These changes occur when you migrate Trusted Applications policies: For all the source instances that have the McAfee Host IPS Firewall enabled, trusted executables are appended to the Trusted Executables list in the target Firewall Options policy. If there is a default policy (McAfee Default, My Default (unedited), or Typical Corporate Environment) in any instance of the source policies, the Migration Assistant adds Endpoint Security McAfee Default values to the Endpoint Security target policy. Host IPS Catalog migration When migrating manually, the best practice is to migrate the Host IPS Catalog immediately before the Host Intrusion Prevention Firewall policies. This ensures that they remain synchronized. If Firewall policy settings change after migrating the Catalog, migrate the Catalog again, then migrate the policies. The Migration Assistant displays the date and time when the catalog was last migrated, if applicable, next to the option to migrate the catalog. Firewall Rules and Trusted Networks The Trusted Networks Trust for IPS setting in McAfee Host IPS does not correspond directly to a setting in Endpoint Security Firewall policies. 44 McAfee Endpoint Security Migration Guide

45 Changes to migrated product settings Migrating Host IPS Firewall policies to Endpoint Security Firewall 5 Table 5-9 How trusted networks are migrated Product McAfee Host IPS Firewall Endpoint Security Firewall What you need to know How legacy feature works: IP addresses become "trusted" only after they are applied to firewall rules that "allow" them. How policy setting is migrated: IP addresses that were formerly listed under Trusted Networks Trust for IPS migrate as Defined Networks Not trusted in the target Firewall Options policy. You can set them to trusted there. How new Defined Networks feature works: All traffic is allowed to Defined Networks that are labeled Trusted in the target Firewall Options policy. Add IP addresses that you want to treat as trusted networks. How to configure migrated policy setting: Configure traffic to the IP addresses that were migrated as Not trusted by associating them with firewall rules in the Firewall Rules policy. See the Endpoint Security Firewall product documentation for more information. McAfee Endpoint Security Migration Guide 45

46 5 Changes to migrated product settings Migrating SiteAdvisor Enterprise policies to Web Control Migrating SiteAdvisor Enterprise policies to Web Control This overview shows where migrated policy settings for McAfee SiteAdvisor Enterprise appear in Endpoint Security policies. Figure 5-7 Where SiteAdvisor Enterprise settings migrate Migration notes for SiteAdvisor Enterprise settings During the migration process to Endpoint Security 10.6, the Endpoint Migration Assistant adjusts the migrated settings in your target policies to address differences between the legacy product and the new product. Therefore, some of the target policy settings don't match your legacy settings. Multiple-instance client tasks The SiteAdvisor Enterprise Send Web Reporter client task is a multiple-instance task. Each instance of the source task migrates to a separate instance of the Send Web Reporter Logs client task in Web Control. 46 McAfee Endpoint Security Migration Guide

47 Changes to migrated product settings Migrating SiteAdvisor Enterprise policies to Web Control 5 Multiple-instance policies The SiteAdvisor Enterprise Content Actions, Authorize List, and Prohibit List policies are multiple-instance policies. Each instance of the source policies migrates to a separate instance of the target policies. Content Actions Settings from Content Actions (multiple-instance policy) and Rating Actions (single-instance policy) migrate to the Web Control Content Actions policy. The first (and only) instance of Rating Actions and the first instance of Content Actions migrate to the first instance of the target policy. If there are multiple instances of Content Actions in SiteAdvisor Enterprise, each migrates to a separate instance of the target policy. If any instance of a source policy is a default policy (My Default (unedited) or McAfee Default), the Endpoint Security McAfee Default instance is used for that instance of the target policy. Authorize List and Prohibit List Settings from Authorize List and Prohibit List policies migrate to the Web Control Block and Allow List policy. The first instances of Authorize List and Prohibit List migrate to the first instance of the target policy. If there are multiple instances of the source policies, they migrate to successive instances of the target policy. If one source policy has more instances than another, only those instances continue to migrate to new instances of the target policy. McAfee Endpoint Security Migration Guide 47

48 5 Changes to migrated product settings Migrating SiteAdvisor Enterprise policies to Web Control 48 McAfee Endpoint Security Migration Guide

49 Changes to migrated product settings Migrating legacy Mac policies to Threat Prevention 5 Migrating legacy Mac policies to Threat Prevention This overview shows where migrated policy settings for McAfee Endpoint Security for Mac appear in Endpoint Security policies. The On-access Scan settings and exclusions configured in the Anti-malware policy migrate to the Threat Prevention On-AccessScan policy. You can migrate the settings to a single-platform Mac policy or a multi-platform policy shared by Windows, Mac, and Linux systems. Figure 5-8 Where McAfee Endpoint Security for Mac settings migrate Migration notes for McAfee Endpoint Security for Mac settings During the migration process to Endpoint Security for Mac, the Endpoint Migration Assistant moves your migrated settings into a Threat Prevention policy. Policy settings that are migrated Only On-access Scan settings and exclusions from the Anti-malware policy are migrated. They are migrated to the On-Access Scan policy in Threat Prevention. On-Access Scan exclusions are always migrated. If you are migrating VirusScan Enterprise settings, they take precedence over McAfee Endpoint Security for Mac settings. Duplicate macos settings are not migrated. If you are not migrating VirusScan Enterprise settings, additional settings are migrated from McAfee Endpoint Security for Mac. License check The Migration Assistant checks for a Threat Prevention macos License extension. If the license is absent, macos migration options are not available for automatic or manual migration. McAfee Endpoint Security Migration Guide 49

50 5 Changes to migrated product settings Migrating legacy Mac policies to Threat Prevention Multiple-platform or single-platform policies When you migrate McAfee Endpoint Security for Mac along with Windows or Linux products, the target Threat Prevention On-Access Scan policy can define settings for one or more operating system platforms. During automatic migration One merged (multi-platform) policy is created for all the platforms being migrated. During manual migration Specify whether to create one merged (multi-platform) policy or separate (single-platform) policies. Select Create Multi-Platform Policy to create one policy that contains settings for all the platforms being migrated (for example, Mac, Windows, and Linux). Deselect Create Multi-Platform Policy to create separate On-Access Scan policies: one with migrated McAfee Endpoint Security for Mac settings for the Mac platform, and others with settings for Windows or Linux. Responses to detections In response to threat and unwanted program detections, Endpoint Security for Mac lets you specify these actions: Clean, Quarantine, and Delete. You can specify a primary action and a secondary action (to perform only if the primary action fails). However, the Quarantine option isn't available in Threat Prevention. Therefore, these changes occur to the response settings during migration to the On-Access Scan policy in Threat Prevention. The Quarantine option migrates to Delete. Exception: If Quarantine and Delete are selected as the primary and secondary actions in Endpoint Security for Mac, the secondary response migrates to Deny. 50 McAfee Endpoint Security Migration Guide

51 Changes to migrated product settings Migrating legacy Linux policies to Threat Prevention 5 Migrating legacy Linux policies to Threat Prevention This overview shows where migrated policy settings for McAfee VirusScan Enterprise for Linux appear in Endpoint Security policies. The on-access scan exclusions and other settings configured in the On-Access Scanning policy migrate to the Threat Prevention On-Access Scan and Options policies. You can migrate the settings to a single-platform Linux policy or a multi-platform policy shared by Windows, Mac, and Linux systems. Figure 5-9 Where McAfee VirusScan Enterprise for Linux settings migrate Migration notes for VirusScan Enterprise for Linux settings During the migration process to Endpoint Security for Linux, the Endpoint Migration Assistant moves your migrated settings into a Threat Prevention policy. You can manage systems running Endpoint Security for Linux with the Endpoint Security Threat Prevention extension in McAfee epo. Endpoint Security Firewall and Web Control are not supported for Linux. Policy settings that are migrated Only settings from the On-Access Scanning policy are migrated. On-Access Scan exclusions are always migrated. If you are migrating VirusScan Enterprise or McAfee Endpoint Security for Mac settings, they take precedence over VirusScan Enterprise for Linux settings. Duplicate Linux settings are not migrated. If you are not migrating VirusScan Enterprise or McAfee Endpoint Security for Mac settings, additional settings are migrated from VirusScan Enterprise for Linux. McAfee Endpoint Security Migration Guide 51

52 5 Changes to migrated product settings Migrating legacy Linux policies to Threat Prevention Client tasks that are migrated Custom scheduled On-Demand Scan client tasks are migrated to the Client Task Catalog. On-Demand Scan tasks are multiple-instance tasks. Each instance of the source task migrates to a separate instance of the client task in Threat Prevention. License check The Migration Assistant checks for a Threat Prevention Linux License extension. If the license is absent, Linux migration options are not available for automatic or manual migration. Multiple-platform or single-platform policies When you migrate VirusScan Enterprise for Linux with Windows or Mac products, the target Threat Prevention policies can define settings for one or more operating system platforms. During automatic migration Two merged (multi-platform) policies are created for all platforms being migrated. One On-Access Scan for Windows, Mac, and Linux systems. One Options policy for Windows and Linux systems. During manual migration Specify whether to create merged (multi-platform) policies or separate (single-platform) policies. Select Create Multi-Platform Policy to create one On-Access Scan policy and one Options policy that contain settings for all platforms being migrated (for example, Windows and Linux). Deselect Create Multi-Platform Policy to create an On-Access Scan policy and an Options policy with only migrated VirusScan Enterprise for Linux settings, then create separate policies with settings for Windows or Mac. Scan exclusions Endpoint Security for Linux does not support regular expressions as scan exclusions. If regular expressions do migrate successfully from VirusScan Enterprise for Linux, Endpoint Security for Linux ignores them. 52 McAfee Endpoint Security Migration Guide

53 A Troubleshooting Contents Error messages Resolving blocked applications with Adaptive mode Error messages Error messages are displayed by programs when an unexpected condition occurs that can't be fixed by the program itself. Use this list to find an error message, an explanation of the condition, and any action you can take to correct it. Table A-1 Migration Assistant error messages Message Description Solution There are no products installed that can be migrated. An Endpoint Security Migration server task is running and must be completed before continuing. You can migrate only the settings that you have permission to view. You can't begin another migration until the server task is complete. Check your permissions and update them if needed. Wait until the server task is complete, then begin another migration. Resolving blocked applications with Adaptive mode If applications aren't working correctly after migrating your Firewall policies, enable Adaptive mode to resolve the issues. Adaptive mode allows Endpoint Security Firewall to create client rules automatically, so that necessary applications and websites are not blocked while preserving minimum protection against vulnerabilities. Adaptive mode analyzes events, then if the activity is considered regular and needed for business, Firewall creates client rules. By enabling Adaptive mode, you can gather the information you need for tuning your protection settings. You can then convert client rules to server-mandated policies. When tuning is complete, turn off Adaptive mode. Best practice: To be fully protected by Firewall, turn off Adaptive mode after updating your policies. McAfee Endpoint Security Migration Guide 53

54 A Troubleshooting Resolving blocked applications with Adaptive mode You can enable Adaptive mode in these ways: From McAfee epo In the Firewall Options settings, then apply this policy to the client. From Endpoint Security Client In the Firewall Options settings. Best Practice: For information about troubleshooting blocked third-party applications, see KB To resolve problems with the McAfee Host IPS Firewall blocking applications, see KB McAfee Endpoint Security Migration Guide

55 B IPS Rules migration Endpoint Security uses the logic described in this appendix to configure migrated settings from the IPS Rules and IPS Protection policies in McAfee Host IPS. Settings migrate to the Access Protection and Exploit Prevention policies in Threat Prevention. Contents Signature-level settings in migrated IPS Rules Subrule-level settings in migrated IPS Rules Exceptions Application Protection Rules Signature-level settings in migrated IPS Rules Signature-level settings migrate to Access Protection Rules according to these guidelines. Signature-level settings include Block and Report, Notes, and Rule Name. Endpoint Security for Linux supports a subset of these operations. Migrated Block and Report settings (Windows and Linux) Endpoint Security uses these legacy settings in McAfee Host IPS to determine the Block and Report settings under Rules in the target Access Protection policies: IPS Rules: Signature tab Severity and Log status IPS Protection Reaction To determine the Block setting for the migrated target policy, the Migration Assistant: 1 Reads the source signature Severity setting from the IPS Rules policy. The possible values are High, Medium, Low, Informational, and Disabled. 2 From the IPS Protection policy, reads the Reaction setting for the corresponding severity. For example, if Severity is set to Medium, it reads the Reaction setting value for Medium. 3 If the Reaction value is Prevent, the Block setting is Enabled. Otherwise, it is Disabled. 4 If Severity is Disabled, both Report and Block settings are Disabled. Endpoint Security determines the migrated Report setting as follows: McAfee Endpoint Security Migration Guide 55

56 B IPS Rules migration Subrule-level settings in migrated IPS Rules Source IPS Rules policy: Log status setting Source IPS Protection policy: Reaction setting Enabled Prevent or Log Enabled Enabled Ignore Disabled Disabled N/A Disabled Target Access Protection policy: Report setting Notes Source Notes and Description data merges and migrates to the Notes section of the Endpoint Security Rule, using this format: Notes: <IPS Notes section>; Description: <IPS Description section> Rule Name The source signature name and subrule name merge and migrate to the Endpoint Security Rule name, using this format: <IPS Signature name>_<ips Subrule name> Settings that don't migrate Settings for Signature ID, Type, and Client rules don't migrate. Subrule-level settings in migrated IPS Rules Subrules migrate to Access Protection policies according to these guidelines. General migration guidelines Only Standard subrules migrate. Expert subrules don't migrate. The signature subrule name is required. It migrates to the subrule name. Subrules with these Rule types migrate: Files, Registry, Programs, and Service. Endpoint Security for Linux supports only the Files Rule type. Subrules with a Rule type of Registry can have a parameter for Registry (Key) and Registry (Value). Its value determines where these subrules migrate in the Access Protection policy. Rules with a Registry (Key) parameter migrate to a Registry Key type rule. Rules with a Registry (Value) parameter migrate to a Registry Value type rule. Rules with both parameters do not migrate. Most operations migrate directly to the corresponding equivalent for their type. Special cases are described in the following sections. If source data is null or missing, it doesn't migrate. Files subrules (Windows and Linux) File parameter data is required. Subrules must have at least one parameter to migrate. The Destination file parameter migrates only when Rename Operation is enabled. Endpoint Security for Linux also supports the Rename, Symlink, and Hardlink operations. 56 McAfee Endpoint Security Migration Guide

57 IPS Rules migration Subrule-level settings in migrated IPS Rules B The User name parameter from the IPS subrule migrates to the User Names section in the target Rule. (Windows only) The Drive type parameter migrates to the target subrule parameters list Drive Type as follows: CD or DVD migrates to CD/DVD. Floppy migrates to Floppy. OtherRemovable or USB migrates to Removable. HardDrive migrates to Fixed. Network migrates to Network. Registry subrules (Windows only) Registry parameter data is required. Subrules must have a least one parameter to migrate. If one subrule has parameters for both Registry (Key) and Registry (Value), the subrule doesn't migrate. The User name parameter from the IPS subrule migrates to the User Names section in the target Rule. Endpoint Security doesn't support the Registry Value Operation setting for Enumerate. If only this operation is defined for a registry subrule, the subrule doesn't migrate. Programs subrules (Windows only) Program parameter data is required. Subrules must have a least one parameter to migrate. User name moves up to the rule level in Endpoint Security. Caller module doesn't migrate. Target Executable migrates to Process. If the source subrule doesn't specify a value for Target Executable, it doesn't migrate. Endpoint Security doesn't support the Operation setting for Open with Access to wait. If only this operation is defined for a program subrule, the subrule doesn't migrate. Service subrules (Windows only) Service parameter data is required. Subrules must have a least one parameter to migrate. User name moves up to the rule level in Endpoint Security. Display name and Service name migrate to subrule. Executables (Windows and Linux) Executables in Files, Registry, and Programs subrules migrate to Rule-level executables. Endpoint Security for Linux supports only executables in Files subrules and only executables based on names. Fingerprint migrates to MD5 hash. Signer migrates. File Description doesn't migrate. (Windows only) Target Executable migrates to Process. If the source subrule doesn't specify a value for Target Executable, it doesn't migrate. McAfee Endpoint Security Migration Guide 57

58 B IPS Rules migration Exceptions Exceptions IPS Exception Rules migrate to Access Protection and Exploit Prevention policies according to these guidelines. Exceptions can have custom signatures, McAfee-defined (canned) signatures, a mixture of both types, or no signature. Custom signature exceptions migrate to the Access Protection policy. McAfee-defined exceptions migrate to the Exploit Prevention policy. Global exceptions migrate to both policies. Custom signature exceptions (Files/Registry/Programs/Service) Exceptions with custom signatures migrate to the Access Protection Rules that were created during IPS Signature migration. Endpoint Security for Linux supports only the Files type subrules. Executables from IPS Exceptions that have custom Files/Registry/Programs/Service signatures migrate to Executables in the Files/Registry/Programs/Service Rules. If an Exception has more than one executable for a Files/Registry/Programs/Service Rules custom signature, all executables migrate as Executables. Exceptions: Executables migrate to Files/Registry/Programs/Service rules from only custom signatures. Exceptions: Programs signature: Target executables migrate to the Target executable for the Process subrule. For exceptions with Handler Module or Caller Module parameters, only the executables migrate. Handler Module or Caller Module parameters don't migrate. Domain Group parameters don't migrate. Exceptions with two or more of these parameters defined do not migrate: Target Executable Files parameter (Files, dest_file, and/or drive typefiles) Endpoint Security for Linux supports only the Files parameter (Files, dest_file). Registry (Key) Registry (Value) Service parameter (Display Name or Services) Exceptions migrate to Process Rules when they: Do have Target Executable. Don't have Files parameter (Files, dest_file, and/or drive type). Don't have Registry (Key). Don't have Registry (Value). Don't have Service parameter (Display Name or Services). If the exceptions have executables, the executables migrate to Process Rule level, and target executables migrate to Process Rule: Subrule parameters. 58 McAfee Endpoint Security Migration Guide

59 IPS Rules migration Exceptions B Exceptions migrate to File Rules when they: Do have the Executable OR Files parameter (Files, dest_file, and/or drive type). Don't have Target Executable. Don't have Registry (Key). Don't have Registry (Value). Don't have Service parameter (Display Name or Services). If the exceptions have executables, the executables migrate to the File Rule level. If the exceptions have the Files parameter (Files, dest_file, and/or drive type), they migrate to File Rule: Subrule parameters. Exceptions migrate to Registry Key Rules when they: Do have the Executable OR Registry (Key) parameter. Don't have Target Executable. Don't have Files parameter (Files, dest_file, and/or drive type). Don't have Registry (Value). Don't have Service parameter (Display Name or Services). If the exceptions have executables, the executables migrate to the Key Rule level. If the exceptions have the Key parameter, they migrate to Key Rule: Subrule parameters. Exceptions migrate to Registry Value Rules when they: Do have the Executable OR Registry (Value) parameter. Don't have Target Executable. Don't have Files parameter (Files, dest_file, and/or drive type). Don't have Registry (Key). Don't have Service parameter (Display Name or Services). If the exceptions have executables, the executables migrate to the Value Rule level. If the exceptions have the Value parameter, they migrate to Value Rule: Subrule parameters. Exceptions migrate to Service Rules when they: Do have the Executable OR Service parameter (Display Name or Services). Don't have Target Executable. Don't have Files parameter (Files, dest_file, and/or drive type). Don't have Registry (Key). Don't have Registry (Value). If the exceptions have executables, the executables migrate to the Service Rule level. If the exceptions have the Service parameter (Display Name or Services), they migrate to Service rule: Subrule parameters. User name applies to all three categories, in a similar way to the executables previously described. If User name migrates with the executables to Access Protection Rules, the migrated Access Protection Rules have both the executable and user name. McAfee Endpoint Security Migration Guide 59

60 B IPS Rules migration Application Protection Rules McAfee-defined signature exceptions All McAfee-defined signatures supported in the Threat Prevention Exploit Prevention policy are migrated (for example, Buffer Overflow and Illegal API Usage). If an exception has more than one executable, handler, or caller module, only the first executable, handler, or caller module migrates. Exploit Prevention doesn't support exclusion name, so Executable name doesn't migrate to Exploit Prevention. Domain Group parameters don't migrate. Global exceptions Global exceptions migrate to both the Access Protection and Exploit Prevention policies as global exclusions in a similar way to the exceptions previously described. An exception is considered global if it has no signatures added or has all the McAfee-defined signatures added but no custom signatures. Exceptions with two or more of these parameters defined don't migrate: Target Executable Files parameter (Files, dest_file, and/or drive type) Registry (Key) Registry (Value) Service parameter (Display Name and/or Services) Application Protection Rules Application Protection Rules migrate to Endpoint Security Exploit Prevention policies according to these guidelines. Excluded applications from Application Protection Rules migrate to Exploit Prevention Application Protection Rules. User-defined Application Protection rules for included processes in McAfee Host IPS are not migrated to Exploit Prevention. 60 McAfee Endpoint Security Migration Guide

61 C Creating Firewall rules to replace predefined Access Protection port-blocking rules The Migration Assistant does not migrate predefined or user-defined Access Protection port-blocking rules from VirusScan Enterprise 8.8. However, you can create firewall rules in Endpoint Security Firewall that define behavior equivalent to the predefined VirusScan Enterprise port-blocking rules. VirusScan Enterprise 8.8 includes these four predefined port-blocking rules that are not migrated: AVO10: Prevent mass mailing worms from sending mail AVO11: Prevent IRC communication CW05: Prevent FTP communication CS06: Prevent HTTP communication Contents Create rule to prevent mass mailing worms from sending mail Create rule to prevent IRC communication Create rule to prevent FTP communication Create rule to prevent HTTP communication Create rule to prevent mass mailing worms from sending mail Use this task to create Endpoint Security 10.6 firewall rules that are equivalent to the predefined Access Protection rule AVO10 in VirusScan Enterprise 8.8. See the Endpoint Security Firewall product documentation for more information about creating firewall rules. Rule AVO10: Prevent mass mailing worms from sending mail Rule AVO10 G_030_AntiVirusOn { Description "Prevent mass mailing worms from sending mail" Process { Include * Exclude ${Default Client} ${DefaultBrowser} eudora.exe msimn.exe msn6.exe msnmsgr.exe neo20.exe nlnotes.exe outlook.exe pine.exe poco.exe thebat.exe thunde*.exe winpm-32.exe MAPISP32.exe VMIMB.EXE RESRCMON.EXE Owstimer.exe SPSNotific* WinMail.exe explorer.exe iexplore.exe firefox.exe mozilla.exe netscp.exe opera.exe msn6.exe $ {epotomcatdir}\\bin\\tomcat.exe ${epotomcatdir}\\bin\\tomcat5.exe ${epotomcatdir}\\bin\ \tomcat5w.exe ${epotomcatdir}\\bin\\tomcat7.exe inetinfo.exe amgrsrvc.exe ${epoapachedir}\ \bin\\apache.exe webproxy.exe msexcimc.exe Exclude ntaskldr.exe nsmtp.exe nrouter.exe agent.exe Exclude ebs.exe firesvc.exe modulewrapper* msksrvr.exe mskdetct.exe mailscan.exe rpcserv.exe Exclude mdaemon.exe worldclient.exe wspsrv.exe } Port OTU { Include 25 Include 587 } } McAfee Endpoint Security Migration Guide 61

62 C Creating Firewall rules to replace predefined Access Protection port-blocking rules Create rule to prevent IRC communication You need to create two firewall rules to provide equivalent functionality to the VirusScan Enterprise 8.8 rule. Task 1 In McAfee epo, select Menu Policy Policy Catalog, then select Endpoint Security Firewall from the Product list. 2 From the Category list, select Rules. 3 Click the name of the assigned Firewall Rules policy. 4 Click Add Rule, then configure a rule with the following settings. Action: Allow Direction: Out To be effective, this rule must be positioned above any other rules that block or allow outgoing TCP traffic to remote ports 25 or 587. Network protocol: Any protocol Transport protocol: TCP Remote ports: 25 and 587 Applications: Add executables with the file name or path* set to the Exclude section in the AVO10 rule.** * Variable names ${Default Client}, ${DefaultBrowser}, ${epotomcatdir}, ${epoapachedir} are not supported by Endpoint Security 10.6, so in order to add these executables, you need to add the executable file names associated with the desired default client, default browser, McAfee epo Tomcat Install directory before \bin\, and McAfee epo Apache Install directory before \bin\. 5 Click Save. ** Use single backslashes instead of double backslashes. 6 Click Add Rule, then configure a second rule directly below the rule you created in step 4: Action: Block Transport protocol: TCP Direction: Out Remote ports: 25 and 587 Network protocol: Any protocol 7 Click Save. This rule is created and enabled in Endpoint Security 10.6 for all managed systems where it is assigned. The AVO10 rule was disabled by default in VirusScan Enterprise 8.8, so the traffic was allowed. To achieve the VirusScan Enterprise default behavior in Endpoint Security, change the Block rule's Action to Allow. Create rule to prevent IRC communication Use this task to create an Endpoint Security 10.6 firewall rule that is equivalent to the predefined Access Protection rule AVO11 in VirusScan Enterprise 8.8. See the Endpoint Security Firewall product documentation for more information about creating firewall rules. 62 McAfee Endpoint Security Migration Guide

63 Creating Firewall rules to replace predefined Access Protection port-blocking rules Create rule to prevent FTP communication C Rule AVO10: Prevent mass mailing worms from sending mail Rule AVO11 G_030_AntiVirusOn { Description "Prevent IRC communication" Process { Include * } Port IOTU { Include } } Task 1 In McAfee epo, select Menu Policy Policy Catalog, then select Endpoint Security Firewall from the Product list. 2 From the Category list, select Rules. 3 Click the name of the assigned Firewall Rules policy. 4 Click New Rule, then configure the following settings. Action: Block Transport protocol: TCP Direction: Either Local ports: Network protocol: Any protocol Remote ports: Click Save. This rule is created and enabled in Endpoint Security 10.6 for all managed systems where it is assigned. The AVO11 rule was disabled by default in VirusScan Enterprise 8.8, so IRC traffic was allowed. To achieve the VirusScan Enterprise default behavior in Endpoint Security, change the Block rule's Action to Allow. Create rule to prevent FTP communication Use this task to create Endpoint Security Firewall 10.6 firewall rules that are equivalent to the predefined Access Protection rule CW05 in VirusScan Enterprise 8.8. See the Endpoint Security Firewall product documentation for more information about creating firewall rules. Rule CW05: Prevent FTP communication Rule CW05 G_070_CommonOff { Description "Prevent FTP communication" Enforce 0 Report 0 Process { Include * Exclude ${DefaultBrowser} explorer.exe iexplore.exe firefox.exe mozilla.exe netscp.exe opera.exe msn6.exe ${epotomcatdir}\\bin\\tomcat.exe ${epotomcatdir}\\bin\ \tomcat5.exe ${epotomcatdir}\\bin\\tomcat5w.exe ${epotomcatdir}\\bin\\tomcat7.exe inetinfo.exe amgrsrvc.exe ${epoapachedir}\\bin\\apache.exe webproxy.exe msexcimc.exe mcscript* frameworks* naprdmgr.exe naprdmgr64.exe frminst.exe naimserv.exe framepkg.exe narepl32.exe updaterui.exe cmdagent.exe cleanup.exe mctray.exe udaterui.exe framepkg_upd.exe mue_inuse.exe setlicense.exe mcscancheck.exe lucoms* luupdate.exe lsetup.exe idsinst.exe sevinst.exe nv11esd.exe tsc.exe v3cfgu.exe ofcservice.exe earthagent.exe tmlisten.exe inodist.exe ilaunchr.exe ii_nt86.exe iv_nt86.exe cfgeng.exe f-secu* fspex.exe getdbhtp.exe fnrb32.exe "f-secure automa*" sucer.exe ahnun000.tmp supdate.exe autoup.exe pskmssvc.exe pavagent.exe dstest.exe paddsupd.exe pavsrv50.exe avtask.exe giantantispywa* boxinfo.exe Exclude pasys* google* Exclude alg.exe ftp.exe agentnt.exe } Port OTU { Include } McAfee Endpoint Security Migration Guide 63

64 C Creating Firewall rules to replace predefined Access Protection port-blocking rules Create rule to prevent FTP communication } You need to create two firewall rules to provide equivalent functionality to the VirusScan Enterprise 8.8 rule. Task 1 In McAfee epo, select Menu Policy Policy Catalog, then select Endpoint Security Firewall from the Product list. 2 From the Category list, select Rules. 3 Click the name of the assigned Firewall Rules policy. 4 Click Add Rule, then configure a rule with the following settings. Action: Allow Direction: Out To be effective, this rule must be positioned above any other rules that block or allow outgoing TCP traffic to remote ports 20 or 21. Network protocol: Any protocol Transport protocol: TCP Remote ports: 20 and 21 Applications: Add executables with the file name or path* set to the Exclude section in the VirusScan Enterprise rule above.** * Variable names ${Default Client}, ${DefaultBrowser}, ${epotomcatdir}, and${epoapachedir} are not supported by Endpoint Security Firewall To add these executables, you need to add the executable file names associated with the desired default client, default browser, McAfee epo Tomcat Install directory before \bin\, and McAfee epo Apache Install directory before \bin\. 5 Click Save. ** Use single backslashes instead of double backslashes. 6 Click Add Rule, then configure a second rule directly below the rule you created in step 4: Action: Block Transport protocol: TCP Direction: Out Remote ports: 20 and 21 Network protocol: Any protocol 7 Click Save. This rule is created and enabled in Endpoint Security 10.6 for all managed systems where it is assigned. The CW05 rule was disabled by default in VirusScan Enterprise 8.8, so FTP traffic was allowed. To achieve the VirusScan Enterprise default behavior in Endpoint Security, change the Block rule's Action to Allow. 64 McAfee Endpoint Security Migration Guide

65 Creating Firewall rules to replace predefined Access Protection port-blocking rules Create rule to prevent HTTP communication C Create rule to prevent HTTP communication Create Endpoint Security 10.6 firewall rules that are equivalent to the predefined Access Protection rule CW06 in VirusScan Enterprise 8.8. See the Endpoint Security Firewall product documentation for more information about creating firewall rules. Rule CW06: Prevent HTTP communication Rule CW06 G_070_CommonOff { Description "Prevent HTTP communication" Enforce 0 Report 0 Process { Include * Exclude ${DefaultBrowser} ${Default Client} explorer.exe iexplore.exe firefox.exe mozilla.exe netscp.exe opera.exe msn6.exe ${epotomcatdir}\\bin\\tomcat.exe $ {epotomcatdir}\\bin\\tomcat5.exe ${epotomcatdir}\\bin\\tomcat5w.exe ${epotomcatdir}\\bin\ \tomcat7.exe inetinfo.exe amgrsrvc.exe ${epoapachedir}\\bin\\apache.exe webproxy.exe msexcimc.exe mcscript* frameworks* naprdmgr.exe naprdmgr64.exe frminst.exe naimserv.exe framepkg.exe narepl32.exe updaterui.exe cmdagent.exe cleanup.exe mctray.exe udaterui.exe framepkg_upd.exe mue_inuse.exe setlicense.exe mcscancheck.exe eudora.exe msimn.exe msn6.exe msnmsgr.exe neo20.exe nlnotes.exe outlook.exe pine.exe poco.exe thebat.exe thunde*.exe winpm-32.exe MAPISP32.exe VMIMB.EXE RESRCMON.EXE Owstimer.exe SPSNotific* WinMail.exe msiexec.exe msi*.tmp setup.exe ikernel.exe setup*.exe?setup.exe??setup.exe???setup.exe _ins*._mp McAfeeHIP_Clie* InsFireTdi.exe update.exe uninstall.exe SAEuninstall.exe SAEDisable.exe Setup_SAE.exe Exclude lucoms* luupdate.exe lsetup.exe idsinst.exe sevinst.exe nv11esd.exe tsc.exe v3cfgu.exe ofcservice.exe earthagent.exe tmlisten.exe inodist.exe ilaunchr.exe ii_nt86.exe iv_nt86.exe cfgeng.exe f-secu* fspex.exe getdbhtp.exe fnrb32.exe "f-secure automa*" sucer.exe ahnun000.tmp supdate.exe autoup.exe pskmssvc.exe pavagent.exe dstest.exe paddsupd.exe pavsrv50.exe avtask.exe giantantispywa* boxinfo.exe Exclude alg.exe mobsync.exe waol.exe agentnt.exe svchost.exe runscheduled.exe pasys* google* backweb-* Exclude vmnat.exe devenv.exe windbg.exe jucheck.exe realplay.exe acrord32.exe acrobat.exe Exclude wfica32.exe mmc.exe mshta.exe dwwin.exe wmplayer.exe console.exe wuauclt.exe Exclude javaw.exe ccmexec.exe ntaskldr.exe winamp.exe realplay.exe quicktimeplaye* SiteAdv.exe McSACore.exe } Port OTU { Include 80 Include 443 } } Task 1 In McAfee epo, select Menu Policy Policy Catalog, then select Endpoint Security Firewall from the Product list. 2 From the Category list, select Rules. 3 Click the name of the assigned Firewall Rules policy. 4 Click Add Rule, then configure a rule with the following settings. Action: Allow Direction: Out To be effective, this rule must be positioned above any other rules that block or allow outgoing TCP traffic to remote ports 80 or 443. Network protocol: Any protocol Transport protocol: TCP McAfee Endpoint Security Migration Guide 65

66 C Creating Firewall rules to replace predefined Access Protection port-blocking rules Create rule to prevent HTTP communication Remote ports: 80 and 443 Applications: Add executables with the file name or path* set to the Exclude section in the CW06 rule.** * Variable names ${Default Client}, ${DefaultBrowser}, ${epotomcatdir}, ${epoapachedir} are not supported by Endpoint Security To add these executables, you need to add the executable file names associated with the desired default client, default browser, McAfee epo Tomcat Install directory before \bin\, and McAfee epo Apache Install directory before \bin\. 5 Click Save. ** Use single backslashes instead of double backslashes. 6 Click Add Rule, then configure a second rule directly below the rule you created in step 4: Action: Block Transport protocol: TCP Direction: Out Remote ports: 80 and 443 Network protocol: Any protocol 7 Click Save. This rule is created and enabled in Endpoint Security 10.6 for all managed systems where it is assigned. The CW06 rule was disabled by default in VirusScan Enterprise 8.8, so HTTP traffic was allowed. To achieve the VirusScan Enterprise default behavior in Endpoint Security, change the Block rule's Action to Allow. 66 McAfee Endpoint Security Migration Guide

67 D Maps of migrated policies Policy maps Use these maps to see where legacy settings are moved or merged during migration to Endpoint Security policies. See the Changes to migrated settings appendix for details about settings that are removed, moved, renamed, or merged. Migrating VirusScan Enterprise settings (Windows) Settings from VirusScan Enterprise migrate to multiple Threat Prevention policies and the Endpoint Security Common policy. McAfee Endpoint Security Migration Guide 67

68 D Maps of migrated policies Policy maps Migrating on-access scan settings to Threat Prevention policies (Windows, Mac, and Linux) On-access scan settings from VirusScan Enterprise, McAfee Endpoint Security for Mac, and VirusScan Enterprise for Linux migrate to two Threat Prevention policies. On-Access Scan exclusions are always migrated. If you are migrating products for multiple operating system platforms: VirusScan Enterprise settings take precedence over McAfee Endpoint Security for Mac settings and VirusScan Enterprise for Linux settings. McAfee Endpoint Security for Mac settings take precedence over VirusScan Enterprise for Linux settings. Duplicate settings are not migrated. If you are not migrating VirusScan Enterprise settings, additional settings are migrated from McAfee Endpoint Security for Mac and VirusScan Enterprise for Linux. 68 McAfee Endpoint Security Migration Guide

69 Maps of migrated policies Policy maps D Migrating Access Protection and Buffer Overflow protection to Threat Prevention policies (Windows) Settings for Access Protection and Buffer Overflow Protection migrate from VirusScan Enterprise and McAfee Host IPS to two Threat Prevention policies and the Endpoint Security Common Options policy. McAfee Endpoint Security Migration Guide 69

70 D Maps of migrated policies Policy maps Migrating Host IPS Firewall and General settings to Endpoint Security Firewall Settings from the Host IPS Firewall and General policies migrate to two Endpoint Security Firewall policies and the Endpoint Security Common Options policy. 70 McAfee Endpoint Security Migration Guide

71 Maps of migrated policies Policy maps D Migrating SiteAdvisor Enterprise settings to Web Control Settings from SiteAdvisor Enterprise policies migrate to five Web Control policies and the Endpoint Security Common Options policy. McAfee Endpoint Security Migration Guide 71

72 D Maps of migrated policies Policy maps Migrating multiple-instance SiteAdvisor Enterprise policies The SiteAdvisor Enterprise Content Actions, Authorize List, and Prohibit List policies are multiple-instance policies. Each instance of the source policies migrates to a separate instance of the target policies. 72 McAfee Endpoint Security Migration Guide

73 Maps of migrated policies Policy maps D Migrating legacy settings to the Common Options policy Settings from VirusScan Enterprise, McAfee Host IPS, and SiteAdvisor Enterprise policies migrate to the Options policy in the Common (Endpoint Security Platform) module for use by all the Endpoint Security product modules. McAfee Endpoint Security Migration Guide 73

74 D Maps of migrated policies Policy maps 74 McAfee Endpoint Security Migration Guide