McAfee Endpoint Security

Transcription

1 Migration Guide McAfee Endpoint Security For use with McAfee epolicy Orchestrator

2 COPYRIGHT 2016 Intel Corporation TRADEMARK ATTRIBUTIONS Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, epolicy Orchestrator, McAfee epo, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2 McAfee Endpoint Security Migration Guide

3 Contents Preface 5 About this guide Audience Conventions Find product documentation Migration overview 7 Settings that migrate What happens to policies during migration Overview of the migration process Overview of the deployment process Choosing a migration path Preparing to migrate Install the Migration Assistant Migrating settings automatically 13 Automatic migration workflow Migrate settings automatically Verify automatically migrated objects How repeated automatic migrations are handled Migrating settings manually 19 Manual migration workflow Migrate policies manually Migrate client tasks manually Migrate the Host IPS Catalog manually Verify manually migrated objects How repeated manual migrations are handled How migration updates product settings 25 McAfee Default policy and product default settings Policy names and notes Multiple-instance policies Multiple-platform and single-platform policies How policies are merged during migration Migrating legacy settings to the Common Options policy Migrating VirusScan Enterprise policies to Threat Prevention Migration notes for VirusScan Enterprise settings Merging on-access scan settings from Windows, Mac, and Linux Migrating IPS Rules to Threat Prevention Migration notes for IPS Rules settings Merging Access Protection and Buffer Overflow Protection settings Migrating Host IPS Firewall policies to Endpoint Security Firewall Migration notes for McAfee Host IPS Firewall settings Migrating SiteAdvisor Enterprise policies to Web Control McAfee Endpoint Security Migration Guide 3

4 Contents Migration notes for SiteAdvisor Enterprise settings Migrating legacy Mac policies to Threat Prevention Migration notes for McAfee Endpoint Protection for Mac settings Migrating legacy Linux policies to Threat Prevention Migration notes for VirusScan Enterprise for Linux settings A Troubleshooting 49 Error messages B IPS Rules migration 51 Signature-level settings in migrated IPS Rules Subrule-level settings in migrated IPS Rules Exceptions Application Protection Rules C Creating Firewall rules to replace predefined Access Protection port-blocking rules 57 Create rule to prevent mass mailing worms from sending mail Create rule to prevent IRC communication Create rule to prevent FTP communication Create rule to prevent HTTP communication D Maps of migrated policies 63 Policy maps E Changes to migrated settings 71 Changes to VirusScan Enterprise settings Changes to IPS Rules settings in Host Intrusion Prevention Changes to Firewall settings Changes to SiteAdvisor Enterprise settings Changes to McAfee Endpoint Protection for Mac settings Changes to McAfee VirusScan Enterprise for Linux settings Index 93 4 McAfee Endpoint Security Migration Guide

5 Preface This guide provides the information you need to work with your McAfee product. Contents About this guide Find product documentation About this guide This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized. Audience McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for: Administrators People who implement and enforce the company's security program. Conventions This guide uses these typographical conventions and icons. Italic Bold Monospace Narrow Bold Title of a book, chapter, or topic; a new term; emphasis Text that is emphasized Commands and other text that the user types; a code sample; a displayed message Words from the product interface like options, menus, buttons, and dialog boxes Hypertext blue A link to a topic or to an external website Note: Extra information to emphasize a point, remind the reader of something, or provide an alternative method Tip: Best practice information Caution: Important advice to protect your computer system, software installation, network, business, or data Warning: Critical advice to prevent bodily harm when using a hardware product McAfee Endpoint Security Migration Guide 5

6 Preface Find product documentation Find product documentation On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more. Task 1 Go to the ServicePortal at and click the Knowledge Center tab. 2 In the Knowledge Base pane under Content Source, click Product Documentation. 3 Select a product and version, then click Search to display a list of documents. 6 McAfee Endpoint Security Migration Guide

7 1 Migration 1 overview When you upgrade your legacy products to McAfee Endpoint Security, McAfee Endpoint Security for Mac, and McAfee Endpoint Security for Linux, you can also migrate your custom settings and assignments. The Endpoint Migration Assistant walks you through the migration process. You can let the Migration Assistant migrate all your settings and assignments automatically, based on your current settings and new product defaults, or you can select and configure them manually. The Migration Assistant migrates settings in environments managed with McAfee epolicy Orchestrator (McAfee epo ) version or later. Contents Settings that migrate What happens to policies during migration Overview of the migration process Overview of the deployment process Choosing a migration path Preparing to migrate Install the Migration Assistant Settings that migrate Endpoint Security enables you to migrate settings for the most recent versions of supported McAfee legacy products installed on your Windows, Mac, and Linux platforms. Migration requires a Threat Prevention License extension for the operating system platform. The Migration Assistant checks for a Mac and Linux License extension before enabling the option to migrate Mac and Linux settings. Automatic migration Migrates these settings and retains assignments: Host IPS Catalog Policies and client tasks for all supported Windows products (Optional) Some policy settings for supported Mac products (Optional) Some policy settings and client tasks for supported Linux products Manual migration Lets you select the Host IPS Catalog, policies, or client tasks to migrate. You can edit policies during the migration process, if needed. Best practice: Migrate the Host IPS Catalog immediately before the McAfee Host IPS Firewall policies to ensure that they remain synchronized. You can migrate these objects for the following legacy products. McAfee Endpoint Security Migration Guide 7

8 1 Migration overview What happens to policies during migration Products that migrate (all patch levels) McAfee VirusScan Enterprise 8.8 McAfee Host Intrusion Prevention Firewall 8.0 McAfee Host Intrusion Prevention 8.0 McAfee SiteAdvisor Enterprise 3.5 McAfee Endpoint Protection for Mac 2.3 McAfee VirusScan for Mac 9.8 McAfee VirusScan Enterprise for Linux Settings that migrate Policies Migrate workstation and server policies separately if you have both defined. Client tasks Host IPS Catalog Renamed Firewall Catalog in Endpoint Security. Firewall and General policies IPS Rules policy: Excluded Application Protection Rules IPS Exceptions Custom signatures IPS Protection policy Policies Client tasks Anti-malware policy: On-access Scan Exclusions: On-access Scan On-Access Scanning policy On-Demand Scanning client tasks If unsupported product versions are installed, upgrade them to supported versions before proceeding with migration. See the legacy product documentation for upgrade instructions. What happens to policies during migration Endpoint Security optimizes and consolidates legacy products into an integrated, efficient new platform. In addition to new and enhanced features that leverage the latest developments in security technology, a new McAfee Endpoint Security Common module centralizes the shared protection features so they are easily accessible by all product modules. As a result, some of the policy settings you are familiar with in legacy products have changed. The Endpoint Migration Assistant ensures that the settings in your legacy policies are moved to the correct policies in Endpoint Security. In some cases, they are merged with other Endpoint Security settings, and in others, new default settings are applied to support updated technologies. New and revised categories reflect new and shared features. New settings represent new functionality. Some settings are removed, moved to a different category or policy, or merged with settings for other features. Some settings for multiple operating system platforms can be migrated to separate single-platform policies or one multi-platform policy. 8 McAfee Endpoint Security Migration Guide

9 Migration overview Overview of the migration process 1 Settings shared by multiple product modules and features are moved to the Options policy in the Common module. In some cases, settings are duplicated in multiple policies for use by functionality that is split across modules. See Appendix E, Changes to migrated settings, for details about settings that are removed, moved, renamed, or merged. Figure 1-1 Source and target policies Overview of the migration process Use the Endpoint Migration Assistant to migrate product settings where a supported legacy version of a product module is installed. 1 Check that your legacy products are supported for migration. 2 Install the Migration Assistant extension on the McAfee epo server. McAfee Endpoint Security Migration Guide 9

10 1 Migration overview Overview of the deployment process 3 Open the Migration Assistant, select an automatic or manual path, then follow the instructions on the screen. Automatic migration Migrates all supported legacy settings for all supported Windows products installed on your managed systems. Optionally migrates all supported settings for supported Mac and Linux products. Retains assignments. Manual migration Lets you select the settings to migrate, then edit the policies if needed. Does not retain assignments. 4 (Manual migration only) Repeat step 3 to select and migrate additional settings. 5 Verify that your settings were migrated successfully. See also Install the Migration Assistant on page 12 Settings that migrate on page 7 How repeated automatic migrations are handled on page 17 Choosing a migration path on page 11 Overview of the deployment process Migration is only one task in the process of installing and deploying Endpoint Security. This deployment overview shows where migration fits into the overall process. See the McAfee epolicy Orchestrator documentation for more information about installing the product components and creating assignments. 1 Check that the environment and managed systems where you want to install Endpoint Security meet the requirements described in: Windows KB82761 and the McAfee Endpoint Security Installation Guide Macintosh KB84934 and the McAfee Endpoint Security for Mac Product Guide Linux KB87073 and the McAfee Endpoint Security for Linux Product Guide 2 Check in and install the product package extension files and the McAfee Agent package files to the McAfee epo server. 3 Create a client task to deploy the correct version of the McAfee Agent to managed systems. 4 Migrate legacy product settings. 5 (Manual migration only) Assign the migrated policies and client tasks to managed groups and systems. 6 Deploy Endpoint Security to managed systems. 10 McAfee Endpoint Security Migration Guide

11 Migration overview Choosing a migration path 1 Choosing a migration path Decide which migration path to follow by considering the characteristics of your network or managed systems and your migration goals. 1 Decide whether you need to migrate. Do you want to retain any current settings or assignments for your legacy products? No Install Endpoint Security without migrating. See the product installation guide for instructions. Yes Use the Endpoint Migration Assistant to migrate your settings before deploying the Endpoint Security Client to systems. 2 If you want to migrate your settings, decide whether to migrate automatically or manually. Automatic migration is a "hands-off" process. The Migration Assistant makes most migration decisions "behind the scenes." Recommended if you: Have a network with fewer than 250 managed systems Use default policy settings or a minimum number of custom policies Manual migration is a "hands-on" process. You make most of the migration decisions by selecting the objects to migrate and editing their settings, if needed. Recommended if you: Have a network with more than 250 managed systems Use multiple custom policies Want to fine-tune existing policy settings during the migration process Want to fine-tune assignments Want to migrate settings to single-platform policies Want to personally supervise and approve each step of the migration process Table 1-1 Choosing a migration path Automatic migration Manual migration Pros Requires minimal input from you. Migrates all policies, client tasks, and the Host IPS Catalog for Windows products. Optionally migrates policies for Mac and Linux products. Optionally migrates Linux on-demand scan client tasks. Creates multi-platform target policies combining Windows, Mac, and Linux settings. Retains policy and client task assignments. Lets you select objects to migrate. Lets you edit policies before migrating. Lets you create both single-platform and multi-platform target policies. Cons You can't select specific objects to migrate. You can't edit target policies. You can't create single-platform target policies. Does not migrate unassigned policies. Requires input from you. Does not retain assignments. You need to assign policies and client tasks to managed systems. McAfee Endpoint Security Migration Guide 11

12 1 Migration overview Preparing to migrate Preparing to migrate To streamline the migration process and minimize conflicts or duplication in migrated settings, follow these best practices before migrating. Install the Endpoint Migration Assistant The Migration Assistant is a self-contained McAfee epo extension that you need to install on the McAfee epo server. Review and revise objects you plan to migrate Review legacy settings and assignments. Consolidate them where possible. Remove duplicates and unused objects. Notify others not to make changes to the Policy Catalog, Client Task Catalog, and Host IPS Catalog during migration If objects change while you're migrating them, the migrated objects don't reflect those changes. Locate unassigned policies and client tasks for migration (Automatic migration only) During automatic migration, only policies and client tasks that are assigned to at least one group or managed system are migrated. Use manual migration to migrate unassigned policies or client tasks. What to do next Once you install the Migration Assistant and review the settings you want to migrate, you are ready to begin migration. See Appendix D, Maps of migrated policies, for illustrations of how legacy policies are migrated to Endpoint Security policies. These illustrations are also available for reference from the Endpoint Migration Assistant by clicking View Endpoint Security policy mapping at the top of the manual policy selection pane. See Appendix E, Changes to migrated settings, for details about settings that are removed, moved, renamed, or merged. See also Policy maps on page 63 Install the Migration Assistant The Migration Assistant extension is required only for migrating legacy settings to Endpoint Security. It is not part of the Endpoint Security product extension package. You must install it on your McAfee epo server as a separate extension if you plan to migrate. Task For details about product features, usage, and best practices, click? or Help. 1 In McAfee epo, select Menu Software Manager Software Not Checked In. 2 On the left side of the Software Manager screen, under Product Categories, select Licensed, then: a In the Software Not Checked In table, select McAfee Endpoint Security Migration Assistant. The description and the extension for the Migration Assistant are displayed in the table at the bottom of the screen. b Click Check In to check in the Migration Assistant extension to your McAfee epo. When installation is complete, the Migration Assistant is listed on the Extensions screen. 12 McAfee Endpoint Security Migration Guide

13 2 2 Migrating settings automatically Automatic migration migrates all the supported settings for all the supported products you have installed on your Windows, Mac, and Linux systems. This migration path requires minimal input from you. Use automatic migration to migrate all the policies and client tasks for the legacy products on your Windows systems. It also migrates the entries in your legacy Host IPS Catalog to the new Endpoint Security Firewall Catalog. Optionally, you can migrate Linux on-demand scan client tasks and Mac and Linux on-access scan policy settings. The Endpoint Migration Assistant creates and assigns the new Endpoint Security policies and client tasks automatically, based on your current product settings. Contents Automatic migration workflow Migrate settings automatically Verify automatically migrated objects How repeated automatic migrations are handled Automatic migration workflow Here's a high-level overview of the automatic migration process. 1 Run the Endpoint Migration Assistant and select Automatic migration. 2 If Mac or Linux products are installed, specify whether to migrate them. 3 If there are VirusScan Enterprise policies to migrate, specify whether to migrate workstation or server policies. 4 Preview and save the proposed policies. A server task runs and completes the policy migration. It also migrates client tasks and the Host IPS Catalog. McAfee Endpoint Security Migration Guide 13

14 2 Migrating settings automatically Automatic migration workflow Automatic migration retains assignments for migrated policies and client tasks. After automatic migration completes, you can deploy Endpoint Security 10.2 to managed systems. Figure 2-1 Migrating automatically 14 McAfee Endpoint Security Migration Guide

15 Migrating settings automatically Migrate settings automatically 2 For these objects... Policies Client Tasks (Windows and Linux) Host IPS Catalog The Migration Assistant... Creates the new policies, adds them to the Endpoint Security Policy Catalog, and assigns them to the same managed systems. You can preview the new policies before they are created. Policies for Windows products are migrated automatically. If Mac or Linux products are installed, you can specify whether to migrate their supported policies. When similar settings for Windows and non-windows products are migrated, Windows settings take precedence. On-access scan exclusions are merged. If you don't like the previewed policies, you can cancel the migration and begin a manual migration instead. Creates new tasks, adds them to the Endpoint Security Client Task Catalog, and assigns them to the same managed systems. Client tasks for Windows products are migrated automatically. If VirusScan Enterprise for Linux is installed, you can specify whether to migrate its on-demand scan client tasks. Migrates legacy catalog entries to the Endpoint Security Firewall Catalog. Migrate settings automatically Use automatic migration to migrate your currently assigned policies and client tasks and the Host IPS Catalog with minimal interaction. Before you begin Verify that the products to migrate are supported. Install the Endpoint Migration Assistant extension on the McAfee epo server. Do not allow others to make changes to the objects you are migrating until migration is complete. Task For details about product features, usage, and best practices, click? or Help. 1 In McAfee epo, select Menu Policy Endpoint Migration Assistant. 2 For Mode, select Automatic migration. 3 If VirusScan Enterprise is installed, select either Workstation or Server. Select one to migrate now, then use manual migration to migrate the other at a later time. Threat Prevention does not support separate policies for workstation and server settings. 4 If supported non-windows products are installed, select whether to migrate them. Mac Migrates on-access scan policy settings from McAfee Endpoint Protection for Mac. Linux Migrates on-access scan policy settings and on-demand scan client tasks from VirusScan Enterprise for Linux. McAfee Endpoint Security Migration Guide 15

16 2 Migrating settings automatically Verify automatically migrated objects Automatic migration creates multi-platform policies shared by all operating system platforms. If you want to migrate at a later time, or create single-platform policies, use manual migration to migrate these products. 5 Click Next to generate a preview of the new Endpoint Security policies. A progress bar appears and lets you know how many policies are being included in the preview. 6 Review the new policies. a Under New Categories in the left pane, select a category, then preview the new policies for that category in the right pane. b (Optional) For every new policy that is created under Endpoint Security, click Rename and Edit Notes to rename the policy or edit the policy notes, if needed. 7 Click Save to run a server task to complete the migration. The Migration Assistant runs a server task in the background to migrate your policies. Client tasks and the Host IPS Catalog are also migrated. You can check its status in the Server Task Log. You must wait for the server task to complete before starting another migration session. See also Policy names and notes on page 25 Settings that migrate on page 7 Multiple-platform and single-platform policies on page 27 Install the Migration Assistant on page 12 Verify automatically migrated objects Check that objects were migrated successfully before deploying Endpoint Security to managed systems. Before you begin You have used the Endpoint Migration Assistant to manually migrate legacy product settings to Endpoint Security. Task For details about product features, usage, and best practices, click? or Help. 1 Verify migrated policies. a In McAfee epo, select Menu Policy Policy Catalog. b Select each product module, then check that the migrated policies were created. 2 Verify migrated policy assignments. a In McAfee epo, select Menu Systems Section System Tree. b c View the Assigned Policies for the groups and systems where the source policies were assigned. Verify that the new Endpoint Security policies are assigned to those groups and systems. 16 McAfee Endpoint Security Migration Guide

17 Migrating settings automatically How repeated automatic migrations are handled 2 3 Verify migrated client tasks. a In McAfee epo, select Menu Policy Client Task Catalog. b Select each product module where you migrated client tasks, then select the category for each task you migrated, and verify that the migrated client task was created. 4 Verify migrated client task assignments. a In McAfee epo, select Menu Systems Section System Tree. b c Review the Client Task Assignments for the groups and systems where the source client tasks were assigned. Verify that the migrated client tasks have the same schedule and settings as the source client tasks. 5 Verify the migrated Firewall Catalog. a In McAfee epo, select Menu Policy Firewall Catalog. b Verify that the migrated entries appear in the migrated Firewall Catalog. How repeated automatic migrations are handled Running automatic migration after you have already migrated some or all of your settings affects the new objects created during the previous migration session. When you run automatic migration after migrating previously, the Migration Assistant: Deletes objects created during a previous automatic migration session. For example, if you migrate your policies automatically, then run automatic migration again, only the new policies created in the most recent migration session are listed in the Policy Catalog when you complete the second migration. Retains objects created during a previous manual migration, but does not retain their assignments. Assigns the new policies to managed systems. For example, if you have assigned policies that you migrated manually to managed systems, the new policies are assigned instead. These actions also apply to the Common Options policies created during previous migrations. McAfee Endpoint Security Migration Guide 17

18 2 Migrating settings automatically How repeated automatic migrations are handled 18 McAfee Endpoint Security Migration Guide

19 3 3 Migrating settings manually Manual migration migrates selected settings for the supported products you have installed on your Windows, Mac, and Linux systems. This is an interactive migration path that requires your input. Use manual migration to migrate selected policies, client tasks, or the Host IPS Catalog for your legacy products. The Endpoint Migration Assistant lets you select specific objects to migrate and edit the policies if needed. Manual migration does not retain assignments for migrated objects. Contents Manual migration workflow Migrate policies manually Migrate client tasks manually Migrate the Host IPS Catalog manually Verify manually migrated objects How repeated manual migrations are handled Manual migration workflow Here's a high-level overview of the manual migration process. 1 Run the Endpoint Migration Assistant and select Manual migration. 2 Select the type of objects to migrate. If you select the Host IPS Catalog, a server task runs and completes the Catalog migration. If you select Policies or Client Tasks, select what you want to migrate from the categories, then save your selections. You can edit policies, if needed. You can also edit notes for policies and client tasks. Your selections are migrated in the background. Best practice: Migrate the Host IPS Catalog immediately before the McAfee Host IPS Firewall policies to ensure that they remain synchronized. 3 Run the Migration Assistant again to migrate additional objects. McAfee Endpoint Security Migration Guide 19

20 3 Migrating settings manually Migrate policies manually After manual migration, you must assign the new policies and client tasks to managed systems as part of product deployment. See the McAfee epolicy Orchestrator Installation Guide for more information. Figure 3-1 Migrating settings manually Migrate policies manually Use manual migration to select the policies to migrate, then edit them if needed. Once the new policies are created, you need to assign them to managed systems. Before you begin Verify that the products to migrate are supported. Install the Endpoint Migration Assistant extension on the McAfee epo server. Do not allow others to make changes to the objects you are migrating until migration is complete. 20 McAfee Endpoint Security Migration Guide

21 Migrating settings manually Migrate policies manually 3 Task For details about product features, usage, and best practices, click? or Help. 1 In McAfee epo, select Menu Policy Endpoint Migration Assistant. 2 For Mode, select Manual migration. 3 For Objects to Migrate, select Policies, then click Next. Only the objects that you have permission to view are listed. 4 Under Available Policies in the left pane, select policy categories for your products. The legacy policies within those categories are listed on the right side of the screen. Best practice: Click View Endpoint Security policy mapping, located at the top of the page, to view policy maps that show where legacy policies migrate in Endpoint Security. a b c If you select VirusScan Enterprise policies, the Workstation settings are listed by default. To display Server policy settings instead, click Edit, then select Server. If a category contains multiple policies, select the name of the policy to migrate from the drop-down list that appears next to the category name. If settings in a selected policy are merging with policies from other categories, the Migration Assistant displays the other categories. For each of these categories: Select the name of the policy to migrate. If you don't want to migrate settings in that category now, select None. If you select None for all the merging categories, no new policy is created for these categories. d If you're migrating similar products from multiple operating system platforms, select or deselect Create Multi-Platform Policy. This checkbox appears only when migrating two or more of these products: VirusScan Enterprise, McAfee Endpoint Protection for Mac or McAfee VirusScan for Mac, and VirusScan Enterprise for Linux. Selected The Migration Assistant creates one On-Access Scan policy that can be shared by Windows, Mac, and Linux systems. If product settings conflict, Windows settings take precedence over all others, and Mac settings take precedence over Linux. On-Access Scan exclusions are merged. This is the default setting. Deselected The Migration Assistant creates up to three On-Access Scan policies: migrated VirusScan Enterprise settings for the Windows platform, migrated McAfee Endpoint Protection for Mac or McAfee VirusScan for Mac settings, and migrated VirusScan Enterprise for Linux settings. 5 Click Next. The Migration Assistant displays the source policies on the left side of the screen. At the top of the screen, you see tabs for each Endpoint Security policy to be created. Each tab gives a preview of the new policies created when the selected source policies are migrated. The left pane shows the selected source policies. 6 Click Next to start the manual migration wizard. 7 On the open tab, type a name for the policy, type notes to describe it, and configure its options, then click Next to proceed to the next tab. Repeat this step until you have configured all the selected policies, then click Next. 8 Review the summary of changes, then click Save to create the new policies and add them to the Policy Catalog. McAfee Endpoint Security Migration Guide 21

22 3 Migrating settings manually Migrate client tasks manually 9 Select whether to migrate more objects. Yes Displays the screen where you can select additional objects to migrate. No Displays the first screen with default settings. See also Policy names and notes on page 25 Settings that migrate on page 7 Multiple-platform and single-platform policies on page 27 Install the Migration Assistant on page 12 Policy maps on page 63 Migrate client tasks manually Use manual migration to select the client tasks to migrate. Once the new client tasks are created, assign them to managed systems. Only client tasks for Windows and Linux products are migrated. Before you begin Verify that the products to migrate are supported. Install the Endpoint Migration Assistant extension on the McAfee epo server. Do not allow others to make changes to the objects you are migrating until migration is complete. Task For details about product features, usage, and best practices, click? or Help. 1 In McAfee epo, select Menu Policy Endpoint Migration Assistant. 2 For Mode, select Manual migration. 3 For Objects to Migrate, select Client Tasks, then click Next. Only the objects that you have permission to view are listed. 4 Under Available Tasks in the left pane, select the task types to migrate. The legacy tasks of that type are listed on the right side of the screen. You can type a name or partial name in the Filter list box at the top of the left pane to filter the listing. a If you have created multiple tasks of the same type, a drop-down list appears next to the task type name. Select the name of the task to migrate. b (Optional) To migrate another task of the same type, click + and select the task from the new drop-down list, then repeat for all the tasks to migrate. This option is available only when another task of the same type exists. 5 Click Next to start the manual migration wizard. At the top of the screen, you see tabs for each Endpoint Security client task to be created. Each tab gives a preview of the new tasks when the selected source tasks are migrated. The left pane shows the selected source task. 6 (Optional) For each new task to create, type a new name and edit settings, if needed. 22 McAfee Endpoint Security Migration Guide

23 Migrating settings manually Migrate the Host IPS Catalog manually 3 7 Click Next, review the summary of changes, then click Save to create the new client tasks and add them to the Client Task Catalog. 8 Select whether to migrate more objects. Yes Displays the screen where you can select additional objects to migrate. No Displays the first screen with default settings. See also Policy names and notes on page 25 Settings that migrate on page 7 Install the Migration Assistant on page 12 Migrate the Host IPS Catalog manually Use manual migration to select and migrate the Host IPS Catalog. Migrate the Catalog immediately before migrating the associated policies, to ensure that they remain synchronized. Before you begin Verify that the products to migrate are supported. Install the Endpoint Migration Assistant extension on the McAfee epo server. Do not allow others to make changes to the objects you are migrating until migration is complete. Task For details about product features, usage, and best practices, click? or Help. 1 In McAfee epo, select Menu Policy Endpoint Migration Assistant. 2 For Mode, select Manual migration. 3 For Objects to Migrate, select Catalog, then click Next. All the items in the Catalog will be migrated. 4 Click Next to start the migration. The Migration Assistant displays a message that a server task is migrating the Catalog. When the migration is complete, the selection screen appears for you to select additional objects to migrate. Verify manually migrated objects Check that objects were migrated successfully before deploying Endpoint Security to managed systems. Before you begin You have used the Endpoint Migration Assistant to manually migrate legacy product settings to Endpoint Security. McAfee Endpoint Security Migration Guide 23

24 3 Migrating settings manually How repeated manual migrations are handled Task For details about product features, usage, and best practices, click? or Help. 1 Verify migrated policies. a In McAfee epo, select Menu Policy Policy Catalog. b Select each product module where you migrated policies, then check that the migrated policies were created. 2 Verify migrated client tasks. a In McAfee epo, select Menu Policy Client Task Catalog. b c Select each product module where you migrated client tasks. Select the category for each task you migrated, and verify that the migrated client task was created. 3 Verify the migrated Firewall Catalog. a In McAfee epo, select Menu Policy Firewall Catalog. b Verify that the migrated entries appear in the migrated Firewall Catalog. How repeated manual migrations are handled Manual migration has no effect on objects migrated during a previous migration session. For example, if you migrate some policies for a product module, then migrate the same policies again: The new policies are created in the Policy Catalog. If the target policy name already exists, the Migration Assistant appends a digit to the newer policy name (for example, My Policy, My Policy-1, My Policy-2). The previously migrated policies still appear in the Policy Catalog. If you migrate McAfee Host IPS Firewall policies again, you need to migrate the Host IPS Catalog again. (The Migration Assistant shows the date and time when the Catalog was last migrated, if applicable.) Best practice: Migrate the Host IPS Catalog immediately before the McAfee Host IPS Firewall policies to ensure that they remain synchronized. Manual migration does not retain assignments for migrated objects. You must assign the migrated objects manually. You also must manually delete the objects created during the previous migration session that you no longer want. If you have assigned objects that you created during a previous manual migration session, these assignments are not affected if you migrate the same objects again. 24 McAfee Endpoint Security Migration Guide

25 4 How 4 migration updates product settings Changes to Endpoint Security policies include new policies, categories, options, and default settings that are designed to leverage the latest protection technologies and optimize product performance. During the migration process, legacy settings for policies, options, rules, and tasks might be renamed, removed, or reset to default values, depending on how the features work in Endpoint Security. Some settings are moved to new categories or policies, or merged with other settings. Similar settings from products running on multiple operating system platforms can be migrated to separate, single-platform policies or shared multi-platform policies. Contents McAfee Default policy and product default settings Policy names and notes Multiple-instance policies Multiple-platform and single-platform policies How policies are merged during migration Migrating VirusScan Enterprise policies to Threat Prevention Migrating IPS Rules to Threat Prevention Migrating Host IPS Firewall policies to Endpoint Security Firewall Migrating SiteAdvisor Enterprise policies to Web Control Migrating legacy Mac policies to Threat Prevention Migrating legacy Linux policies to Threat Prevention McAfee Default policy and product default settings The McAfee Default policy does not migrate. If you currently use the McAfee Default policy for legacy products, the Migration Assistant assigns the new Endpoint Security McAfee Default policy. If a source policy with default settings (McAfee Default, My Default (unedited), or Typical Corporate Environment) is assigned to any group or managed system, the Migration Assistant assigns the new Endpoint Security McAfee Default policy during automatic migration. Policy names and notes The Endpoint Migration Assistant uses these general conventions for naming migrated Endpoint Security policies and creating policy notes. You can edit the policy names and notes before saving the new policies or after they are created. Policy names Automatic migration McAfee Endpoint Security Migration Guide 25

26 4 How migration updates product settings Multiple-instance policies Migrated policy type Target policy name Examples Single product migration One-to-one policy migration One-to-multiple policy migration Migrated [legacy product abbreviation] Policy-[n] where: Legacy product abbreviation is VSE, HIPS, SAE, EPM, or VSELinux. n is incremented each time a new policy is migrated for the same module. Migrated VSE Policy Migrated VSE Policy-1 Migrated VSE Policy-2 Migrated HIPS Policy Migrated HIPS Policy-1 Migrated SAE Policy Migrated EPM Policy Migrated VSELinux Policy Multiple product migration (includes multi-platform policies) Multiple-to-one policy migration Common Options Merged Policy-[n] where n is incremented each time a new policy of the same type is migrated. Merged Policy-[n] where n is incremented each time a new Common Options policy is created. Merged Policy Merged Policy-1 Merged Policy-2 Merged Policy Merged Policy-1 Merged Policy-2 Manual migration Migrated policy type Target policy name Examples One-to-one or one-to-multiple policy migration Same as the source name. If the target policy name already exists, the Migration Assistant appends a digit that is incremented each time a new policy is created using that name. You can type a different policy name before saving the new policy. My Policy My Policy-1 My Policy-2 Multiple-to-one policy migration Multi-platform policy You must specify a name for the target policy. You must specify a name for the target policy. Policy notes During migration, the Migration Assistant creates policy notes that include the name (and type, if applicable) of the source policy or policies, the migration date and time, and the name of the user who migrated the policy. For example: Source: VirusScan Enterprise Access Protection Policies > My Default; Type: Server; 6/20/ PM - Automatic Migration; User: admin Multiple-instance policies Multiple-instance policies, also known as multi-slot policies, allow you to assign more than one policy instance to a client, resulting in one combined, effective policy. When migrating legacy policies to Endpoint Security, multiple-instance policies from one or more source policies are merged into one target policy for the respective policy type. 26 McAfee Endpoint Security Migration Guide

27 How migration updates product settings Multiple-platform and single-platform policies 4 Table 4-1 How multiple-instance policies are migrated Source product Source policies Target product module Target policy McAfee Host IPS IPS Rules Threat Prevention Access Protection and Exploit Prevention McAfee Host IPS General (Trusted Applications) SiteAdvisor Enterprise Prohibit List and Authorize List Content Actions Firewall Web Control Options (Trusted Applications) Block and Allow List Content Actions Multiple-platform and single-platform policies During manual migration, you can select whether to migrate settings from different operating system platforms to separate policies or merge them into one policy for multiple platforms. Table 4-2 Migration for settings from multiple operating system platforms When you select these products to migrate... The Migration Assistant creates these Threat Prevention policies... Create Multi-Platform Policy selected Create Multi-Platform Policy deselected VirusScan Enterprise McAfee Endpoint Protection for Mac VirusScan Enterprise VirusScan Enterprise for Linux One On-Access Scan policy for Windows and Mac systems Merged on-access scan exclusions For duplicate or conflicting settings, Windows settings take precedence over Mac settings. One On-Access Scan policy for Windows and Linux systems One Options policy for Windows and Linux systems Merged on-access scan exclusions For duplicate or conflicting settings, Windows settings take precedence over Linux settings. Two On-Access Scan policies: One for Windows systems One for Mac systems Separate on-access scan exclusions Two On-Access Scan policies: One for Windows systems One for Linux systems Two Options policies: One for Windows systems One for Linux systems Separate on-access scan exclusions McAfee Endpoint Security Migration Guide 27

28 4 How migration updates product settings How policies are merged during migration Table 4-2 Migration for settings from multiple operating system platforms (continued) When you select these products to migrate... The Migration Assistant creates these Threat Prevention policies... Create Multi-Platform Policy selected Create Multi-Platform Policy deselected VirusScan Enterprise McAfee Endpoint Protection for Mac VirusScan Enterprise for Linux McAfee Endpoint Protection for Mac VirusScan Enterprise for Linux One On-Access Scan policy for Windows, Mac, and Linux systems One Options policy for Windows and Linux systems Merged on-access scan exclusions For duplicate or conflicting settings, Windows settings take precedence over other settings. One On-Access Scan policy for Mac and Linux systems One Options policy for Linux systems Merged on-access scan exclusions For duplicate or conflicting settings, Mac settings take precedence over Linux settings. Three On-Access Scan policies: One for Windows systems One for Mac systems One for Linux systems Two Options policies: One for Windows systems One for Linux systems Separate on-access scan exclusions Two On-Access Scan policies: One for Mac systems One for Linux systems One Options policy for Linux systems Separate on-access scan exclusions Automatic migration creates multi-platform target policies. You must use manual migration to create single-platform policies. How policies are merged during migration Sometimes, source policies from one or more legacy products are merged into a single target policy. Table 4-3 Policies merged during migration to Threat Prevention Source product module Source policies Threat Prevention policy VirusScan Enterprise Quarantine Manager Unwanted Programs Options VirusScan Enterprise for Linux On-Access Scanning VirusScan Enterprise McAfee Endpoint Protection for Mac High-Risk Processes Low-Risk Processes On-Access Default Processes On-Access General Anti-malware (on-access scan settings) On-Access Scan VirusScan Enterprise for Linux On-Access Scanning 28 McAfee Endpoint Security Migration Guide

29 How migration updates product settings How policies are merged during migration 4 Table 4-3 Policies merged during migration to Threat Prevention (continued) Source product module Source policies Threat Prevention policy VirusScan Enterprise Access Protection Buffer Overflow Protection Access Protection McAfee Host IPS IPS Rules IPS Protection VirusScan Enterprise Buffer Overflow Protection Exploit Prevention McAfee Host IPS IPS Rules IPS Protection Table 4-4 Policies merged during migration to Firewall Source product module Source policies McAfee Host IPS Firewall (Options and DNS Blocking) General (Trusted Applications, Trusted Networks, and Client UI) Firewall policy Options Table 4-5 Policies merged during migration to Web Control Source product module Source policies SiteAdvisor Enterprise Content Actions Rating Actions Authorize List Hardening Content Actions Rating Actions Authorize List Prohibit List Enable or Disable Event Tracking General (some settings) Web Control policy Content Actions Options Block and Allow List McAfee Endpoint Security Migration Guide 29

30 4 How migration updates product settings How policies are merged during migration Migrating legacy settings to the Common Options policy Features shared by multiple product modules reside in the Common module, which is installed with other Endpoint Security product modules. Settings for these shared features are defined in the Options policy for the Common module. Figure 4-1 Legacy settings migrated to the Common Options policy The Migration Assistant migrates legacy settings for these policy categories to the Common Options policy. Table 4-6 Legacy settings migrated to the Common Options policy Source settings VirusScan Enterprise Alert policy VirusScan Enterprise Access Protection policy, Common Standard Protection category VirusScan Enterprise General Options policy, Display Options category Host Intrusion Prevention General policy, Client UI category: Client UI language setting Firewall logging SiteAdvisor Enterprise General policy, Proxy Server tab Migrated Common Options policy categories Client Logging Self Protection Client Interface Language (Windows only) Managed Tasks (Windows only) Client Interface Language (Windows only) Client Logging Proxy Server for McAfee GTI (Windows only) Enable HTTP proxy authentication 30 McAfee Endpoint Security Migration Guide

31 How migration updates product settings Migrating VirusScan Enterprise policies to Threat Prevention 4 Migrating VirusScan Enterprise policies to Threat Prevention This overview shows where migrated policy settings for McAfee VirusScan Enterprise appear in Endpoint Security policies. Figure 4-2 Where VirusScan Enterprise settings migrate McAfee Endpoint Security Migration Guide 31

32 4 How migration updates product settings Migrating VirusScan Enterprise policies to Threat Prevention Migration notes for VirusScan Enterprise settings During the migration process to Endpoint Security 10.2, the Endpoint Migration Assistant adjusts the migrated settings in your target policies to address differences between the legacy product and the new product. Therefore, some of the target policy settings don't match your legacy settings. Workstation and server settings In VirusScan Enterprise, policies include settings for servers and workstations. This is not the case for Threat Prevention policies. Therefore, you must specify to migrate either the workstation settings or the server settings. The default is Workstation. If you use automatic migration, you must select one type of settings for automatic migration, then migrate the other type of settings manually. Quarantine folder The path for the quarantine folder is limited to 190 characters, but VirusScan Enterprise allowed 256 characters. During client migration, if the migrated quarantine folder path contains more than 190 characters, the path automatically reverts to the default location, <SYSTEM_DRIVE>\Quarantine. Access Protection port-blocking rules Endpoint Security Firewall provides more advanced port-blocking capabilities than the predefined Access Protection rules for VirusScan Enterprise 8.8. Access Protection port-blocking rules, either predefined or user-defined, are not migrated. User-added inclusions and exclusions for predefined rules are also not migrated. If you want to continue using legacy rules that don't migrate from VirusScan Enterprise, you can create firewall rules in Endpoint Security Firewall to replicate their behavior. You can create firewall rules to: Define the same behavior as one or more of the predefined Access Protection port-blocking rules. Block the same ports as one or more custom Access Protection port-blocking rules. See Appendix C, Creating Firewall rules to replace Access Protection port-blocking rules, for more information. Self Protection settings When you migrate Access Protection rules (except port-blocking rules): Self Protection settings move from the Access Protection policies to the Common Options policy. Self Protection is enabled by default, regardless of the legacy setting. 32 McAfee Endpoint Security Migration Guide

33 How migration updates product settings Migrating VirusScan Enterprise policies to Threat Prevention 4 User-defined exclusions configured for each legacy product module are migrated as global exclusions for Endpoint Security. User-defined exclusions for three predefined rules in the Common Standard Protection category are migrated as global Self Protection exclusions in the Common Options policy: User-defined exclusions for this legacy rule Migrate to the Self Protection exclusions for Prevent modification of McAfee files and settings Prevent termination of McAfee processes Prevent hooking of McAfee processes Processes Processes Processes Best practice: Review your exclusions after migration, then revise or remove them as needed. Also review exclusions configured for any third-party applications to access VirusScan Enterprise registry or file locations, because these locations have changed in Endpoint Security. Exploit Prevention (Buffer Overflow Protection) In Endpoint Security, Buffer Overflow Protection settings are renamed Exploit Prevention. After migration, the protection level for Exploit Prevention is set to the default Standard Protection, which detects and blocks only high-severity buffer overflow exploits identified in the Exploit Prevention content file and stops the detected threat. Best practice: Use this setting for a limited time only, then review the log file during that time to determine whether to change to Maximum Protection. Scan exclusions for root-level folders VirusScan Enterprise supports the exclusion of root-level folders from scans if the path starts with wildcard characters such as "?" or '"/". No drive identifier is required. However, Threat Prevention does not support the same syntax for leading wildcard characters in on-access scan and on-demand scan exclusions. The Migration Assistant converts unsupported syntax by changing the leading characters to "**\". Best practice: If you plan to migrate root-level scan exclusions that include wildcard characters, revise the legacy exclusions in VirusScan Enterprise to supported syntax before migration, if needed. Supported exclusion patterns Threat Prevention supports the following exclusion patterns, and the Migration Assistant does not change them during migration: Environmental variables Patterns that begin with % (for example, %systemroot%\test\ ) UNC paths Patterns that begin with \\ (for example, \\Test ) Full paths Patterns that include an absolute drive designator (for example, C:\Test\ ) Patterns that begin with **\ McAfee Endpoint Security Migration Guide 33

34 4 How migration updates product settings Migrating VirusScan Enterprise policies to Threat Prevention Unsupported exclusion patterns For all other VirusScan Enterprise exclusion patterns, the Migration Assistant: Converts leading characters to **\ For example, converts \?:?:\ *\ *: *:\ Inserts **\ when there are no leading characters. For example, converts Test to **\Test Appends a backslash character to the exclusion pattern, if the Also Exclude Subfolders option is selected for an exclusion and the exclusion pattern doesn't end with a backslash ( \ ) character. With the **\ syntax, Threat Prevention excludes folders at more levels in the folder structure than VirusScan Enterprise does. Best practice is to review the migrated exclusions and revise them, if needed, to duplicate the behavior of the legacy exclusions. See KB85746 for more information. The following table shows an example of how migrated exclusions are handled differently than exclusions in legacy products. Table 4-7 How non-absolute root-level exclusions are handled Legacy exclusion \test\ or?:\test\ Excludes: \test\ folder at the root level on any drive. For example: c:\test\ d:\test\ z:\test Does not exclude: \test folder at levels other than the root level on any drive, such as: c:\lab\test\ d:\lab\project\test\ Migrated exclusion **\test\ Excludes: \test\ folder at the root or any other level on any drive. For example: c:\test\ d:\test\ z:\test c:\lab\test\ d:\lab\project \test\ To exclude only the \test folder at the root level, revise the migrated exclusion to specify an absolute path. For example: c:\test\ d:\test\ z:\test See also Changes to VirusScan Enterprise settings on page McAfee Endpoint Security Migration Guide

35 How migration updates product settings Migrating VirusScan Enterprise policies to Threat Prevention 4 Merging on-access scan settings from Windows, Mac, and Linux On-access scan settings from supported Mac and Linux products also migrate to the On-Access Scan and Options policies in Threat Prevention. These migrated policies can be multi-platform or single-platform. Figure 4-3 Migrating on-access scan settings from Windows, Mac, and Linux See also Migrating legacy Mac policies to Threat Prevention on page 44 Migrating legacy Linux policies to Threat Prevention on page 46 Multiple-platform and single-platform policies on page 27 McAfee Endpoint Security Migration Guide 35

36 4 How migration updates product settings Migrating IPS Rules to Threat Prevention Migrating IPS Rules to Threat Prevention This overview shows where migrated settings for the IPS Rules and IPS Protection policies from McAfee Host IPS appear in Endpoint Security policies. Figure 4-4 Where IPS Rules settings migrate Migration notes for IPS Rules settings During the migration process to Endpoint Security, the Endpoint Migration Assistant moves your migrated IPS Rules and IPS Protection policy settings into Threat Prevention policies. See Appendix B, IPS Rules migration, for more information about how IPS Rules are migrated to Endpoint Security policies. Policy settings that are migrated These settings are migrated: IPS custom signature subrules for files, registry, and programs IPS Application Protection Rules IPS Exceptions Signatures Only custom signatures migrate. McAfee-defined (canned) signatures do not migrate, even if you have modified them. Signatures with IDs in the range migrate to Access Protection custom rules. Each subrule of a signature migrates as an individual Access Protection custom rule in Threat Prevention. The same signature settings (name, severity, notes, and description) migrate to all rules created in Threat Prevention for all IPS subrules of the signature. A signature name is required. If a signature doesn't have name, the rules using the signature don't migrate. The Severity level and Log status settings from the IPS Rules policy merge with the Reaction setting from the IPS Protection policy to determine the Block/Report settings for migrated Rules in Threat Prevention. 36 McAfee Endpoint Security Migration Guide

37 How migration updates product settings Migrating IPS Rules to Threat Prevention 4 Application Protection Rules Excluded applications from Application Protection rules migrate to the Exploit Prevention policy as Exclusions. Exception Rules Exception Rules from the IPS Rules policy migrate to the Access Protection and Exploit Prevention policies as executables under Exclusions. Source Exception Signature type Target Endpoint Security policy Executables, Caller module, and API Executables and Parameters Kevlar signatures (IDs 6052, 428, 6012, 6013, 6014, and 6015) FILE/REGISTRY/PROGRAM signatures Exploit Protection Access Protection Executables No signature Access Protection Exploit Protection Target setting Exclusions Executables and subrule Parameters Global Exclusions GPEP (General Privilege Escalation Prevention) signature Severity/reaction signature (ID 6052) Exploit Protection Enable General Privilege Escalation Prevention Exception Rules with signatures IPS Exceptions can include custom signatures. The executables and parameters from exceptions are appended to the Endpoint Security Access Protection Rule created during signature migration. If all McAfee-defined signatures are added to a subrule exception, the exception migrates as a global exclusion in the Access Protection and Exploit Prevention policies. See also Changes to IPS Rules settings in Host Intrusion Prevention on page 78 Merging Access Protection and Buffer Overflow Protection settings Access Protection, Buffer Overflow Protection, and IPS Rules policy settings from VirusScan Enterprise and McAfee Host IPS migrate to two Threat Prevention policies and the Endpoint Security Common policy. These policy types are migrated to the Access Protection policy in Threat Prevention: McAfee Host IPS IPS Rules VirusScan Enterprise Access Protection These policy types are migrated to the Exploit Prevention policy in Threat Prevention: McAfee Host IPS IPS Rules VirusScan Enterprise Buffer Overflow Protection McAfee Endpoint Security Migration Guide 37

38 4 How migration updates product settings Migrating IPS Rules to Threat Prevention For more information, see Appendix B, IPS Rules migration, and Appendix E, Changes to migrated settings. Figure 4-5 Migrating Access Protection and Buffer Overflow Protection settings from legacy products See also Changes to VirusScan Enterprise settings on page 71 Changes to IPS Rules settings in Host Intrusion Prevention on page McAfee Endpoint Security Migration Guide

39 How migration updates product settings Migrating Host IPS Firewall policies to Endpoint Security Firewall 4 Migrating Host IPS Firewall policies to Endpoint Security Firewall This overview shows where migrated policy settings for the Firewall and General policy options from McAfee Host IPS appear in Endpoint Security policies. Only settings for the Firewall and General policies migrate to Endpoint Security Firewall. You can continue to manage McAfee Host Intrusion Prevention as a separate extension, with its remaining policy settings in effect, or you can migrate its policy settings to Threat Prevention policies. Figure 4-6 Where Host IPS Firewall settings migrate McAfee Endpoint Security Migration Guide 39

40 4 How migration updates product settings Migrating Host IPS Firewall policies to Endpoint Security Firewall Migration notes for McAfee Host IPS Firewall settings During the migration process to Endpoint Security 10.2, the Endpoint Migration Assistant adjusts the migrated settings in your target policies to address differences between the legacy product and the new product. Therefore, some of the target policy settings don't match your legacy settings. Policy settings that are migrated Only policy types from the Firewall and General policies that apply to the Endpoint Security Firewall are migrated: Client UI DNS Rules Trusted Applications Firewall Rules Trusted Networks Firewall Options Multiple-instance policies Trusted Applications policies are multiple-instance policies. When you migrate them, they are merged into one target policy for the policy type. These changes occur when you migrate Trusted Applications policies: For all the source instances that have the McAfee Host IPS Firewall enabled, trusted executables are appended to the Trusted Executables list in the target Firewall Options policy. If there is a default policy (McAfee Default, My Default (unedited), or Typical Corporate Environment) in any instance of the source policies, the Migration Assistant adds Endpoint Security McAfee Default values to the Endpoint Security target policy. Host IPS Catalog migration When migrating manually, the best practice is to migrate the Host IPS Catalog immediately before the Host Intrusion Prevention Firewall policies. This ensures that they remain synchronized. If Firewall policy settings change after migrating the Catalog, migrate the Catalog again, then migrate the policies. The Migration Assistant displays the date and time when the catalog was last migrated, if applicable, next to the option to migrate the catalog. Firewall Rules and Trusted Networks The Trusted Networks Trust for IPS setting in McAfee Host IPS does not correspond directly to a setting in Endpoint Security Firewall policies. 40 McAfee Endpoint Security Migration Guide

41 How migration updates product settings Migrating Host IPS Firewall policies to Endpoint Security Firewall 4 Table 4-8 How trusted networks are migrated Product McAfee Host IPS Firewall Endpoint Security Firewall What you need to know How legacy feature works: IP addresses become "trusted" only after they are applied to firewall rules that "allow" them. How policy setting is migrated: IP addresses that were formerly listed under Trusted Networks Trust for IPS migrate as Defined Networks Not trusted in the target Firewall Options policy. You can set them to trusted there. How new Defined Networks feature works: All traffic is allowed to Defined Networks that are labeled Trusted in the target Firewall Options policy. Add IP addresses that you want to treat as trusted networks. How to configure migrated policy setting: Configure traffic to the IP addresses that were migrated as Not trusted by associating them with firewall rules in the Firewall Rules policy. See the Endpoint Security Firewall Help for more information. See also Changes to Firewall settings on page 81 McAfee Endpoint Security Migration Guide 41

42 4 How migration updates product settings Migrating SiteAdvisor Enterprise policies to Web Control Migrating SiteAdvisor Enterprise policies to Web Control This overview shows where migrated policy settings for McAfee SiteAdvisor Enterprise appear in Endpoint Security policies. Figure 4-7 Where SiteAdvisor Enterprise settings migrate Migration notes for SiteAdvisor Enterprise settings During the migration process to Endpoint Security 10.2, the Endpoint Migration Assistant adjusts the migrated settings in your target policies to address differences between the legacy product and the new product. Therefore, some of the target policy settings don't match your legacy settings. Multiple-instance policies The Authorize List, Prohibit List, and Content Actions policies are multiple-instance policies. When you migrate them, multiple instances are merged into one target policy for each policy type. If any instance of a source policy is a default policy (My Default (unedited) or McAfee Default), the Endpoint Security McAfee Default instance is used for the target policy instead of merging. Block and Allow List All instances of SiteAdvisor Enterprise Authorize List and Prohibit List source policies are merged into one Endpoint Security Block and Allow List target policy. 42 McAfee Endpoint Security Migration Guide

43 How migration updates product settings Migrating SiteAdvisor Enterprise policies to Web Control 4 Each source policy instance has these settings: Track events and request information from the McAfee SiteAdvisor server. Configure access to individual file downloads based on their rating. Give this Authorize List precedence over the Prohibit List. For each of these settings, if the value of the setting is the same for all instances of the source policies, the value is migrated. Otherwise, the target policy uses the Endpoint Security McAfee Default settings. Site entries from the Authorize List and Prohibit List migrate to a target Block and Allow List. Content Actions All instances of source policies that have the Enable Categorization option selected are evaluated during migration. When merging policies that have different actions defined for categories, the most stringent action from the Action for green column is applied to each category in the target policy. Actions specified for yellow, red, and unrated content are ignored when creating the target policy. For the following special categories, both Action for green and Action for unrated columns are considered: Anonymizers Phishing Anonymizing Utilities Personal Network Storage Potential Hacking/Computer Crime Spam URLs Malicious Sites Interactive Web Applications P2P/File Sharing Parked Domain Remote Access Residential IP Addresses Resource Sharing Browser Exploits Shareware/Freeware Malicious Downloads Spyware/Adware/Keyloggers PUPs For all instances of source policies where the Enable Categorization option is not selected, the option is deselected in the target policy. The Endpoint Security McAfee Default settings are added for all categories. See also Changes to SiteAdvisor Enterprise settings on page 84 McAfee Endpoint Security Migration Guide 43

44 4 How migration updates product settings Migrating legacy Mac policies to Threat Prevention Migrating legacy Mac policies to Threat Prevention This overview shows where migrated policy settings for McAfee Endpoint Protection for Mac appear in Endpoint Security policies. The On-access Scan settings and exclusions configured in the Anti-malware policy migrate to the Threat Prevention On-AccessScan policy. You can migrate the settings to a single-platform Mac policy or a multi-platform policy shared by Windows, Mac, and Linux systems. Figure 4-8 Where McAfee Endpoint Protection for Mac settings migrate See also Merging on-access scan settings from Windows, Mac, and Linux on page 35 Migration notes for McAfee Endpoint Protection for Mac settings During the migration process to Endpoint Security for Mac, the Endpoint Migration Assistant moves your migrated settings into a Threat Prevention policy. Policy settings that are migrated Only On-access Scan settings and exclusions from the Anti-malware policy are migrated. They are migrated to the On-Access Scan policy in Threat Prevention. On-Access Scan exclusions are always migrated. If you are migrating VirusScan Enterprise settings, they take precedence over McAfee Endpoint Protection for Mac settings. Duplicate Mac settings are not migrated. If you are not migrating VirusScan Enterprise settings, additional settings are migrated from McAfee Endpoint Protection for Mac. 44 McAfee Endpoint Security Migration Guide

45 How migration updates product settings Migrating legacy Mac policies to Threat Prevention 4 License check The Migration Assistant checks for a Threat Prevention Mac License extension. If the license is absent, Mac migration options are not available for automatic or manual migration. Multiple-platform or single-platform policies When you migrate McAfee Endpoint Protection for Mac along with Windows or Linux products, the target Threat Prevention On-Access Scan policy can define settings for one or more operating system platforms. During automatic migration One merged (multi-platform) policy is created for all the platforms being migrated. During manual migration Specify whether to create one merged (multi-platform) policy or separate (single-platform) policies. Select Create Multi-Platform Policy to create one policy that contains settings for all the platforms being migrated (for example, Mac, Windows, and Linux). Deselect Create Multi-Platform Policy to create separate On-Access Scan policies: one with migrated McAfee Endpoint Protection for Mac settings for the Mac platform, and others with settings for Windows or Linux. Responses to detections In response to threat and unwanted program detections, McAfee EPM lets you specify these actions: Clean, Quarantine, and Delete. You can specify a primary action and a secondary action (to perform only if the primary action fails). However, the Quarantine option isn't available in Threat Prevention. Therefore, these changes occur to the response settings during migration to the On-Access Scan policy in Threat Prevention. The Quarantine option migrates to Delete. Exception: If Quarantine and Delete are selected as the primary and secondary actions in McAfee EPM, the secondary response migrates to Deny. See also Changes to McAfee Endpoint Protection for Mac settings on page 88 McAfee Endpoint Security Migration Guide 45

46 4 How migration updates product settings Migrating legacy Linux policies to Threat Prevention Migrating legacy Linux policies to Threat Prevention This overview shows where migrated policy settings for McAfee VirusScan Enterprise for Linux appear in Endpoint Security policies. The on-access scan exclusions and other settings configured in the On-Access Scanning policy migrate to the Threat Prevention On-Access Scan and Options policies. You can migrate the settings to a single-platform Linux policy or a multi-platform policy shared by Windows, Mac, and Linux systems. Figure 4-9 Where McAfee VirusScan Enterprise for Linux settings migrate See also Merging on-access scan settings from Windows, Mac, and Linux on page 35 Migration notes for VirusScan Enterprise for Linux settings During the migration process to Endpoint Security for Linux, the Endpoint Migration Assistant moves your migrated settings into a Threat Prevention policy. You can manage systems running Endpoint Security for Linux with the Endpoint Security Threat Prevention extension in McAfee epo. Endpoint Security Firewall and Web Control are not supported for Linux. 46 McAfee Endpoint Security Migration Guide

47 How migration updates product settings Migrating legacy Linux policies to Threat Prevention 4 Policy settings that are migrated Only settings from the On-Access Scanning policy are migrated. On-Access Scan exclusions are always migrated. If you are migrating VirusScan Enterprise or McAfee Endpoint Protection for Mac settings, they take precedence over VirusScan Enterprise for Linux settings. Duplicate Linux settings are not migrated. If you are not migrating VirusScan Enterprise or McAfee Endpoint Protection for Mac settings, additional settings are migrated from VirusScan Enterprise for Linux. Client tasks that are migrated Custom scheduled on-demand scan client tasks are migrated to the Client Task Catalog. License check The Migration Assistant checks for a Threat Prevention Linux License extension. If the license is absent, Linux migration options are not available for automatic or manual migration. Multiple-platform or single-platform policies When you migrate VirusScan Enterprise for Linux with Windows or Mac products, the target Threat Prevention policies can define settings for one or more operating system platforms. During automatic migration Two merged (multi-platform) policies are created for all platforms being migrated. One On-Access Scan for Windows, Mac, and Linux systems. One Options policy for Windows and Linux systems. During manual migration Specify whether to create merged (multi-platform) policies or separate (single-platform) policies. Select Create Multi-Platform Policy to create one On-Access Scan policy and one Options policy that contain settings for all platforms being migrated (for example, Windows and Linux). Deselect Create Multi-Platform Policy to create an On-Access Scan policy and an Options policy with only migrated VirusScan Enterprise for Linux settings, then create separate policies with settings for Windows or Mac. Scan exclusions Endpoint Security for Linux does not support regular expressions as scan exclusions. If regular expressions do migrate successfully from VirusScan Enterprise for Linux, Endpoint Security for Linux ignores them. See also Changes to McAfee VirusScan Enterprise for Linux settings on page 90 McAfee Endpoint Security Migration Guide 47

48 4 How migration updates product settings Migrating legacy Linux policies to Threat Prevention 48 McAfee Endpoint Security Migration Guide

49 A Troubleshooting Use this information to resolve problems during the migration process. Error messages Error messages are displayed by programs when an unexpected condition occurs that can't be fixed by the program itself. Use this list to find an error message, an explanation of the condition, and any action you can take to correct it. Table A-1 Migration Assistant error messages Message Description Solution There are no products installed that can be migrated. An Endpoint Security Migration server task is running and must be completed before continuing. You can migrate only the settings that you have permission to view. You can't begin another migration until the server task is complete. Check your permissions and update them if needed. Wait until the server task is complete, then begin another migration. McAfee Endpoint Security Migration Guide 49

50 A Troubleshooting Error messages 50 McAfee Endpoint Security Migration Guide

51 B IPS Rules migration Endpoint Security uses the logic described in this appendix to configure migrated settings from the IPS Rules and IPS Protection policies in McAfee Host IPS. Settings migrate to the Access Protection and Exploit Prevention policies in Threat Prevention. Contents Signature-level settings in migrated IPS Rules Subrule-level settings in migrated IPS Rules Exceptions Application Protection Rules Signature-level settings in migrated IPS Rules Signature-level settings migrate to Access Protection Rules according to these guidelines. Signature-level settings include Block and Report, Notes, and Rule Name. Migrated Block and Report settings Endpoint Security uses these legacy settings in McAfee Host IPS to determine the Block and Report settings under Rules in the target Access Protection policies: IPS Rules: Signature tab Severity and Log status IPS Protection Reaction To determine the Block setting for the migrated target policy, the Migration Assistant: 1 Reads the source signature Severity setting from the IPS Rules policy. The possible values are High, Medium, Low, Informational, and Disabled. 2 From the IPS Protection policy, reads the Reaction setting for the corresponding severity. For example, if Severity is set to Medium, it reads the Reaction setting value for Medium. 3 If the Reaction value is Prevent, the Block setting is Enabled. Otherwise, it is Disabled. 4 If Severity is Disabled, both Report and Block settings are Disabled. Endpoint Security determines the migrated Report setting as follows: Source IPS Rules policy: Log status setting Source IPS Protection policy: Reaction setting Enabled Prevent or Log Enabled Enabled Ignore Disabled Disabled N/A Disabled Target Access Protection policy: Report setting McAfee Endpoint Security Migration Guide 51

52 B IPS Rules migration Subrule-level settings in migrated IPS Rules Notes Source Notes and Description data merges and migrates to the Notes section of the Endpoint Security Rule, using this format: Notes: <IPS Notes section>; Description: <IPS Description section> Rule Name The source signature name and subrule name merge and migrate to the Endpoint Security Rule name, using this format: <IPS Signature name>_<ips Subrule name> Settings that don't migrate Settings for Signature ID, Type, and Client rules don't migrate. Subrule-level settings in migrated IPS Rules Subrules migrate to Access Protection policies according to these guidelines. General migration guidelines Only Standard subrules migrate. Expert subrules don't migrate. The signature subrule name is required. It migrates to the subrule name. Subrules with these Rule types migrate: Files, Registry, and Programs. Subrules with a Rule type of Registry can have a parameter for Registry (Key) and Registry (Value). Its value determines where these subrules migrate in the Access Protection policy. Rules with a Registry (Key) parameter migrate to a Registry Key type rule. Rules with a Registry (Value) parameter migrate to a Registry Value type rule. Rules with both parameters do not migrate. Most operations migrate directly to the corresponding equivalent for their type. Special cases are described in the following sections. If source data is null or missing, it doesn't migrate. Files subrules File parameter data is required. Subrules must have at least one parameter to migrate. The Destination file parameter migrates only when Rename Operation is enabled. The User name parameter from the IPS subrule migrates to the User Names section in the target Rule. The Drive type parameter migrates to the target subrule parameters list Drive Type as follows: CD or DVD migrates to CD/DVD. Floppy migrates to Floppy. OtherRemovable or USB migrates to Removable. HardDrive migrates to Fixed. Network migrates to Network. 52 McAfee Endpoint Security Migration Guide

53 IPS Rules migration Exceptions B Registry subrules Registry parameter data is required. Subrules must have a least one parameter to migrate. If one subrule has parameters for both Registry (Key) and Registry (Value), the subrule doesn't migrate. The User name parameter from the IPS subrule migrates to the User Names section in the target Rule. Endpoint Security doesn't support the Registry Value Operation setting for Enumerate. If only this operation is defined for a registry subrule, the subrule doesn't migrate. Programs subrules Program parameter data is required. Subrules must have a least one parameter to migrate. User name moves up to the rule level in Endpoint Security. Caller module doesn't migrate. Target Executable migrates to Process. If the source subrule doesn't specify a value for Target Executable, it doesn't migrate. Endpoint Security doesn't support the Operation setting for Open with Access to wait. If only this operation is defined for a program subrule, the subrule doesn't migrate. Executables Executables in Files, Registry, and Programs subrules migrate to Rule-level executables. Fingerprint migrates to MD5 hash. Signer migrates. File Description doesn't migrate. Target Executable migrates to Process. If the source subrule doesn't specify a value for Target Executable, it doesn't migrate. Exceptions IPS Exception Rules migrate to Access Protection and Exploit Prevention policies according to these guidelines. Exceptions can have custom signatures, McAfee-defined (canned) signatures, a mixture of both types, or no signature. Custom signature exceptions migrate to the Access Protection policy. McAfee-defined exceptions migrate to the Exploit Prevention policy. Global exceptions migrate to both policies. Custom signature exceptions (Files/Registry/Programs) Exceptions with custom signatures migrate to the Access Protection Rules that were created during IPS Signature migration. Executables from IPS Exceptions that have custom Files/Registry/Programs signatures migrate to Executables in the Files/Registry/Programs Rules. If an Exception has more than one executable for a Files/Registry/Programs Rules custom signature, all executables migrate as Executables. McAfee Endpoint Security Migration Guide 53

54 B IPS Rules migration Exceptions Exceptions: Executables migrate to Files/Registry/Programs rules from only custom signatures. Exceptions: Programs signature: Target executables migrate to the Target executable for the Process subrule. For exceptions with Handler Module or Caller Module parameters, only the executables migrate. Handler Module or Caller Module parameters don't migrate. Domain Group parameters don't migrate. Exceptions with two or more of these parameters defined do not migrate: Target Executable Files parameter (Files, dest_file, and/or drive type) Registry (Key) Registry (Value) Exceptions migrate to Process Rules when they: Do have Target Executable. Don't have Files parameter (Files, dest_file, and/or drive type). Don't have Registry (Key). Don't have Registry (Value). If the exceptions have executables, the executables migrate to Process Rule level, and target executables migrate to Process Rule: Subrule parameters. Exceptions migrate to File Rules when they: Do have the Executable OR Files parameter (Files, dest_file, and/or drive type). Don't have Target Executable. Don't have Registry (Key). Don't have Registry (Value). If the exceptions have executables, the executables migrate to the File Rule level. If the exceptions have the Files parameter (Files, dest_file, and/or drive type), they migrate to File Rule: Subrule parameters. Exceptions migrate to Registry Key Rules when they: Do have the Executable OR Registry (Key) parameter. Don't have Target Executable. Don't have Files parameter (Files, dest_file, and/or drive type). Don't have Registry (Value). If the exceptions have executables, the executables migrate to the Key Rule level. If the exceptions have the Key parameter, they migrate to Key Rule: Subrule parameters. Exceptions migrate to Registry Value Rules when they: Do have the Executable OR Registry (Value) parameter. Don't have Target Executable. 54 McAfee Endpoint Security Migration Guide

55 IPS Rules migration Application Protection Rules B Don't have Files parameter (Files, dest_file, and/or drive type). Don't have Registry (Key). If the exceptions have executables, the executables migrate to the Value Rule level. If the exceptions have Value parameter, they migrate to Value Rule: Subrule parameters. User name applies to all three categories, in a similar way to the executables previously described. If User name migrates with the executables to Access Protection Rules, the migrated Access Protection Rules have both the executable and user name. McAfee-defined signature exceptions Executables from IPS Exceptions that have signature IDs 6052, 428, 6012, 6013, 6014, or 6015 migrate to Exploit Prevention exclusions in Endpoint Security. If an exception has more than one executable, handler, or caller module, only the first executable, handler, or caller module migrates. Exploit Prevention doesn't support exclusion name, so Executable name doesn't migrate to Exploit Prevention. Domain Group parameters don't migrate. Global exceptions Global exceptions migrate to both the Access Protection and Exploit Prevention policies as global exclusions in a similar way to the exceptions previously described. An exception is considered global if it has no signatures added or has all the McAfee-defined signatures added but no custom signatures. Exceptions with two or more of these parameters defined don't migrate: Target Executable Files parameter (Files, dest_file, and/or drive type) Registry (Key) Registry (Value) Application Protection Rules Application Protection Rules migrate to Endpoint Security Exploit Prevention policies according to these guidelines. Excluded applications from Application Protection Rules migrate to Exploit Prevention exclusions. McAfee Endpoint Security Migration Guide 55

56 B IPS Rules migration Application Protection Rules 56 McAfee Endpoint Security Migration Guide

57 C Creating Firewall rules to replace predefined Access Protection portblocking rules The Migration Assistant does not migrate predefined or user-defined Access Protection port-blocking rules from VirusScan Enterprise 8.8. However, you can create firewall rules in Endpoint Security Firewall that define behavior equivalent to the predefined VirusScan Enterprise port-blocking rules. VirusScan Enterprise 8.8 includes these four predefined port-blocking rules that are not migrated: AVO10: Prevent mass mailing worms from sending mail AVO11: Prevent IRC communication CW05: Prevent FTP communication CS06: Prevent HTTP communication Contents Create rule to prevent mass mailing worms from sending mail Create rule to prevent IRC communication Create rule to prevent FTP communication Create rule to prevent HTTP communication Create rule to prevent mass mailing worms from sending mail Use this task to create Endpoint Security 10.2 firewall rules that are equivalent to the predefined Access Protection rule AVO10 in VirusScan Enterprise 8.8. See the Endpoint Security Firewall Help for more information about creating firewall rules. Rule AVO10: Prevent mass mailing worms from sending mail Rule AVO10 G_030_AntiVirusOn { Description "Prevent mass mailing worms from sending mail" Process { Include * Exclude ${Default Client} ${DefaultBrowser} eudora.exe msimn.exe msn6.exe msnmsgr.exe neo20.exe nlnotes.exe outlook.exe pine.exe poco.exe thebat.exe thunde*.exe winpm-32.exe MAPISP32.exe VMIMB.EXE RESRCMON.EXE Owstimer.exe SPSNotific* WinMail.exe explorer.exe iexplore.exe firefox.exe mozilla.exe netscp.exe opera.exe msn6.exe $ {epotomcatdir}\\bin\\tomcat.exe ${epotomcatdir}\\bin\\tomcat5.exe ${epotomcatdir}\\bin\ \tomcat5w.exe ${epotomcatdir}\\bin\\tomcat7.exe inetinfo.exe amgrsrvc.exe ${epoapachedir}\ \bin\\apache.exe webproxy.exe msexcimc.exe Exclude ntaskldr.exe nsmtp.exe nrouter.exe agent.exe Exclude ebs.exe firesvc.exe modulewrapper* msksrvr.exe mskdetct.exe mailscan.exe rpcserv.exe Exclude mdaemon.exe worldclient.exe wspsrv.exe } Port OTU { Include 25 Include 587 } McAfee Endpoint Security Migration Guide 57

58 C Creating Firewall rules to replace predefined Access Protection port-blocking rules Create rule to prevent mass mailing worms from sending mail } You need to create two firewall rules to provide equivalent functionality to the VirusScan Enterprise 8.8 rule. Task For details about product features, usage, and best practices, click? or Help. 1 In McAfee epo, select Menu Policy Policy Catalog, then select Endpoint Security Firewall from the Product list. 2 From the Category list, select Rules. 3 Click the name of the assigned Firewall Rules policy. 4 Click Add Rule, then configure a rule with the following settings. Action: Block Direction: Out To be effective, this rule must be positioned above any other rules that block or allow outgoing TCP traffic to remote ports 25 or 587. Network protocol: Any protocol Transport protocol: TCP Remote ports: 25 and 587 Applications: Add executables with the file name or path* set to the Exclude section in the AVO10 rule.** * Variable names ${Default Client}, ${DefaultBrowser}, ${epotomcatdir}, $ {epoapachedir} are not supported by Endpoint Security 10.2, so in order to add these executables, you need to add the executable file names associated with the desired default client, default browser, McAfee epo Tomcat Install directory before \bin\, and McAfee epo Apache Install directory before \bin\. ** Use single backslashes instead of double backslashes. 5 Click Save. 6 Click Add Rule, then configure a second rule directly below the rule you created in step 4: Action: Block Transport protocol: TCP Direction: Out Remote ports: 25 and 587 Network protocol: Any protocol 7 Click Save. This rule is created and enabled in Endpoint Security 10.2 for all managed systems where it is assigned. The AVO10 rule was disabled by default in VirusScan Enterprise 8.8, so the traffic was allowed. To achieve the VirusScan Enterprise default behavior in Endpoint Security, change the Block rule's Action to Allow. 58 McAfee Endpoint Security Migration Guide

59 Creating Firewall rules to replace predefined Access Protection port-blocking rules Create rule to prevent IRC communication C Create rule to prevent IRC communication Use this task to create an Endpoint Security 10.2 firewall rule that is equivalent to the predefined Access Protection rule AVO11 in VirusScan Enterprise 8.8. See the Endpoint Security Firewall Help for more information about creating firewall rules. Rule AVO10: Prevent mass mailing worms from sending mail Rule AVO11 G_030_AntiVirusOn { Description "Prevent IRC communication" Process { Include * } Port IOTU { Include } } Task For details about product features, usage, and best practices, click? or Help. 1 In McAfee epo, select Menu Policy Policy Catalog, then select Endpoint Security Firewall from the Product list. 2 From the Category list, select Rules. 3 Click the name of the assigned Firewall Rules policy. 4 Click New Rule, then configure the following settings. Action: Block Transport protocol: TCP Direction: Either Local ports: Network protocol: Any protocol Remote ports: Click Save. This rule is created and enabled in Endpoint Security 10.2 for all managed systems where it is assigned. The AVO11 rule was disabled by default in VirusScan Enterprise 8.8, so IRC traffic was allowed. To achieve the VirusScan Enterprise default behavior in Endpoint Security, change the Block rule's Action to Allow. Create rule to prevent FTP communication Use this task to create Endpoint Security Firewall 10.2 firewall rules that are equivalent to the predefined Access Protection rule CW05 in VirusScan Enterprise 8.8. See the Endpoint Security Firewall Help for more information about creating firewall rules. Rule CW05: Prevent FTP communication Rule CW05 G_070_CommonOff { Description "Prevent FTP communication" Enforce 0 Report 0 Process { Include * Exclude ${DefaultBrowser} explorer.exe iexplore.exe firefox.exe mozilla.exe netscp.exe opera.exe msn6.exe ${epotomcatdir}\\bin\\tomcat.exe ${epotomcatdir}\\bin\ \tomcat5.exe ${epotomcatdir}\\bin\\tomcat5w.exe ${epotomcatdir}\\bin\\tomcat7.exe inetinfo.exe amgrsrvc.exe ${epoapachedir}\\bin\\apache.exe webproxy.exe msexcimc.exe McAfee Endpoint Security Migration Guide 59

60 C Creating Firewall rules to replace predefined Access Protection port-blocking rules Create rule to prevent FTP communication mcscript* frameworks* naprdmgr.exe naprdmgr64.exe frminst.exe naimserv.exe framepkg.exe narepl32.exe updaterui.exe cmdagent.exe cleanup.exe mctray.exe udaterui.exe framepkg_upd.exe mue_inuse.exe setlicense.exe mcscancheck.exe lucoms* luupdate.exe lsetup.exe idsinst.exe sevinst.exe nv11esd.exe tsc.exe v3cfgu.exe ofcservice.exe earthagent.exe tmlisten.exe inodist.exe ilaunchr.exe ii_nt86.exe iv_nt86.exe cfgeng.exe f-secu* fspex.exe getdbhtp.exe fnrb32.exe "f-secure automa*" sucer.exe ahnun000.tmp supdate.exe autoup.exe pskmssvc.exe pavagent.exe dstest.exe paddsupd.exe pavsrv50.exe avtask.exe giantantispywa* boxinfo.exe Exclude pasys* google* Exclude alg.exe ftp.exe agentnt.exe } Port OTU { Include } } You need to create two firewall rules to provide equivalent functionality to the VirusScan Enterprise 8.8 rule. Task For details about product features, usage, and best practices, click? or Help. 1 In McAfee epo, select Menu Policy Policy Catalog, then select Endpoint Security Firewall from the Product list. 2 From the Category list, select Rules. 3 Click the name of the assigned Firewall Rules policy. 4 Click Add Rule, then configure a rule with the following settings. Action: Allow Direction: Out To be effective, this rule must be positioned above any other rules that block or allow outgoing TCP traffic to remote ports 20 or 21. Network protocol: Any protocol Transport protocol: TCP Remote ports: 20 and 21 Applications: Add executables with the file name or path* set to the Exclude section in the VirusScan Enterprise rule above.** * Variable names ${Default Client}, ${DefaultBrowser}, ${epotomcatdir}, and$ {epoapachedir} are not supported by Endpoint Security Firewall To add these executables, you need to add the executable file names associated with the desired default client, default browser, McAfee epo Tomcat Install directory before \bin\, and McAfee epo Apache Install directory before \bin\. ** Use single backslashes instead of double backslashes. 5 Click Save. 6 Click Add Rule, then configure a second rule directly below the rule you created in step 4: Action: Block Transport protocol: TCP Direction: Out Remote ports: 20 and 21 Network protocol: Any protocol 7 Click Save. 60 McAfee Endpoint Security Migration Guide

61 Creating Firewall rules to replace predefined Access Protection port-blocking rules Create rule to prevent HTTP communication C This rule is created and enabled in Endpoint Security 10.2 for all managed systems where it is assigned. The CW05 rule was disabled by default in VirusScan Enterprise 8.8, so FTP traffic was allowed. To achieve the VirusScan Enterprise default behavior in Endpoint Security, change the Block rule's Action to Allow. Create rule to prevent HTTP communication Create Endpoint Security 10.2 firewall rules that are equivalent to the predefined Access Protection rule CW06 in VirusScan Enterprise 8.8. See the Endpoint Security Firewall Help for more information about creating firewall rules. Rule CW06: Prevent HTTP communication Rule CW06 G_070_CommonOff { Description "Prevent HTTP communication" Enforce 0 Report 0 Process { Include * Exclude ${DefaultBrowser} ${Default Client} explorer.exe iexplore.exe firefox.exe mozilla.exe netscp.exe opera.exe msn6.exe ${epotomcatdir}\\bin\\tomcat.exe $ {epotomcatdir}\\bin\\tomcat5.exe ${epotomcatdir}\\bin\\tomcat5w.exe ${epotomcatdir}\\bin\ \tomcat7.exe inetinfo.exe amgrsrvc.exe ${epoapachedir}\\bin\\apache.exe webproxy.exe msexcimc.exe mcscript* frameworks* naprdmgr.exe naprdmgr64.exe frminst.exe naimserv.exe framepkg.exe narepl32.exe updaterui.exe cmdagent.exe cleanup.exe mctray.exe udaterui.exe framepkg_upd.exe mue_inuse.exe setlicense.exe mcscancheck.exe eudora.exe msimn.exe msn6.exe msnmsgr.exe neo20.exe nlnotes.exe outlook.exe pine.exe poco.exe thebat.exe thunde*.exe winpm-32.exe MAPISP32.exe VMIMB.EXE RESRCMON.EXE Owstimer.exe SPSNotific* WinMail.exe msiexec.exe msi*.tmp setup.exe ikernel.exe setup*.exe?setup.exe??setup.exe???setup.exe _ins*._mp McAfeeHIP_Clie* InsFireTdi.exe update.exe uninstall.exe SAEuninstall.exe SAEDisable.exe Setup_SAE.exe Exclude lucoms* luupdate.exe lsetup.exe idsinst.exe sevinst.exe nv11esd.exe tsc.exe v3cfgu.exe ofcservice.exe earthagent.exe tmlisten.exe inodist.exe ilaunchr.exe ii_nt86.exe iv_nt86.exe cfgeng.exe f-secu* fspex.exe getdbhtp.exe fnrb32.exe "f-secure automa*" sucer.exe ahnun000.tmp supdate.exe autoup.exe pskmssvc.exe pavagent.exe dstest.exe paddsupd.exe pavsrv50.exe avtask.exe giantantispywa* boxinfo.exe Exclude alg.exe mobsync.exe waol.exe agentnt.exe svchost.exe runscheduled.exe pasys* google* backweb-* Exclude vmnat.exe devenv.exe windbg.exe jucheck.exe realplay.exe acrord32.exe acrobat.exe Exclude wfica32.exe mmc.exe mshta.exe dwwin.exe wmplayer.exe console.exe wuauclt.exe Exclude javaw.exe ccmexec.exe ntaskldr.exe winamp.exe realplay.exe quicktimeplaye* SiteAdv.exe McSACore.exe } Port OTU { Include 80 Include 443 } } Task For details about product features, usage, and best practices, click? or Help. 1 In McAfee epo, select Menu Policy Policy Catalog, then select Endpoint Security Firewall from the Product list. 2 From the Category list, select Rules. 3 Click the name of the assigned Firewall Rules policy. McAfee Endpoint Security Migration Guide 61

62 C Creating Firewall rules to replace predefined Access Protection port-blocking rules Create rule to prevent HTTP communication 4 Click Add Rule, then configure a rule with the following settings. Action: Allow Direction: Out To be effective, this rule must be positioned above any other rules that block or allow outgoing TCP traffic to remote ports 80 or 443. Network protocol: Any protocol Transport protocol: TCP Remote ports: 80 and 443 Applications: Add executables with the file name or path* set to the Exclude section in the CW06 rule.** * Variable names ${Default Client}, ${DefaultBrowser}, ${epotomcatdir}, $ {epoapachedir} are not supported by Endpoint Security To add these executables, you need to add the executable file names associated with the desired default client, default browser, McAfee epo Tomcat Install directory before \bin\, and McAfee epo Apache Install directory before \bin\. ** Use single backslashes instead of double backslashes. 5 Click Save. 6 Click Add Rule, then configure a second rule directly below the rule you created in step 4: Action: Block Transport protocol: TCP Direction: Out Remote ports: 80 and 443 Network protocol: Any protocol 7 Click Save. This rule is created and enabled in Endpoint Security 10.2 for all managed systems where it is assigned. The CW06 rule was disabled by default in VirusScan Enterprise 8.8, so HTTP traffic was allowed. To achieve the VirusScan Enterprise default behavior in Endpoint Security, change the Block rule's Action to Allow. 62 McAfee Endpoint Security Migration Guide

63 D Maps of migrated policies These policy overview diagrams show where legacy policy settings appear in McAfee Endpoint Security policies. Policy maps Use these maps to see where legacy settings are moved or merged during migration to Endpoint Security policies. See Appendix E, Changes to migrated settings, for details about settings that are removed, moved, renamed, or merged. Migrating VirusScan Enterprise settings (Windows) Settings from VirusScan Enterprise migrate to multiple Threat Prevention policies and the Endpoint Security Common policy. McAfee Endpoint Security Migration Guide 63

64 D Maps of migrated policies Policy maps Migrating on-access scan settings to Threat Prevention policies (Windows, Mac, and Linux) On-access scan settings from VirusScan Enterprise, McAfee Endpoint Protection for Mac, and VirusScan Enterprise for Linux migrate to two Threat Prevention policies. On-Access Scan exclusions are always migrated. If you are migrating products for multiple operating system platforms: VirusScan Enterprise settings take precedence over McAfee Endpoint Protection for Mac settings and VirusScan Enterprise for Linux settings. McAfee Endpoint Protection for Mac settings take precedence over VirusScan Enterprise for Linux settings. 64 McAfee Endpoint Security Migration Guide

65 Maps of migrated policies Policy maps D Duplicate settings are not migrated. If you are not migrating VirusScan Enterprise settings, additional settings are migrated from McAfee Endpoint Protection for Mac and VirusScan Enterprise for Linux. Migrating Access Protection and Buffer Overflow protection to Threat Prevention policies (Windows) Settings for Access Protection and Buffer Overflow Protection migrate from VirusScan Enterprise and McAfee Host IPS to two Threat Prevention policies and the Endpoint Security Common Options policy. McAfee Endpoint Security Migration Guide 65

66 D Maps of migrated policies Policy maps Migrating Host IPS Firewall and General settings to Endpoint Security Firewall Settings from the Host IPS Firewall and General policies migrate to two Endpoint Security Firewall policies and the Endpoint Security Common Options policy. 66 McAfee Endpoint Security Migration Guide

67 Maps of migrated policies Policy maps D Migrating SiteAdvisor Enterprise settings to Web Control Settings from SiteAdvisor Enterprise policies migrate to five Web Control policies and the Endpoint Security Common Options policy. McAfee Endpoint Security Migration Guide 67

68 D Maps of migrated policies Policy maps Migrating legacy settings to the Common Options policy Settings from VirusScan Enterprise, McAfee Host IPS, and SiteAdvisor Enterprise policies migrate to the Options policy in the Common module for use by all the Endpoint Security product modules. 68 McAfee Endpoint Security Migration Guide

69 Maps of migrated policies Policy maps D See also Changes to migrated settings on page 4 McAfee Endpoint Security Migration Guide 69