
Product Guide

McAfee Endpoint Security for Mac 10.2.0


COPYRIGHT
© 2016 Intel Corporation

TRADEMARK ATTRIBUTIONS
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active
Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence,
McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee
Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries.
Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.



Contents

Preface
About this guide
Audience
Conventions
Find product documentation

1 Introduction
Why you need security for Mac
How McAfee Endpoint Security for Mac protects your system
Threat Prevention
Firewall
Web Control
Product features

Protecting your standalone Mac

2 Installing the software on a standalone Mac
Hardware and software requirements
Install the software
Install the software using wizard
Install the software from the command line (silent installation)
Test the installation
Test the Threat Prevention feature
Test the Firewall feature
Test the Web Control feature
Upgrading the software
Supported upgrades on a standalone Mac
Default settings
Recommended post-installation tasks
Uninstall the software from a standalone Mac

3 Using the software on a standalone Mac
Security status
View your Mac security status
Recent events summary
View event log
Remove event log
View the quarantined items
Remove or restore the quarantined item
Update the DAT and Engine
Run a system scan
Configure custom scan tasks
Create a scan task
Change settings in an existing scan task
Remove an existing scan schedule


4 Configuring protection settings on a standalone Mac
General protection options
Enable or disable protection features
Threat Prevention
How Threat Prevention works
Types of scan
Configure on-access scan preferences
Configure on-demand scan preferences
Exclude files or directories from scanning
Best practices for Threat Prevention
Firewall
How stateful filtering works
How regular mode firewall protection works
How Adaptive mode firewall protection works
How DNS blocking works
How stateful FTP inspection works
How Firewall rules work
How firewall rules are organized
Create a Firewall rule
Firewall rules examples
Best practices for Firewall
Web Control
How Web Control works
How safety ratings are compiled
Color-coded buttons
Color icons
Site safety report
Site rating action
Blocking sites based on the content category
Block and Allow List
Configure Web Control on a standalone Mac
Configure an update schedule
Configure the repository list
Configure proxy settings
Configure the DAT update schedule
Debug logging
Enable or disable debug logging

5 Troubleshooting
Run the repairMSC utility

Protecting your managed Mac

6 Installing the software on a Mac managed with McAfee ePO
System requirements
Check in the package to the McAfee ePO server
Check in the package using Software Manager
Check in the package manually
Install the extensions on the McAfee ePO server
Install the extensions using Software Manager
Install the extensions manually
Install the client software on a managed Mac using the installation URL
Create an installation URL
Install the software with an installation URL on a managed Mac
Deploy the software from McAfee ePO
Test the installation


Remove the software from a managed Mac
Remove the software extensions
Remove the software

7 Installing the software on a Mac managed with McAfee ePO Cloud
McAfee ePO Cloud components
System requirements
Accessing the McAfee ePO Cloud account
Install the client software on a managed systems using the installation URL
Create an installation URL
Install the software with an installation URL
Deploy the client software from McAfee ePO Cloud

8 Managing the software with McAfee ePO and McAfee ePO Cloud
Using Endpoint Security extensions as common extensions
Manage policies
Create or modify policies
Assign policies
Monitor the McAfee Agent status
Common policy
Configuring client interface access
Preventing client software uninstallation
Self Protection
Configuring debug logging
Default Client Update
Configure the Common policy
Threat Prevention policy
Configure On-Access Scan policy
Configure On-Demand Scan policy (Full Scan)
Configure an On-Demand Scan policy (Quick Scan)
Exclude files or directories from scanning
Schedule a full or quick scan on managed Mac
Schedule a custom on-demand scan
Schedule the DAT update
Firewall policy
Configure a firewall rules policy
Configure a Firewall Options policy
Configure location awareness options
Configure DNS blocking options
Web Control policy
Enable or disable Web Control
Configure site rating actions
Configuring actions for unverified sites
Define Block and Allow List
Configure browser events
Configure Web Control Options policy
Queries and reports
Queries for Threat Prevention
Queries for Firewall
Queries for Web Control
Other queries

Index


Preface

This guide provides the information you need to work with your McAfee product.

Contents
About this guide
Find product documentation

About this guide


This information describes the guide's target audience, the typographical conventions and icons used
in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

• Users — People who use the computer where the software is running and can access some or all of
its features.

Conventions
This guide uses these typographical conventions and icons.

Italic: Title of a book, chapter, or topic; a new term; emphasis
Bold: Text that is emphasized
Monospace: Commands and other text that the user types; a code sample; a displayed message
Narrow Bold: Words from the product interface like options, menus, buttons, and dialog boxes
Hypertext blue: A link to a topic or to an external website
Note: Extra information to emphasize a point, remind the reader of something, or provide an alternative method
Tip: Best practice information
Caution: Important advice to protect your computer system, software installation, network, business, or data
Warning: Critical advice to prevent bodily harm when using a hardware product


Find product documentation


On the ServicePortal, you can find information about a released product, including product
documentation, technical articles, and more.

Task
1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.

2 In the Knowledge Base pane under Content Source, click Product Documentation.

3 Select a product and version, then click Search to display a list of documents.



1 Introduction

McAfee® Endpoint Security for Mac is a comprehensive security solution that protects your Mac and
minimizes the risk of exposure to threats.
You can use the software on standalone and managed Mac systems.
• For a standalone Mac — You or your Mac administrator can install the software and configure
settings using the interface.

• For a managed Mac — Your system administrator sets up and configures security policies using
these servers.
• McAfee® ePolicy Orchestrator® (McAfee ePO™)

• McAfee® ePolicy Orchestrator® Cloud (McAfee ePO™ Cloud)

Contents
Why you need security for Mac
How McAfee Endpoint Security for Mac protects your system
Product features

Why you need security for Mac


Running systems without protection might result in a security breach such as data loss, misuse of
personal and business information, and system disorder.
New products and technologies broaden opportunities for new security threats and challenges. The
motive behind these threats is to disrupt or spy on your system, or to destroy the data and the
system functionality completely.

The targeted security threats devised by cyber criminals and hackers are constantly evolving and
steadily increasing the risk. Analyst reports say that the overall number of malware samples has
reached more than 450 million, which underlines the importance of securing your Mac from these threats.

The threats and reported vulnerabilities that can harm your Mac are:

Threat category | Potential threat
Malware | Directs the user to access malicious items that can infect the Mac. Examples: Flashback Trojan, Fake AV
Spyware | Tracks every key you type to access sensitive information, such as user name and password and other personal details. Example: Keyloggers
Botnet breakdowns | Infects your system or network and controls it remotely to spread malware.
Network threat | Slows down network performance and gains unauthorized access to systems.
Web-based threats | Infects your Mac when you access malicious sites.

Based on the modules that you have installed and enabled, McAfee Endpoint Security for Mac protects
your Mac from malware, network threats, and web-based threats.

How McAfee Endpoint Security for Mac protects your system


The software provides a security mechanism that protects your system from malware attacks and
minimizes the risk of exposing your systems to threats.
The protection includes Threat Prevention, Firewall, and Web Control, based on the modules you have
selected during the software installation.

Threat Prevention
The Threat Prevention module protects your Mac from malware proactively with the predefined actions
upon detecting malware and suspicious items.
When enabled, Threat Prevention checks for viruses, trojans, unwanted programs, and other threats
by scanning items. The software scans files and folders on local volumes, network-mounted volumes,
and removable media whenever you create or access them. You can also run scans on demand.

The software uses the latest anti-malware engine that:


• Performs complex analysis using the malware definition files (DAT).

• Decodes the contents of the item you access.

• Compares them with the known signatures stored in the DAT files to identify malware.
In addition, McAfee® Global Threat Intelligence™ (McAfee GTI) (heuristic network check for suspicious
files) looks for suspicious files and programs running on client systems that Threat Prevention
protects.

The system must have an Internet connection to access McAfee GTI.

Firewall
The Firewall module filters incoming and outgoing network traffic, to allow or block traffic as defined in
the rules. Each rule defines a set of conditions that the network traffic must meet and executes the
rule's associated action.
Stateful filtering and packet inspection identify data packets for different types of connections and hold
the connection attributes in memory until the end of the session. When the first data packet of a new
session arrives, Firewall matches the packet against the rules list. If the data packet matches an
existing allow rule, a new entry is added to the state table and the traffic is allowed, and its
subsequent packets are allowed without further verification for that session. When the session is
completed or timed out, the entry is removed from the table.

If the data packet does not match existing rules, Firewall blocks the network traffic.

You can run Firewall protection in two ways:


• Regular mode — When the network packet adheres to a rule’s condition, the associated action
defined in the rule is executed. If no matching rule is found, the network packet is blocked.

• Adaptive mode — When the network packet matches a rule’s conditions, the associated action
defined in the rule is executed. If no matching rule is found, the packet is allowed and a rule is
created to allow similar packets later.

Controlled network access protection permits the Mac to access only authorized networks, minimizing
the risk from network threats.
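
The stateful filtering and the Regular and Adaptive modes described above can be modelled in a short simulation. This is an added example, not McAfee code: the class names, the 60-second idle timeout, first-match rule ordering, and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    sport: int = 50000

    def session_key(self):
        # One state-table entry per connection (outbound direction only here).
        return (self.proto, self.src, self.sport, self.dst, self.dport)


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "block"
    dst: Optional[str] = None     # None matches any value
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, pkt):
        return (self.dst in (None, pkt.dst)
                and self.dport in (None, pkt.dport)
                and self.proto in (None, pkt.proto))


class StatefulFirewall:
    def __init__(self, rules, mode="regular", idle_timeout=60.0):
        if mode not in ("regular", "adaptive"):
            raise ValueError("mode must be 'regular' or 'adaptive'")
        self.rules = list(rules)
        self.mode = mode
        self.idle_timeout = idle_timeout   # assumed value, not a product default
        self.state = {}                    # session key -> time last seen
        self.rule_checks = 0               # how often the rules list was consulted

    def _expire(self, now):
        # Timed-out sessions are removed from the state table.
        stale = [k for k, seen in self.state.items() if now - seen > self.idle_timeout]
        for key in stale:
            del self.state[key]

    def handle(self, pkt, now):
        self._expire(now)
        key = pkt.session_key()
        if key in self.state:
            # Known session: allowed without further rule verification.
            self.state[key] = now
            return "allow"
        # First packet of a new session: match it against the rules list.
        self.rule_checks += 1
        for rule in self.rules:            # assumption: first matching rule wins
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.state[key] = now
                return rule.action
        if self.mode == "adaptive":
            # No rule matched: allow, and create a rule for similar packets later.
            self.rules.append(Rule("allow", pkt.dst, pkt.dport, pkt.proto))
            self.state[key] = now
            return "allow"
        return "block"                     # regular mode: unmatched traffic is blocked


def demo():
    # Constructed sample data (documentation address ranges).
    rules = [Rule("allow", dst="192.0.2.10", dport=443, proto="tcp")]
    web = Packet("10.0.0.5", "192.0.2.10", 443)
    other = Packet("10.0.0.5", "198.51.100.7", 8080)
    result = {}

    regular = StatefulFirewall(rules, mode="regular")
    result["first"] = regular.handle(web, now=0)            # rule match, state entry added
    result["second"] = regular.handle(web, now=10)          # served from the state table
    result["checks_after_two"] = regular.rule_checks
    result["unmatched_regular"] = regular.handle(other, now=11)
    result["after_timeout"] = regular.handle(web, now=100)  # entry expired, rules consulted again
    result["checks_total"] = regular.rule_checks

    adaptive = StatefulFirewall(rules, mode="adaptive")
    result["unmatched_adaptive"] = adaptive.handle(other, now=0)
    result["learned_rule"] = adaptive.rules[-1]
    later = Packet("10.0.0.5", "198.51.100.7", 8080, sport=50001)
    result["similar_later"] = adaptive.handle(later, now=500)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

The run shows the security trade-off between the modes: the same unmatched packet is blocked in Regular mode but allowed in Adaptive mode, where it also leaves behind a permanent allow rule that should be reviewed.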

Web Control
Web Control protects your Mac from online threats, called web-based threats, when you browse sites.
The software monitors each site that you access or browse, validates its safety ratings, and allows or
blocks the site according to the configuration.

Web Control provides safety ratings at two levels. In the browser, the software:
• Displays a safety rating icon for each site that the search engine lists

The software supports only the Google search engine.

• Displays a safety rating button for each site

The default setting blocks access to malicious sites that can harm your Mac.

Product features
This release of the software includes these features.

Threat Prevention
• On-Access Scan — Scans files and directories for threats whenever users access them.

• On-Demand Scan — Schedules a scan on files and directories at specific times. Each on-demand
scan contains its own policy settings. You can also run Full Scan or Quick Scan on a Mac.

• McAfee GTI — Supports McAfee GTI, a heuristic network lookup for suspicious files for on-access
and on-demand scanning.

• Policy-Based On-Demand Scan client tasks — Run a Quick Scan or Full Scan on the Endpoint
Security Client from McAfee ePO. Configure the behavior of these scans in the policy settings for
On-Demand Scan.

• 5800 Engine support — Pre-packaged with the latest 5800 engine that provides enhanced
detection capabilities.

• Product Update client tasks — Update the engine and content files automatically from the
McAfee download website.

• Extra.DAT files — Download and install Extra.DAT files to provide protection from a major virus
outbreak.

• Scheduled tasks — Modify client tasks (such as Product Update) and scan times to improve
performance by running them during non-peak times.

• Content repositories — Reduce network traffic over the enterprise Internet or intranet by moving
the content file repository closer to the clients.


• Scan policies — Analyze log files or queries and modify policies to increase performance or virus
protection, if necessary. For example, you can improve performance by configuring exclusions.

• Additional options when scheduling on-demand scans — Allows you to run an on-demand
scan when the system is idle or not running on battery power.

• Exclusion of files and directories from scanning — Excludes specific files and directories from
on-access scanning and on-demand scanning using criteria such as file type, extension, file age, or
wildcards.

• Option to scan network volumes, compressed files, and Apple emails — Exclude or include
mounted network volumes, compressed files, and Apple emails from scanning.

• Option to retain client-side exclusions — Overwrites or retains the client exclusion list for
on-access scanning in a managed environment.

Firewall
• Regular mode — Executes the associated action defined in the rule, when the network packet
adheres to a rule's condition. If no matching rule is found, the network packet is blocked.

• Adaptive mode — Executes the associated action defined in the rule, when the network packet
adheres to a rule's condition. If no matching rule is found, the network packet is allowed and a rule
is created to allow similar packets later.

• Stateful firewall — Validates each packet for different connections against predefined rules,
holding the connection attributes in memory from beginning‑to‑end.

• Domain Name System (DNS) blocking — Blocks access to networks that can include unwanted
domains.

• Defined networks — Define networks including subnets, ranges, or a single IP address that can
be used while creating firewall rules. You can also configure Firewall to trust networks.

• Stateful FTP inspection — Creates dynamic rules automatically for FTP data connections, by
actively monitoring the FTP commands on the control channel.

• Location awareness — Create separate rules for locations, such as office or home network.

• Management of rules — Create and manage rules using rule group.

• Firewall events — Send Allow and Block events to McAfee® ePolicy Orchestrator® (McAfee ePO™).

Web Control
• Support for Google Chrome browser — Protects your Mac from web-based threats, when you
browse sites using the Google Chrome browser.

• Safety ratings button — Displays the safety rating in the upper-left corner of the browser when
you access the site. The color of the button indicates the risk associated with the site.

The software supports Safari 7.1 and later, 8.0 and later, and 9.0 and later, and Google Chrome 49
and later browser versions.

• Search Annotation — Displays the safety rating icon next to each site listed by the search engine.
The color of the icon indicates the risk associated with the site.

The software supports only the Google search engine.

• Web category blocking — Configure access to sites based on their content type.

• Block and Allow List — Create a list of sites to allow or block based on URLs and domains.


• Block phishing pages — Block access to phishing sites.

• Logging events — Monitor and regulate browser activity and log events for:
• Sites configured in the Block and Allow List

• Web categories for green-rated sites

• Red or yellow-rated site visits

Common Policy
• Self Protection — Protects the security software files and folders from malware and from being
changed or deleted.

• Password protection for client interface — Configure different access levels for users as
needed. You can also prevent users from changing the protection preferences.

• Password protection for uninstallation — Set password protection for the client software to
prevent removal of the software from the Mac.

General
• Common extensions to manage Windows, Macintosh, and Linux systems — Use McAfee®
Endpoint Security extensions as common extensions to manage policies for your Windows, Mac,
and Linux systems.

• Common McAfee ePO Dashboard and queries — Use the McAfee ePO dashboard to view the
status of managed Mac and Windows systems.

• Turn off protection using the command-line option during product deployment — You can
disable Threat Prevention and Firewall protection using the command-line option from the McAfee
ePO server when deploying the software on managed Mac systems. For more information about
using the command-line option, see McAfee KnowledgeBase article KB85505.

• Support for McAfee® ePolicy Orchestrator® Cloud (McAfee ePO™ Cloud) — Support for
McAfee ePO Cloud to manage policies for your Mac.

• Option to select protection modules — You can install one or all protection modules on a
standalone Mac as needed.

• McAfee Agent status monitor — Displays information, and initiates communication with McAfee®
ePO manually from the managed system.

• Menulet for easy access of the software interface — Easy access to the user interface by
clicking the McAfee menulet from the status bar.

• Enable debug logging from client interface — Enable debug logging for the modules that you
have installed using the client interface.



Protecting your standalone Mac
Install the software, analyze the default settings, and configure protection
preferences for your standalone Mac.

Chapter 2 Installing the software on a standalone Mac


Chapter 3 Using the software on a standalone Mac
Chapter 4 Configuring protection settings on a standalone Mac
Chapter 5 Troubleshooting



2 Installing the software on a standalone Mac

Install the software on a standalone Mac using the wizard or from the command line.

Contents
Hardware and software requirements
Install the software
Test the installation
Upgrading the software
Default settings
Recommended post-installation tasks
Uninstall the software from a standalone Mac

Hardware and software requirements


Make sure that your standalone Mac meets these requirements for successful installation.

Component | Requirement
Hardware | Mac that can run the supported operating system configuration.
Operating system | El Capitan 10.11.x (client and server); Yosemite 10.10.x (client and server); Mavericks 10.9.x (client and server)
Browser | Safari 7.1.x, 8.0.x, and 9.0.x. Google Chrome 49 and later.

Note: If you are using McAfee® Agent 5.x on your Mac, you must upgrade it to McAfee
Agent 5.0.2 with Hotfix HF1085179 before upgrading the operating system to El
Capitan. Otherwise, the communication between the McAfee® ePolicy
Orchestrator® (McAfee ePO™) server and the Mac fails, and you would be unable
to manage the Mac from the McAfee ePO server. For more information about the
McAfee Agent 5.0.2 known issues with El Capitan, see McAfee KnowledgeBase
article KB83895.


Install the software


Install the software on a standalone Mac using the wizard or the command line.

Before you begin

McAfee Endpoint Security for Mac does not support coexistence with competitors' software
on the Mac. You must uninstall competitors' software from the system before installation.

Tasks
• Install the software using wizard
The wizard guides you through the steps to install the software on your standalone Mac.
• Install the software from the command line (silent installation)
You can use the command line to install the software without user intervention.

Install the software using wizard


The wizard guides you through the steps to install the software on your standalone Mac.

Task
1 Download McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.dmg to
a temporary location on your Mac, then double-click it to mount.

2 Double-click McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.pkg
to open the wizard.

During the installation, the installer prompts you to select modules for installation. You can select
one or multiple modules. To install a module later, you must start the installation wizard. If the
modules are grayed out, the installer has detected competitor software on your Mac. You must
uninstall it before installing the module. For more information, see McAfee
KnowledgeBase article KB78192.

3 Follow the prompts to install the software.

To re-install a module that you have already installed, start the installation wizard, then
select the module as needed. When you re-install the module, the protection settings that you
configured previously are retained.

Install the software from the command line (silent installation)


You can use the command line to install the software without user intervention.

Task
1 Download McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.dmg to
a temporary location on your Mac, then double-click it to mount
McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.pkg.

2 Copy the McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.pkg file
to a temporary location on your Mac.

3 Open a Terminal window and change the working directory to the one where you saved the
McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.pkg file.


4 Type the following command, then press return.


sudo installer -pkg McAfee-Endpoint-Security-for-Mac-<version>-standalone-<build_number>.pkg -target /

5 Type the administrator password, then press return. The following message appears.

The Install was successful.

To install an individual protection module using the command line, see McAfee KnowledgeBase article
KB84772.
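The silent installation steps above as one script, with two checks added before the package is handed to a root-level installer. This is an added example, not a McAfee script: the function names and the DRY_RUN switch are assumptions, and pkgutil --check-signature is the stock macOS package signature check.

```shell
#!/bin/sh
# Added example (not part of the product guide): silent install with pre-flight checks.
# Hypothetical names: find_pkg, run, silent_install, DRY_RUN.

# File name pattern of the standalone package, as given in the guide.
PKG_GLOB='McAfee-Endpoint-Security-for-Mac-*-standalone-*.pkg'

# Print the one installer package found in directory $1.
# Fails when none or several match, so a stale or look-alike copy in the
# same folder is never installed by accident.
find_pkg() {
    dir=$1
    set -- "$dir"/$PKG_GLOB
    if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then
        echo "expected exactly one installer package in $dir" >&2
        return 1
    fi
    printf '%s\n' "$1"
}

# Run a command, or only print it when DRY_RUN=1 (to review what would run).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Verify the package signature, then install to the boot volume.
silent_install() {
    pkg=$(find_pkg "$1") || return 1
    # pkgutil exits non-zero when the package carries no valid signature.
    if ! run pkgutil --check-signature "$pkg"; then
        echo "signature check failed, not installing: $pkg" >&2
        return 1
    fi
    # Same command as step 4; installer reports the result and sets the exit code.
    run sudo installer -pkg "$pkg" -target /
}

# Usage: sh install_ens.sh /path/to/folder/containing/the/pkg
if [ "$#" -gt 0 ]; then
    silent_install "$1"
fi
```

Run it once with DRY_RUN=1 to see the two commands it would execute before running it for real.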

Test the installation


Test the software to make sure that it is installed properly and can protect your Mac.

Tasks
• Test the Threat Prevention feature
Access the EICAR standard anti-virus test file to test the Threat Prevention feature.
• Test the Firewall feature
Test the Firewall feature by creating a rule. Consider a scenario where you want to create
an allow rule for www.intelsecurity.com.
• Test the Web Control feature
Make sure that the Web Control extension is added to the Safari browser, and appropriate
rating appears for sites.

Test the Threat Prevention feature


Access the EICAR standard anti-virus test file to test the Threat Prevention feature.
This file is a combined effort by anti-virus vendors to implement one standard that customers can
use to validate anti-virus software.

Task
1 Go to the EICAR website http://www.eicar.org.

2 Click DOWNLOAD ANTI MALWARE TESTFILE, then click DOWNLOAD.

3 From the Download area using the standard protocol http section, click the file eicar.com.txt.

If the test is successful, McAfee Endpoint Security for Mac displays the notification "1 detection(s)
found on your system." with the relevant details.

Test the Firewall feature


Test the Firewall feature by creating a rule. Consider a scenario where you want to create an allow rule
for www.intelsecurity.com.

Task
1 Click the McAfee menulet on the status bar, then select Preferences.

2 Click Firewall.

3 Click the lock icon, type the administrator password, then click OK.

4 Select Regular Mode.


5 Click the icon in the bottom left corner of the console to create a firewall rule.
a Type a name of the rule in the Rule Name text box.

b Select Enabled from the Status drop-down list.

c Select Allow from the Action drop-down list.

d Select Outgoing from the Direction drop-down list.

6 In the Network Protocol (IPv4) section:


a Select Any Local IP Address for Local.

b Click the icon, select Fully Qualified Domain Name for Remote, then type the Domain Name.

7 In the Transport Protocol section, select All Protocols.

8 Open the browser, type the website name, then press return.

Test the Web Control feature


Make sure that the Web Control extension is added to the Safari browser, and appropriate rating
appears for sites.

Tasks
• Verify the extension installation
Make sure that the Web Control extension is added to the Safari browser.
• Test the site rating feature
Make sure that the Web Control feature displays the appropriate rating for sites.

Verify the extension installation


Make sure that the Web Control extension is added to the Safari browser.

Task
1 Start the Safari browser.

2 On the Menu bar, click Safari, then select Preferences.

3 In the Extension dialog box, you can see McAfee Web Control 10.1 with Enable Web Control selected.

Test the site rating feature


Make sure that the Web Control feature displays the appropriate rating for sites.

Before you begin


You must have enabled Web Control in Preferences.

Task
1 Start the Safari browser.

2 In the address bar, type www.intelsecurity.com, then press return.

3 You must see the Green rating at the top left of the browser page.


Upgrading the software


McAfee Endpoint Security for Mac supports upgrading the software and migrating the configuration
from the previous versions of the software.

Supported upgrades on a standalone Mac


McAfee Endpoint Security for Mac supports upgrading the software and migrating the preferences from
the previous versions of the software.
You can upgrade the software from:
• McAfee® Endpoint Protection for Mac 2.3.0

• McAfee Endpoint Security for Mac 10.x

• McAfee® VirusScan™ for Mac 9.8.0

Upgrading from McAfee Endpoint Protection for Mac 2.3.0


When you upgrade the software, the respective preferences are migrated according to the modules
you select.

When you upgrade the software from the previous version, the existing software is removed completely
but the preferences for all modules are saved. When you install a module, the respective preferences
are migrated.

For example:

| If you select... | Migrated preferences... |
| --- | --- |
| Threat Prevention | Anti-malware |
| Firewall | Desktop Firewall |
| Web Control | None |

Since the Application Protection module is not part of McAfee Endpoint Security for Mac, the Application
Protection preferences are migrated only when you install the McAfee® Application Protection 2.3.0
software. For more information, see the McAfee Application Protection product guide.

When you migrate the preferences from McAfee Endpoint Protection for Mac or McAfee VirusScan for
Mac, the Quarantine scan action is migrated to Delete, and the Notify scan action is migrated to Deny.

Upgrading from McAfee Endpoint Security for Mac 10.x


When you upgrade the software, the respective existing preferences are migrated according to the
module you select. For example:

| If you select... | Migrated preferences... |
| --- | --- |
| Threat Prevention | Threat Prevention |
| Firewall | Firewall |
| Web Control | Web Control |

Upgrading from McAfee VirusScan for Mac 9.8.0


When you upgrade the software, the existing anti-malware preferences are migrated.


Upgrade the software on a standalone Mac


You can upgrade the software and migrate the existing configuration settings.

Before you begin


Before upgrading the software, make sure that your system meets all requirements.

Task
1 Install the software using the wizard.
For more information, see Install the software using wizard.

2 Make sure that all existing preferences are migrated to the new version.

Default settings
Once installed, McAfee Endpoint Security for Mac starts protecting the Mac immediately based on the
default configurations defined. Refer to these default settings, and configure them for your
environment.

General

| Feature | Default settings |
| --- | --- |
| Threat Prevention | Enabled |
| Firewall | Enabled |
| Web Control | Enabled |


Threat Prevention

On-Access Scan:
• Scan files while — Write
• Maximum scan time for a file — 45 seconds
• When a virus is found — Clean
• If clean fails — Delete
• When a spyware is found — Clean
• If clean fails — Delete
• Enable McAfee GTI — Enabled
• Sensitivity Level — Medium
Also scan:
• Archives & Compressed Files — Disabled
• Apple Mail messages — Disabled
• Network Volumes — Disabled

On-Demand Scan:
• When a virus is found — Clean
• If clean fails — Delete
• When a spyware is found — Clean
• If clean fails — Delete
• Enable McAfee GTI — Enabled
• Sensitivity Level — Medium
• Archives & Compressed Files — Enabled
• Apple Mail messages — Enabled
• Network Volumes — Disabled

Scheduled Scan Option:
• Scan only when the system is idle — Enabled
• Do not scan when the system is on battery power — Enabled

Exclusions — None

Firewall

• Regular Mode — Enabled


Web Control

• Rating Actions for Sites
  • Red — Block
  • Yellow — Warn
  • Unrated — Allow
  • Unverified — Allow
• Enable Web Category Blocking — Enabled
• Block and Allow List — None

Update

In Repository List
• Repository Name — McAfeeHttp, McAfeeFtp
In Proxy Settings
• Proxy settings — Configure proxy settings manually
In Schedule
• Schedule — Daily at 4:45 PM (local time)

Logging

In Enable Debug Logging
• Threat Prevention — Disabled
• Firewall — Disabled
• Web Control — Disabled


Recommended post-installation tasks


Perform these tasks to make sure that the protection configuration does not affect the business
routines.

Update the content files: After installation, McAfee Endpoint Security for Mac automatically updates the
content files to protect the Mac from the latest threats. By default, this update is
scheduled at 4.45 pm local time every day. The first update might take longer because the full
content is downloaded. Subsequent updates are incremental.
You can view the details of the last content file update on the Console page.

Perform an on-demand scan: After you install the software, run an on-demand scan of the local volumes to
clean infected files that reside on the Mac but have not been accessed.
Configure the On-Demand Scan task to define:
• The items to scan (files, folders, and drives)
• The frequency of the scan (daily, weekly, monthly, or immediately)
• The action when malware is found (Delete or Clean)

Threat Prevention: McAfee Endpoint Security for Mac comes with default settings. Verify that the
default settings are consistent with your organization's policies and provide
complete protection against malware.

Firewall: McAfee Endpoint Security for Mac comes with the stateful Firewall enabled, which
protects your Mac from the moment the product is installed. The firewall comes
with a set of default rules that enable your Mac to access the necessary services.
We recommend that you review the default rules to make sure that your Mac can
access the necessary services according to your organization's policies.
The rules are processed using a top-down approach with the implicit default block
rule that denies all traffic. This rule can't be modified.

Web Control: Review the default Web Control settings and update the Block and Allow List so
that you can access business-critical sites and block unwanted sites.
The Block and Allow List overrides other settings such as Enable Web Category Blocking and
Rating Actions for Sites.

Uninstall the software from a standalone Mac


You can uninstall the software or specific modules from a Mac using the command line.

Before you begin


You must have administrator rights to uninstall the software.


Task
1 Open a Terminal window.

2 Type the following command, then press return.

| To remove... | Use this command... |
| --- | --- |
| All modules | sudo /usr/local/McAfee/uninstall EPM |
| Threat Prevention module | sudo /usr/local/McAfee/uninstall ThreatPrevention |
| Firewall module | sudo /usr/local/McAfee/uninstall Firewall |
| Web Control module | sudo /usr/local/McAfee/uninstall WebControl |

The uninstallation command is case sensitive.

3 Type the administrator password when prompted.

When Uninstallation is enabled in Endpoint Security Common policy, uninstalling the software using the
command line prompts you to type the password set by your McAfee ePO server administrator.

When the software is uninstalled, the following message appears:


Product has been uninstalled successfully.

When you uninstall the software, the McAfee Agent is not uninstalled from the system, because
it might be used by other products. Refer to the product guide of your McAfee Agent
version for more information.



3 Using the software on a standalone Mac

Access the McAfee Endpoint Security for Mac Console page to view your Mac security status and events
details.
You can also view the quarantined items, configure scan schedules, and update the DAT and engine.

Contents
Security status
View your Mac security status
Recent events summary
View event log
Remove event log
View the quarantined items
Remove or restore the quarantined item
Update the DAT and Engine
Run a system scan
Configure custom scan tasks

Security status
View the security status and the protection features that are enabled or disabled on your Mac.
Use the dashboard to know the status of:
• Threat Prevention

• Firewall

• Web Control

View your Mac security status


The Status page displays the security status of your Mac, the protection modules installed, and their
status.
You can view recent events summary and the last successful DAT or Engine update time.

The events that appear in the Status page are read-only.

To view your Mac security status and the protection modules installed:

Task
• Click the McAfee menulet on the status bar, then select Console | Status.
The Status page also displays the protection modules that are installed on your Mac and their status.


Recent events summary


You can view a summary of the five most recent events on the Status page.
The events summary includes:

• Details of malware detected from on-access scan.

• Status of scan task with number of malware detected from on-demand scan.

• Threat Prevention update status with DAT version details.

Recent events displays only the summary of events. To view the complete details of events, navigate to
the Event Log page, then double-click the particular event.

View event log


View and analyze event log to understand the software activity information.
The Event Log page displays all events with details for malware detection, scan schedules, and Threat
Prevention update.

Task
1 Click the McAfee menulet on the status bar, then select Console.

2 On the console dashboard, click Event Log.

Twenty events are listed per page and you can use arrow keys to navigate through pages.

3 Double-click the event you want to view.


• Threat Prevention Update — Displays the DAT version, engine version, and the status of the update.

• On-Access Scan — Displays the application that accessed the malware, status of detection found,
and total number of detections with the details.

• On-Demand Scan — Displays number of files scanned, name and location of infected files, if found,
and action taken.

You can sort events based on Event, Type or Date & Time.

Remove event log


Remove event log from the History page.

Task
1 Click the McAfee menulet on the status bar, then select Console.

2 On the console dashboard, click Event Log.

3 Click the lock icon, type the administrator password, then click OK.

4 Select the event, then click Delete.


5 Click OK to remove the events.

You can't restore the events once you remove them from the list.

6 Click the lock icon to prevent further changes.

View the quarantined items


The Quarantine feature isolates dangerous or suspicious malware that could otherwise harm your Mac.

Task
1 Click the McAfee menulet on the status bar, then select Console.

2 On the console dashboard, click Quarantine.

The quarantine page displays the original path of items quarantined with date and time of the event.

Remove or restore the quarantined item


The Quarantine page displays the list of quarantined items with the path, date, and time. You can restore
the quarantined items, only if you are sure that they are non-malicious items, otherwise you can
remove them.

Before you begin


You must have administrator rights to remove or restore the quarantined item from the list.

Before restoring an item, we recommend that you send it to McAfee Labs for testing. To
submit a sample to McAfee Labs, see McAfee KnowledgeBase article KB68030.

Task
1 Click the McAfee menulet on the status bar, then select Console.

2 On the console dashboard, click Quarantine.

3 Click the lock icon, type the administrator password, then click OK.
• To restore, select the quarantined item, click Restore, then click OK to confirm.

• To remove, select the quarantined item, click Delete, then click OK to confirm.

You can't restore the items that are deleted from the quarantined list.

4 Click the lock icon to prevent further changes.


Update the DAT and Engine


Always keep the DAT and Engine up to date to protect your Mac from the latest threats.

Task
1 Click the McAfee menulet on the status bar, then select Console.

2 On the console dashboard, click Update Now.

3 Click Start Update to initiate the DAT update task.

Upon completion, the update summary appears with the engine version, DAT version, update status,
and DAT creation date in the Threat Prevention Update section. You can view the status and details of
Threat Prevention update event in the Event Log page.

Run a system scan


Perform an on-demand scan on specific files, directories, and local or network-mounted volumes
immediately.

Task
1 Click the McAfee menulet on the status bar, then select Console.

2 On the console, click Scan Now.

3 From the What to scan drop-down list, select items, then click Start Scan.

You can select multiple items by clicking the icon.

Configure custom scan tasks


Schedule and customize scan tasks based on your requirements, to scan specific files, folders, and
volumes periodically. You can also modify or remove the existing schedule.
For example, to scan your download folder and music library folder more frequently, you can define a
scan schedule for only these two folders.

Tasks
• Create a scan task
Create scan tasks that automatically run at scheduled periods with the defined parameters.
• Change settings in an existing scan task
Change an existing scan schedule to add or remove locations or change the date and time.
• Remove an existing scan schedule
Remove the scan schedule when you no longer need it.


Create a scan task


Create scan tasks that automatically run at scheduled periods with the defined parameters.

Task
1 Click the McAfee menulet on the status bar, then select Console.

2 Click the icon in the bottom left corner.

3 In the Scan Name field, type a name, then click Create.

4 From the What to scan drop-down list, select the items you want to scan. Click + or - to add or remove the
location.
• Documents — Scans the user documents folder.

• Desktop — Scans files and folders in desktop.

• Users — Scans the user directory.

• Applications — Scans the applications folders.

• Localhost — Scans the local host.

• Choose — Allows you to select folder or file location to scan.

5 In the When to scan section, select a schedule for the scan task, then click Schedule Scan.
• Immediately — Starts a scan task immediately. If you select to scan items immediately, click Start Scan.

• Once — Scans the defined locations once at the scheduled date and time.

• Daily — Scans the defined locations every day at the scheduled time. You can define the number
of occurrences to run the daily scan task or select No End Date to run the schedule without any
limit.

• Weekly — Scans the defined locations on a scheduled day and time of every week. You can define
the number of occurrences to run the weekly scan task or select No End Date to run the schedule
without any limit.

• Monthly — Scans the defined locations on a scheduled date and time of every month. You can
define the duration or select No End Date to continue the schedule without any limit.

6 When you see a message that the scan task is scheduled, click OK.

7 Click Schedule Scan.

Change settings in an existing scan task


Change an existing scan schedule to add or remove locations or change the date and time.

Task
1 Click the McAfee menulet on the status bar, then select Console.

2 On the console dashboard under Activity, click the scheduled task you want to modify. The scheduled
task displays the Last Scan Time and Next Scan Time.

3 Click Modify Scan, make the needed changes, then click Schedule Scan.


Remove an existing scan schedule


Remove the scan schedule when you no longer need it.

Task
1 Click the McAfee menulet on the status bar, then select Console.

2 On the console dashboard, select an existing scan schedule in the left pane.

3 In the bottom left corner of the console, click the icon to remove the selected item.



4 Configuring protection settings on a standalone Mac

Use Preferences to configure protection settings for the installed modules.

Contents
General protection options
Threat Prevention
Firewall
Web Control
Configure an update schedule
Debug logging

General protection options


Use the General tab options to enable the required protection preferences on your self-managed Mac.
You can enable or disable protection for the modules that you have installed.
• Threat Prevention

• Firewall

• Web Control

Enable or disable protection features


Enable the protection feature as required for your environment.

Task
1 Click the McAfee menulet on the status bar, then select Preferences.

2 On the General tab, click the lock icon.

3 Type the password when prompted.

4 Enable or disable the protection as required.

5 Click the lock icon to prevent further changes.


Threat Prevention
Threat Prevention protects your Mac from malware threats.
Configure the Threat Prevention settings to define actions for on-access scanning and on-demand
scanning, and to exclude files and paths from scanning.

How Threat Prevention works


Threat Prevention protects your Mac from malware threats and unwanted programs by scanning items
on your Mac.
When enabled, the software scans files and folders on local volumes, network-mounted volumes, and
removable media whenever you access or create an item.

McAfee Endpoint Security for Mac uses the latest engine that:
• Performs complex analysis using the malware definition files (DATs)

• Decodes the contents of the item you access

• Compares them with the known signatures stored in the DAT files to identify malware

In addition, McAfee GTI (heuristic network check for suspicious files) looks for suspicious files and
programs running on client systems that Threat Prevention protects.

Use Threat Prevention preferences to configure actions for on-access scan, on-demand scan, or to
exclude files or paths from scanning.

Types of scan
The software scans files on Mac in two ways, on-demand and on-access.
On-access scan — Scans files and folders for malware threats and unwanted programs whenever you
access them, and takes actions according to the configuration.

On-demand scan — Scans files and folders for malware threats and unwanted programs at any time
or at scheduled time. You can run on-demand scan in two ways.
• Scan all files — Scans files and directories immediately for the locations you have selected in What to
Scan.

• Schedule Scan — Scans files and directories configured in What to Scan at the scheduled time.


How on-access scan works


This diagram shows how on-access scan works.

How on-demand scan works


This diagram shows how on-demand scan works.


Configure on-access scan preferences


The on-access scan protects your Mac from threats in real time. It scans for malware whenever an
item is read from or written to the hard disk, and takes action according to the configuration.

Task
1 Click the McAfee menulet on the status bar, then select Preferences.

2 On the Threat Prevention tab, click the lock icon, type the administrator password, then click OK.


3 From the Scan files while drop-down list, select one of these options:
• Read — Scans items when they are read from the hard disk.

• Write — Scans items when they are written to the hard disk.

• Read & Write — Scans items when they are read from or written to the hard disk.

4 In Maximum scan time (in seconds), specify the duration allowed to scan each file.
You can specify a value between 10 and 9999. The default value is 45. When scanning exceeds the
defined time, the software stops scanning the file.

5 From the When a virus is found drop-down list, select one of these options:
• Clean — Cleans the item that contains malware. Use the If clean fails drop-down list to select a
secondary action (Delete or Deny).

• Delete — Deletes the item that contains malware.

• Deny — Prevents the user from accessing files with detected threats.

Although the software denies access to the file, it still resides in the system.

Whenever you select the primary action as Clean or Delete, the item is quarantined by default.

6 From the When a spyware is found drop-down list, select one of these options:
• Clean — Cleans the item that contains spyware. Use the If clean fails drop-down list to select a
secondary action (Deny, Delete, or Allow).

• Delete — Deletes the item that contains spyware.

• Deny — Prevents the user from accessing files with detected threats.

Although the software denies access to the file, it still resides in the system.

• Allow — Allows the user to access files with detected threats.

Whenever you select the primary action as Clean or Delete, the item is quarantined by default.

7 In Also scan, select where you want to enable scanning:


• Archives & Compressed Files

• Apple Mail Messages

• Network Volumes
When these options are selected, McAfee Endpoint Security for Mac detects the threat. But, the
primary and secondary actions might vary depending on the options selected.

8 Enable McAfee GTI and define its sensitivity level.


• Very low — The detections and risk of false positives are the same as with regular DAT content
files. A detection is made available to Threat Prevention when McAfee Labs publishes it instead
of waiting for the next DAT content file update.

• Low — This setting is the minimum recommendation for systems with a strong security footprint.

• Medium — Use this level when the regular risk of exposure to malware is greater than the risk of
a false positive. McAfee Labs proprietary, heuristic checks result in detections that are likely to
be malware. However, some detections might result in a false positive. With this setting, McAfee
Labs checks that popular applications and operating system files don't result in a false positive.


• High — Use this setting for deployment to systems or areas which are regularly infected.

• Very high — Detections found with this level are presumed malicious, but haven't been fully tested
to determine if they are false positives. McAfee recommends using this level for systems that
require the highest security.

9 Click the lock icon to prevent further changes.

Configure on-demand scan preferences


Schedule an on-demand scan to run immediately, at a scheduled time, or at regular intervals.

Task
1 Click the McAfee menulet on the status bar, then select Preferences.

2 On the Threat Prevention tab, click On-Demand Scan.

3 Click the lock icon, type the administrator password, then click OK to open the On-Demand Scan page.

4 From the When a virus is found drop-down list, select one of these options:
• Clean — Cleans the item that contains malware. Use the If clean fails drop-down list to select a
secondary action (Delete, Continue scanning).

• Delete — Deletes the item that contains malware.

• Continue Scanning — Continues scanning when a threat is detected.


The detected threat still resides in the Mac.

5 From the When a spyware is found drop-down list, select one of these options:
• Clean — Cleans the item that contains spyware. Use the If clean fails drop-down list to select a
secondary action (Delete, Continue scanning).

• Delete — Deletes the item that contains spyware.

• Continue scanning — Continues scanning when a threat is detected.


The detected threat still resides in the Mac.

6 Enable McAfee GTI and define its sensitivity level.


• Very low — The detections and risk of false positives are the same as with regular DAT content
files. A detection is made available to Threat Prevention when McAfee Labs publishes it instead
of waiting for the next DAT content file update.

• Low — This setting is the minimum recommendation for systems with a strong security footprint.

• Medium — Use this level when the regular risk of exposure to malware is greater than the risk of
a false positive. McAfee Labs proprietary, heuristic checks result in detections that are likely to
be malware. However, some detections might result in a false positive. With this setting, McAfee
Labs checks that popular applications and operating system files don't result in a false positive.

• High — Use this setting for deployment to systems or areas which are regularly infected.

• Very high — Detections found with this level are presumed malicious, but haven't been fully tested
to determine if they are false positives. McAfee recommends using this level for systems that
require the highest security.


7 In Also scan, select where you want to enable scanning:


• Archives & Compressed Files

• Apple Mail Messages

• Network Volumes

8 In the Scheduled Scan Options, select one of these options:


• Scan only when the system is idle

• Scan anytime

• Do not scan when the system is on battery power

9 Click the lock icon to prevent further changes.


For information about creating a scan task, see Create a scan task.

Exclude files or directories from scanning


Exclude files and folder paths from an on-access scan or on-demand scan.

Task
1 Click the McAfee menulet on the status bar, then select Preferences.

2 Click Threat Prevention, then click Exclusions.

3 Click the lock icon, type the administrator password, then click OK.

4 Click the icon in the bottom left corner.

5 Select the path of the required files and folders, then click Open.

6 Select or deselect the On-Access Scan and On-Demand Scan options as needed.
• Double-click an item to change the name or path that appears in the exclusion list.

• Use regular expressions to exclude items from scanning. For example, to exclude all files on the
desktop from scanning, specify the path as /Users/user/Desktop/*


To remove the item from the exclusions list, select it, then click in the bottom left corner of
the page (or press fn+delete).

If you deselect the On-Access Scan and On-Demand Scan options for a path added to the exclusion list, the
path is removed from the exclusion list immediately.

7 Click to prevent further changes.

Best practices for Threat Prevention


This section describes the best practices to define the preferences for scheduling an on-access scan
and an on-demand scan.

On-access scan preferences


• Always enable On-Access Scan because it checks every file the user accesses, and detects malware
before it runs.

• Enable the scan option for the Network Volumes when needed, to scan files copied from or written to
any network volumes.


On-demand scan preferences


• Always enable the scan for Archives & Compressed Files when performing an on-demand scan. This is
recommended if you disabled the scanning option for these files.

On-demand scan schedule


• Schedule an on-demand scan during non-peak hours (for example, during weekends or
maintenance period).

• When scheduling an on-demand scan for the first time, schedule a full on-demand scan of your
entire hard disk.

Exclusions
You can add regular expressions that match required patterns to exclude multiple files and folders
from being scanned.

Here are some recommended exclusions:


• Microsoft Outlook database files

• Thunderbird database files

• Encrypted files

• Generic plist files such as Info.plist or version.plist for on-access scanning

Here are some recommended exclusion examples using wildcards:


• To exclude files with the extension mdb, use *.mdb

• To exclude each user's Outlook Database files of different Microsoft Office versions, use
/Users/*/Documents/Microsoft\ User\ Data/Office\ *\ Identities/*\ Identity/*

• To exclude all Info.plist under /Applications, use /Applications/*/Contents/Info.plist

• To exclude all version.plist under /Applications, use /Applications/*/Contents/version.plist

• To exclude files with the extensions jar, rar, or war under /private/var/tmp, use
/private/var/tmp/*.?ar
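An exclusion is a path the scanner never inspects, so it is worth checking what each wildcard pattern really covers before adding it. The following is an added example, not part of the product guide and not McAfee's matching code: it assumes that ? matches one character, that a backslash escapes the next character, and that * either may or may not span "/" (the guide does not say), and it runs the guide's patterns over constructed sample paths.

```python
import re


def wildcard_to_regex(pattern, star_crosses_slash=True):
    """Translate a * / ? wildcard pattern into an anchored regular expression.

    Assumed semantics (not documented in the guide): '?' is one non-slash
    character, a backslash escapes the next character, and '*' spans
    directory separators only when star_crosses_slash is True.
    """
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):   # "\ " is a literal space
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if ch == "*":
            out.append(".*" if star_crosses_slash else "[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
        i += 1
    body = "".join(out)
    if not pattern.startswith("/"):               # bare patterns such as *.mdb
        body = "(?:.*/)?" + body                  # match the file name anywhere
    return re.compile(r"\A" + body + r"\Z")


def excluded(pattern, paths, star_crosses_slash=True):
    """Return the paths that the pattern would remove from scanning."""
    rx = wildcard_to_regex(pattern, star_crosses_slash)
    return [p for p in paths if rx.match(p)]


def overreach(pattern, paths, intended_suffixes, star_crosses_slash=True):
    """Return excluded paths that end in none of the suffixes the admin meant."""
    return [p for p in excluded(pattern, paths, star_crosses_slash)
            if not p.endswith(tuple(intended_suffixes))]


# Patterns taken from the guide's exclusion examples.
TMP_ARCHIVES = "/private/var/tmp/*.?ar"
INFO_PLIST = "/Applications/*/Contents/Info.plist"
OUTLOOK = r"/Users/*/Documents/Microsoft\ User\ Data/Office\ *\ Identities/*\ Identity/*"

# Constructed sample paths, not taken from a real system.
SAMPLE_PATHS = [
    "/private/var/tmp/build.jar",
    "/private/var/tmp/archive.rar",
    "/private/var/tmp/app.war",
    "/private/var/tmp/backup.tar",
    "/private/var/tmp/nested/dropper.jar",
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Utilities/Terminal.app/Contents/Info.plist",
    "/Users/alice/Desktop/report.mdb",
    "/Users/alice/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Database",
]

if __name__ == "__main__":
    for pattern in (TMP_ARCHIVES, INFO_PLIST, OUTLOOK, "*.mdb"):
        for crosses in (True, False):
            print(pattern, "| * spans '/':", crosses)
            for path in excluded(pattern, SAMPLE_PATHS, crosses):
                print("   excludes", path)
    print("beyond jar/rar/war:",
          overreach(TMP_ARCHIVES, SAMPLE_PATHS, (".jar", ".rar", ".war")))
```

Under either assumption the ?ar pattern also excludes backup.tar, because ? accepts any single character, so list the three extensions separately if only jar, rar, and war are meant.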

Firewall
The Firewall component provides a scalable solution to protect your Mac from unauthorized network
traffic.
The firewall comes with a stateful engine that provides flexibility in defining allowed network traffic for
your Mac. You can define rules based on various traffic parameters and group them for easier
management.

Here is the list of features of Firewall component:


• Stateful filtering — The stateful filtering and network packet inspection validate each packet for
different connections against predefined rules, holding the connection attributes in memory from
beginning to end.

• Regular mode — When the network packet adheres to a rule’s condition, the associated action
defined in the rule is executed. If no matching rule is found, the network packet is blocked.


• Adaptive mode — When the network packet matches a rule’s conditions, the associated action
defined in the rule is executed. If no matching rule is found, the network packet is allowed and a
rule is created to allow similar packets later.

Use this option only to fine tune your firewall rules.

In both these modes, the status of the TCP/UDP/ICMP connection is tracked to identify whether the
incoming packet is part of the existing connection.

• New rules and grouping rules — You can create rules and group them for easier management.

• DNS blocking — Blocks access to unwanted domains.

• Location awareness — Creates separate rules for locations, such as office or home network.

How stateful filtering works


Stateful filtering preserves in memory the list of existing network connections allowed by the firewall.
Each entry in the state table contains multiple parameters that help to identify the connection state.
When the network packet matches with an allow rule, the packet is allowed and a new entry is added
to the state table. The subsequent packets are allowed without further verification of the predefined
rule sets. When the session is completed or timed out, the entry is removed from the state table.

Stateful filtering automatically tracks the reverse traffic for existing connections eliminating the need
for another firewall rule. Firewall performs stateful filtering on TCP, UDP, and ICMP protocols.

How regular mode firewall protection works


Each rule contains a set of conditions that the network traffic must meet. The associated parameters
of that rule allow or block the network traffic.
In Regular mode, firewall uses precedence to apply rules. The rule at the top of the rules list is applied
first. If the network packet meets the conditions, firewall allows or blocks the packet as defined. If the
packet does not meet the first rule's conditions, firewall checks the next rule and continues down the
rules list until a rule is satisfied. If no rule in the list is met, firewall blocks the traffic.

When the traffic matches the rule condition, firewall does not try to apply any further rules from the
list.


To change the firewall protection from Regular mode to Adaptive mode, click | Preferences | Firewall |
Adaptive Mode.

How Adaptive mode firewall protection works


In Adaptive mode, the precedence method is followed, but differently than in Regular mode.
In Adaptive mode, firewall uses precedence to apply rules. The rule at the top of the rules list is
applied first. When the network packet does not match the defined rules from the list, an allow rule is
created to allow the non-matching packet.

If the destination IP address is a broadcast, multicast, or loopback address, or the protocol is ICMP,
the network packet is blocked. No additional rules are created for these types of traffic.

For security reasons, when Adaptive mode is enabled, incoming pings are blocked unless an explicit
allow rule is created for incoming ICMP traffic.

This diagram shows how network packets are handled in Adaptive mode.


To change the firewall protection from Adaptive mode to Regular mode, click | Preferences | Firewall |
Regular Mode.
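The rule handling described in the stateful filtering, Regular mode, and Adaptive mode sections can be modelled in a few lines to see what each mode does with the same traffic. This is an added example, not the product's code: the Rule fields, the shape of a learned adaptive rule, the treatment of only 255.255.255.255 as broadcast, and all addresses are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out", seen from the Mac
    proto: str                # "tcp", "udp" or "icmp"
    local: Tuple[str, int]    # (IP, port) on the Mac
    remote: Tuple[str, int]   # (IP, port) on the peer


@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "block"
    direction: str
    proto: str
    remote_ip: Optional[str] = None    # None matches any address
    remote_port: Optional[int] = None  # None matches any port
    group: str = "Client Rules"

    def matches(self, pkt):
        return (self.direction == pkt.direction
                and self.proto == pkt.proto
                and self.remote_ip in (None, pkt.remote[0])
                and self.remote_port in (None, pkt.remote[1]))


class Firewall:
    def __init__(self, rules, mode="regular"):
        self.rules = list(rules)   # order is precedence: index 0 is the top of the list
        self.mode = mode           # "regular" or "adaptive"
        self.state = set()         # connections that an allow rule has admitted

    @staticmethod
    def _conn(pkt):
        # Direction is not part of the key, so reply traffic hits the same entry.
        return (pkt.proto, pkt.local, pkt.remote)

    def close(self, pkt):
        """Session completed or timed out: drop its state-table entry."""
        self.state.discard(self._conn(pkt))

    def process(self, pkt):
        """Return (verdict, reason) for one packet."""
        if self._conn(pkt) in self.state:
            return ("allow", "state table")
        for rule in self.rules:                 # top-down, first match wins
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.state.add(self._conn(pkt))
                return (rule.action, rule.name)
        if self.mode == "regular":
            return ("block", "no matching rule")
        # Adaptive mode: these traffic types are blocked and never learned.
        dest = ipaddress.ip_address(pkt.remote[0] if pkt.direction == "out" else pkt.local[0])
        if (pkt.proto == "icmp" or dest.is_multicast or dest.is_loopback
                or dest == ipaddress.ip_address("255.255.255.255")):
            return ("block", "adaptive exception")
        learned = Rule("adaptive-%d" % (len(self.rules) + 1), "allow", pkt.direction,
                       pkt.proto, pkt.remote[0], pkt.remote[1], group="Adaptive Rules")
        self.rules.append(learned)              # Adaptive Rules sit below Client Rules
        self.state.add(self._conn(pkt))
        return ("allow", learned.name)


# Constructed rule set: one specific block placed above the generic web allow.
BASE_RULES = [
    Rule("allow-dns", "allow", "out", "udp", remote_port=53),
    Rule("block-one-site", "block", "out", "tcp", "203.0.113.10", 80),
    Rule("allow-web", "allow", "out", "tcp", remote_port=80),
]
MAC = "192.0.2.15"  # constructed address from a documentation range


def demo(mode, rules=BASE_RULES):
    """Run the same constructed packets through one mode; return verdicts and learned rules."""
    fw = Firewall(rules, mode)
    packets = {
        "web": Packet("out", "tcp", (MAC, 50000), ("198.51.100.5", 80)),
        "web-reply": Packet("in", "tcp", (MAC, 50000), ("198.51.100.5", 80)),
        "blocked-site": Packet("out", "tcp", (MAC, 50001), ("203.0.113.10", 80)),
        "unlisted": Packet("out", "tcp", (MAC, 50002), ("198.51.100.5", 8443)),
        "ping-in": Packet("in", "icmp", (MAC, 0), ("198.51.100.9", 0)),
        "mdns": Packet("out", "udp", (MAC, 5353), ("224.0.0.251", 5353)),
    }
    verdicts = {name: fw.process(pkt) for name, pkt in packets.items()}
    learned = [r.name for r in fw.rules if r.group == "Adaptive Rules"]
    return verdicts, learned


if __name__ == "__main__":
    for mode in ("regular", "adaptive"):
        print(mode, demo(mode))
```

The "unlisted" packet is blocked in Regular mode but allowed in Adaptive mode, where it also leaves a permanent allow rule behind; moving block-one-site below allow-web makes the generic rule win for that site.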

How DNS blocking works


You can create a list of domain names for which you want to block access.
Specify the domain names that you want to block. You can use ? and * wildcards to define the domain
names.

You can create rules to block a Fully Qualified Domain Name (FQDN) using the client interface. The
Domain Name System (DNS) blocking can be configured only using Firewall policy in McAfee ePO.

If the firewall host has not initiated any DNS queries for the blocked domains or FQDN, the DNS
blocking and FQDN-based rules do not work.


How stateful FTP inspection works


Firewall can perform stateful inspection for the FTP protocol.
FTP involves two connections:
• Control for commands

• Data for the information

When a client connects to an FTP server, the control channel is established on FTP destination Port 21,
and an entry is made in the state table. If the option for FTP inspection was set with the Firewall
Options policy, when the firewall encounters a connection opened on Port 21, it knows to perform
stateful packet inspection on the packets coming through the FTP control channel.

Firewall monitors the PORT, EPRT, PASV, and EPSV commands on the control channel, and determines
which dynamic rules must be created for subsequent FTP data connections.

The combination of the control connection and one or more data connections is called a session. When
the data transfer is complete, the dynamic rules created for data transfer are removed.

When the control connection is terminated, Firewall makes sure that all corresponding data
connections are also removed.
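To show what monitoring these commands involves, the following added example (not the product's code) parses control-channel lines and derives the data-connection rule each one implies. For PASV and EPSV the endpoint is carried in the server's 227 and 229 replies (RFC 959, RFC 2428), so those are the lines parsed; the rule tuple layout, the session class, the refusal of addresses that do not belong to the listening party, and the sample transcript are assumptions of this example.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as used by PORT and by the 227 reply to PASV (RFC 959)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# EPRT <d>net-prt<d>net-addr<d>tcp-port<d> and the 229 reply to EPSV (RFC 2428)
_EPRT = re.compile(r"^EPRT (.)([12])\1(.+?)\1(\d{1,5})\1$", re.IGNORECASE)
_EPSV_REPLY = re.compile(r"^229 .*\((.)\1\1(\d{1,5})\1\)")


def _hostport(text):
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field")
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        raise ValueError("octet out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_rule(line, client_ip, server_ip):
    """Map one control-channel line to the dynamic rule for its data connection.

    Returns None for lines that negotiate nothing, otherwise
    (direction, remote_ip, port_side, port) from the client Mac's point of view.
    Raises ValueError for a malformed line or for an address that is not the
    listening party's own (a check added for this example).
    """
    line = line.strip()
    verb = line.split(" ", 1)[0].upper()
    if verb == "PORT":                       # active mode: the client listens
        listener, (ip, port) = client_ip, _hostport(line)
    elif verb == "EPRT":
        m = _EPRT.match(line)
        if not m:
            raise ValueError("malformed EPRT")
        listener, ip, port = client_ip, m.group(3), int(m.group(4))
    elif verb == "227":                      # passive mode: the server listens
        listener, (ip, port) = server_ip, _hostport(line)
    elif verb == "229":                      # EPSV reply carries the port only
        m = _EPSV_REPLY.match(line)
        if not m:
            raise ValueError("malformed 229 reply")
        listener, ip, port = server_ip, server_ip, int(m.group(2))
    else:
        return None
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    if ipaddress.ip_address(ip) != ipaddress.ip_address(listener):
        raise ValueError("address %s is not the listener %s" % (ip, listener))
    if listener == client_ip:
        return ("incoming", server_ip, "local", port)
    return ("outgoing", server_ip, "remote", port)


class FtpSession:
    """Dynamic rules for one control connection and its data connections."""

    def __init__(self, client_ip, server_ip):
        self.client_ip, self.server_ip = client_ip, server_ip
        self.rules = []

    def feed(self, line):
        rule = data_rule(line, self.client_ip, self.server_ip)
        if rule:
            self.rules.append(rule)
        return rule

    def transfer_complete(self, rule):
        self.rules.remove(rule)      # data transfer finished: rule goes away

    def control_closed(self):
        self.rules.clear()           # control connection ended: drop the rest


TRANSCRIPT = [  # constructed control-channel lines
    "USER demo",
    "PORT 192,0,2,10,195,80",
    "PASV",
    "227 Entering Passive Mode (192,0,2,21,25,46)",
    "EPRT |1|192.0.2.10|50001|",
    "EPSV",
    "229 Entering Extended Passive Mode (|||6447|)",
]


def replay(lines=TRANSCRIPT, client_ip="192.0.2.10", server_ip="192.0.2.21"):
    session = FtpSession(client_ip, server_ip)
    for line in lines:
        session.feed(line)
    return session


if __name__ == "__main__":
    for rule in replay().rules:
        print(rule)
```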

How Firewall rules work


Each rule contains a set of conditions that the network traffic must meet. The associated parameters
of that rule allow or block the network traffic.
This diagram shows how network packet filtering works.


This diagram explains how each network packet is processed.


How firewall rules are organized


Rules are categorized as ePO Rules, Client Rules, and Adaptive Rules.
Rules are displayed in tree view. The ePO Rules group appears at the top with the list of rules, followed
by Client Rules, then Adaptive Rules.

To view firewall rules, click | Preferences | Firewall.


• ePO Rules — Defined and enforced by administrators if your Mac is managed by McAfee ePO.

The ePO Rules group also contains a list of rules that firewall creates automatically at run time for
business continuity. These rules can't be modified.
• ePO Rules are displayed and applied only when the Mac is managed by McAfee ePO.

• A local user can't modify ePO Rules.

• A user can't add rules above or in between ePO Rules.

• When rules are created from a client Mac, they are added after the existing rules in the Client
Rules section.

• ePO Rules are the first rules processed to match the network packet.

• These rules allow the Mac to:


• Obtain an IP address using DHCP.

• Perform DNS queries.

• Perform DAT updates.

• Allow communication with McAfee ePO.

• Client Rules — Created locally to allow or block specific network access.

• Adaptive Rules — Created automatically, when Firewall is running in Adaptive mode to allow a
non-matching network packet.

Create a Firewall rule


Create firewall rules to handle the network traffic according to your requirements.

Task
1 Click the McAfee menulet on the status bar, then select Preferences.

2 Click Firewall.

3 Click , type the administrator password, then click OK.

4 Select Regular Mode.


5 Click in the bottom left corner of the console to open the rule page.

6 Define the following parameters as needed, then click OK.

For this field...       Configure these options...

Rule Name               Type a name for the rule.

Status                  • Enabled — To enable the firewall rule.
                        • Disabled — To disable the firewall rule.

                        Rules appear grayed out in the rules list when their status is set to Disabled.

Action                  • Block — To block the network traffic.
                        • Allow — To allow the network traffic.

Direction               • Incoming — To apply the rules for incoming network traffic.
                        • Outgoing — To apply the rules for outgoing network traffic.

Logging                 • Enabled — To make an entry in the system log when a network packet matches a rule.
                        • Disabled — To avoid making an entry in the system log when the network packet
                          matches a rule.

                        Enabling the logging feature can impact the system performance. We recommend
                        that you enable Logging only for troubleshooting and learning purposes.

Interface(s)            • Wired
                        • Wireless
                        • Virtual

Network Protocol IPv4   Define the configuration for Local Mac using:
                        • Single
                        • Subnet
                        • Local Subnet
                        • Range (of IP addresses)
                        • Fully Qualified Domain Name
                        • Any local IP Address
                        • Any IPv4 Address

                        Local system is the system on which you are adding rules.

                        Select the configuration for Remote system using:
                        • Single
                        • Subnet
                        • Local Subnet
                        • Range (of IP addresses)
                        • Fully Qualified Domain Name
                        • Any local IP Address
                        • Any IPv4 Address

                        Remote system is the system you want to connect.

                        Use to add more criteria and to remove existing criteria.

Transport Protocol      Select All Protocols to apply the rule for all protocols.

                        For Select Protocol, define the parameters for:
                        • TCP
                        • UDP
                        • ICMP

                        Use to add more criteria and to remove existing criteria.
Add specific rules at the top of the list, and generic rules at the bottom to filter the traffic most
efficiently.

7 Click to prevent further changes.

To edit an existing Firewall rule, select the rule, then click to open the rule page.

Firewall rules examples


Refer to these examples when creating firewall rules.

Create a rule to allow DHCP outgoing on UDP local port 68 to remote port 67
To create a firewall rule that allows you to get an IP address on an interface, we
recommend creating two rules. First create a rule to allow DHCP outgoing on UDP local
port 68 and remote port 67, then create a rule to allow DNS queries.


• Rule Name — Type a name for the rule

• Status — Enabled

• Action — Allow

• Direction — Outgoing

• Network Protocol (IPv4) — Not applicable

• Transport Protocol — Select Protocol

• Select UDP, Local, then type the Port No as 68

• Select UDP, Remote, then type the Port No as 67

Create a rule to allow DNS queries


• Rule Name — Type a name for the rule

• Status — Enabled

• Action — Allow

• Direction — Outgoing

• Network Protocol (IPv4) — Not applicable

• Transport Protocol — Select Protocol

• Select UDP, Remote, then type the Port No as 53

Create a rule to allow access to websites


• Rule Name — Type a name for the rule

• Status — Enabled

• Action — Allow

• Direction — Outgoing

• Network Protocol (IPv4) — Not applicable.

• Transport Protocol — Select Protocol

• Select TCP, Remote, then type the Port No as 80

Allow specific remote IP address and port access


• Rule Name — Type a name for the rule

• Status — Enabled

• Action — Allow

• Direction — Outgoing

• In Network Protocol (IPv4), select Remote | Subnet, then type the Subnet Mask value


• Transport Protocol — Select Protocol

• Select TCP, Remote, then type the Port No

You can type a single port number, a series of port numbers separated by commas, or a range of
ports using a hyphen.

Recommended firewall rules


In addition to the default firewall rules, we recommend that you configure these rules:

• Allow bi-directional NTP port 123 to 123

• Allow bi-directional NetBIOS name service port 137 to 137

• Allow outgoing FTP client port 1024-65535 to 21

• Allow outgoing for POP3, IMAP, SMTP

• Allow outgoing for RDP

• Allow outgoing for LDAP

• Allow bi-directional for AFP/SMB, if you are using file sharing

Best practices for Firewall


We recommend that you configure these firewall rules that protect your system in line with your
organizational requirements.
• McAfee Endpoint Security for Mac is shipped with a set of default firewall rules. We recommend that
you use them as starting point, and modify them according to your organizational requirements.

• If your organization does not have a firewall policy or if this is the first time your organization uses
a firewall policy, we recommend that you use the default corporate policy. Afterward, you can use
Adaptive mode for further fine-tuning.

We strongly suggest that you do not run Adaptive mode in production.

• Remember that Adaptive mode must be used to fine-tune the firewall rule sets. So, run Adaptive
mode only for a short duration to identify the organizational requirements.

• Create Defined Networks for easier rule creation and management.

• Configure the DNS blocking feature to block the known unwanted domains.

• Always use firewall rule groups to organize the rules in an efficient way.

• Make rules as specific as possible.


For example, to allow access to a particular website, provide the name or IP address, with the port
number.

• Use more specific rules at the top of the rule set and the generic ones toward the end.
For example, to give access to a particular website for all Mac users in the organization except one
system, create a specific deny rule to block the website on that particular system first.

• Because Firewall validates rules using a top-down approach, we recommend that you always revisit
the rules completely to avoid loopholes.


Web Control
Web Control protects your Mac from online threats, called web-based threats, when you access or
browse websites.
The software monitors sites that you access or browse, checks for their safety ratings, and allows or
blocks the sites according to the configuration.

Web Control provides safety ratings at two levels. The software:


• Displays a safety rating for each page while browsing

• Displays a safety rating for each site that the search engine lists

The software supports only the Google search engine.

The software allows you to configure access permission to sites based on their rating or content
category defined by McAfee GTI.

For a standalone Mac, you can configure the security preferences to:
• Enable or disable the Web Control feature

• Allow or block access to sites based on their rating

• Configure access to sites based on the content type

• Define a list of sites to allow or block

How Web Control works


This diagram shows how Web Control works and protects your system.


How safety ratings are compiled


Safety rating is a color-coded safety category for a website.
A McAfee team analyzes each website and assigns a color-coded safety rating based on test results.
The color indicates the safety level of the site. The team develops safety ratings by testing criteria for
each site and evaluating the results to detect common threats.


Automated tests compile safety ratings for a website by:

• Downloading files to check for viruses and potentially unwanted programs bundled with the
download.

• Entering contact information into sign-up forms and checking for resulting spam or a high volume
of non-spam email sent by the site or its affiliates.

• Checking for an excessive number of pop-up windows.

• Checking for attempts by the site to exploit browser vulnerabilities.

• Checking for deceptive or fraudulent practices that a site uses.

The team compiles test results into a safety report that can also include:
• Feedback submitted by site owners, which might include descriptions of safety precautions used by
the site or responses to user feedback about the site.

• Feedback submitted by site users, which might include reports of phishing scams or bad shopping
experiences.

• More analysis by McAfee experts.

The McAfee GTI server stores site ratings. The server is updated periodically with the latest rating and
site details.

Color-coded buttons
Each color button indicates the safety rating category of the site.

Button Color Description


Green Sites are safe and you can access them.

Yellow Sites are suspicious and they might pose security issues. You must access
these sites with caution.

Red Sites contain potential security risks. You must access these sites with
extreme caution. However, by default, the software denies access to red-rated
sites.

Gray No rating is available for this site. By default, Web Control allows sites when a
rating is not available.

Orange Communication with the McAfee GTI server is unavailable to display the site
rating.

Black This site is a phishing site, or the site is explicitly blocked by Web Control
settings.

Blue The site is internal or in a private IP address range.

Silver The Web Control setting is disabled.

White Web Control configuration allows the site.

For Chrome browser, the rating button appears on the right side of the address bar.

The safety rating applies to HTTP and HTTPS protocol URLs only.

Color icons
When users type keywords in the Google search engine, the color-coded icon appears next to each
site listed in the search results.

Icon color Description


The site is safe. Tests revealed no significant problems.

Tests revealed some issues that users must know about. For example, the site tried to
change browser defaults, displayed pop-ups, or sent testers a significant amount of
non-spam email.
This site has some serious issues that users must consider carefully before accessing.
For example, the site sent spam email or bundled adware with a download.

This site is unrated.


The difference between the Unrated and Unverified sites is:
• Unrated sites — Site information is not available because the site is not verified by
McAfee GTI.
• Unverified sites — Site has a McAfee GTI rating of 15.

Site safety report


The site safety report provides the test result details of a site.

The site safety information is available when you access a site and when you access sites through the
Google search engine.
• Safety rating at search engine — Displays the safety rating balloon that summarizes the safety
report for a site. The Read Site Report link provides the safety report summary of the site.

• Safety rating at site level — Displays the safety rating at the top left of the browser. You can
view the test result report on the McAfee website.

Site rating action


Allow or block access to sites based on the safety rating.
By default, the software allows access to green-rated sites. You can configure the action for sites rated
as Red, Yellow, Unrated, or Unverified.

The default settings for these categories are:


Rating color Configuration


Red Block access — Prevents users from accessing the site and displays a message that the
site is blocked.
Yellow Warn — Displays a warning to notify users of potential dangers associated with the site.
User can decide whether to access the site by selecting Continue or Cancel.
Unrated Allow access — Permits users to access the site.
Unverified Allow access — Permits users to access the site.

Web Control does not scan files that are downloaded from allowed sites. However, if you installed the
Threat Prevention module and enabled on-access scanning, files are scanned for threats.

Blocking sites based on the content category


Enable Web Category Blocking blocks sites based on their content category, which McAfee defines.
Web Control provides more filtering options. Enable Web Category Blocking classifies sites based on their
content and blocks them. Use this option to block access to sites that are categorized as malicious
content, such as pornography, spyware, adware, or phishing.

Enable Web Category Blocking overrides the Rating Actions for Sites configuration. For example, suppose Rating
Actions for Sites is set to Allow for yellow-rated sites and Enable Web Category Blocking is enabled for all
categories. If you visit a yellow-rated site that belongs to a blocked category, the software blocks the
site even though the Rating Actions for Sites configuration allows access to yellow-rated sites.

These categories are enabled by default:


• Potential Hacking/Computer Crime • Phishing

• Malicious Sites • Browser Exploits

• Pornography • Malicious Downloads

• Spyware/Adware/Keyloggers

Block and Allow List


Define access permission for each site.
You can include sites in this list and specify access permission for each site.

Block and Allow List configuration overrides the Enable Web Category Blocking and Rating Actions for Sites
configuration. You can allow sites that are blocked by other settings, or block sites that are allowed by
other settings. Using Block and Allow List option, you can define access for sites regardless of their rating.

Use this option to allow access to business-specific sites and block unwanted sites.

Add or remove sites to Block and Allow List


Use the Block and Allow List option to explicitly allow or block access to sites.

Task
1 Click the McAfee Menulet on the status bar, then select Preferences.

2 Click the Web Control tab.

3 Click , then type the administrator password when prompted.


4 Under Block and Allow List, click

5 Type the URL in the Site area and define the permission in the Action field.

To add another URL, click then define the settings. To remove the URL from the list, click .
To change the permission for an existing URL, click the URL, then change the permission. You can
use ? and * wildcards to define sites.

6 Click to prevent further changes.

Configure Web Control on a standalone Mac


Configure the Web Control options on your standalone Mac to access or block sites as required.

Task
1 Click the McAfee menulet on the status bar, select Preferences, then click the Web Control tab.

2 Click , type the administrator password, then click OK.

3 Under Block and Allow List, click , type the URL in the Site column, then select an action from the
Action drop-down list.
• Allow — Allows access to the site

• Block — Blocks access to the site

The action set for sites in the Block and Allow List overrides the actions defined in Enable Web Category
Blocking and Rating Actions for Sites.

4 In Enable Web Category Blocking, select the categories as needed.

5 In Rating Actions for Sites, define the action for Red, Yellow, Unrated, and Unverified sites.
• Allow — Allows access to the site

• Warn — Displays a warning message with the option to Continue or Cancel navigation to the site

• Block — Blocks access to the site

6 Click to prevent further changes.

Configure an update schedule


Configure the repository list that needs to be accessed to update the DAT or Engine, the proxy
connection settings, and the update schedule.

Tasks
• Configure the repository list
Always keep your DAT file up to date to secure your Mac from the latest threats.
• Configure proxy settings
Configure Proxy settings if you use proxy servers to connect to the Internet for retrieving
packages.
• Configure the DAT update schedule
Periodic DAT updates secure your Mac from latest threats.


Configure the repository list


Always keep your DAT file up to date to secure your Mac from the latest threats.
The software is shipped with the configuration that allows access to the McAfee FTP server and HTTP
server to download the latest DAT file while your Mac is connected to the Internet.

Task
1 Click the McAfee menulet on the status bar, then select Preferences.

2 Click Update.

3 Click , type the administrator password, then click OK.

4 In Repository Name list box, on the Repository List tab:

• — To add a repository.

• — To delete an existing repository.

• — To deprioritize repositories.

• — To prioritize repositories.

5 In Repository Type, select FTP, HTTP, or a Local repository from where the latest DATs can be
downloaded.

6 Specify a Repository URL, Port, User Name, and Password for the repository.

7 On the Schedule tab, define the schedule, then click Apply.

8 Click to prevent further changes.

Configure proxy settings


Configure Proxy settings if you use proxy servers to connect to the Internet for retrieving packages.

Task
1 Click the McAfee menulet on the status bar, then select Preferences.

2 Click Update, then click the Proxy Settings tab.

3 Click , type the administrator password, then click OK.

4 Select whether to use a proxy.


• Do not use a proxy

• Configure proxy settings manually

5 Select Use these settings for all proxy types to specify the same IP address and port number for all proxy
types.

6 Select FTP or HTTP server, then type the IP address and port number of the selected server.

7 Select Use authentication, then type the user name and password for the server.


8 To bypass a proxy server for specific domains, select the Specify exceptions, then type the domain
name.

9 Click to prevent further changes.

Configure the DAT update schedule


Periodic DAT updates secure your Mac from latest threats.

Task
1 Click the McAfee menulet on the status bar, then select Preferences.

2 On the Update tab, click Schedule.

3 Click , type the administrator password, then click OK.

4 Click the drop-down list to select the update frequency, then click Apply.
• Never — Never run the update

We recommend that you do not select this option. Always keep your DAT files and Engine up to date to
protect your Mac from the latest threats.

• Hourly — To run the update on the selected hours.

• Daily — To run the update daily at a specific time.

• Weekly — To run the update weekly at a specified time on weekdays.

• Monthly — To run the update once in a month at a specified time.

5 Click to prevent further changes.

Debug logging
Debug logs provide important information that you can use for troubleshooting purposes.
Enabling debug logs for a module logs details for all components of the module.

For example, if you enable logging for Threat Prevention, logs are stored for on-access scanning and
on-demand scanning activity.

• You can find the Threat Prevention logs at /var/log/system.log and
/var/log/McAfeeSecurity.log. You can identify and filter the Threat Prevention logs by the name MFE_AV.

• You can find the Firewall logs at /var/log/system.log. You can identify and filter the firewall logs
by the name MFE_FW.

• You can find the Web Control logs at /var/log/McAfeeSecurity.log. You can identify and filter
the Web Control specific logs by the name MFE_WC.


Enable or disable debug logging


Configure the debug logging option for the installed modules.

Task
1 Click the McAfee menulet on the status bar, then select Preferences.

2 Click the Logging tab.

3 Click , type the administrator password, then click OK.

4 Select the modules as required.

5 Click to prevent further changes.



5 Troubleshooting

Identify and troubleshoot issues when using the standalone version of McAfee Endpoint Security for
Mac.

Run the repairMSC utility


Use the repairMSC utility to troubleshoot McAfee Endpoint Security for Mac issues. It generates
diagnostic reports, which can be uploaded to the McAfee server for analysis.

Task
1 Open a Terminal window, type the following command, then press return.
/usr/local/McAfee/repairMSC

2 Type the administrator password when prompted, then press return.

3 Type Y to continue, then press return.

A consolidated diagnostic report is generated in your home directory for issue analysis. A list of issues
appears with each category relating to a number from 1 to 8.

4 Type a number that best describes the issue, then press return. The repairMSC runs a repair utility
based on the number selected and provides a solution.

5 Type y or n to confirm whether the issue was fixed, then follow the on-screen instructions.
The report file repairMSC.zip is available in your home directory (/Users/<user>).

Contact McAfee support for troubleshooting assistance.



Protecting your managed Mac
Install the required extensions and deploy a security strategy to protect your
managed Mac systems from threats.

Chapter 6 Installing the software on a Mac managed with McAfee ePO
Chapter 7 Installing the software on a Mac managed with McAfee ePO Cloud
Chapter 8 Managing the software with McAfee ePO and McAfee ePO Cloud



6 Installing the software on a Mac managed with McAfee ePO

Install the software on the McAfee ePO server and deploy it to your managed Mac.

Contents
System requirements
Check in the package to the McAfee ePO server
Install the extensions on the McAfee ePO server
Install the client software on a managed Mac using the installation URL
Deploy the software from McAfee ePO
Test the installation
Remove the software from a managed Mac

System requirements
Make sure that these requirements are met and you have administrator permission.

Component                     Requirements
Hardware                      Mac that can run with the supported operating system configuration.
Operating system              • El Capitan 10.11.x (client and server)
                                If you are using McAfee Agent 5.x on your Mac, you must upgrade it to
                                McAfee Agent 5.0.2 with Hotfix HF1085179 before upgrading the operating
                                system to El Capitan. Otherwise, the communication between the McAfee
                                ePolicy Orchestrator (McAfee ePO) server and the Mac fails, and you would
                                be unable to manage the Mac from the McAfee ePO server. For more
                                information about the McAfee Agent 5.0.2 known issues with El Capitan, see
                                McAfee KnowledgeBase article KB83895.
                              • Yosemite 10.10.x (client and server)
                              • Mavericks 10.9.x (client and server)
Browser                       Safari 7.1.x, 8.0.x, and 9.0.x
                              Google Chrome 49 and later.
McAfee Agent                  McAfee Agent 5.0.2 with Hotfix HF1085179 and later
McAfee ePolicy Orchestrator   5.1.1 and later


Check in the package to the McAfee ePO server


You can check in the package using the Software Manager or check in the package manually.

Tasks
• Check in the package using Software Manager
Check in, update, or remove McAfee Endpoint Security for Mac using the Software Manager.
• Check in the package manually
Check in the McAfee Endpoint Security for Mac deployment package to the McAfee ePO
Master Repository.

Check in the package using Software Manager


Check in, update, or remove McAfee Endpoint Security for Mac using the Software Manager.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Software | Software Manager.

3 From the Product Categories list under Software (By Label), select Endpoint Security, select the package file,
then click Check in All.

4 On the summary page, accept the McAfee End User License Agreement, then click OK.

Check in the package manually


Check in the McAfee Endpoint Security for Mac deployment package to the McAfee ePO Master
Repository.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Download the .zip file to a temporary location on the McAfee ePO server.

2 Log on to the McAfee ePO server as an administrator.

3 Select Menu | Software | Master Repository | Check In Package.


a For Package type, select Product or Update (.ZIP).

b Click Choose File, select the file, click Choose, then click Next.

4 Select Current, then click Save.

Install the extensions on the McAfee ePO server


Install the software on the McAfee ePO server to configure and deploy policies for managed Mac.

Tasks
• Install the extensions using Software Manager
Install the extensions using the Software Manager.
• Install the extensions manually
Install Endpoint Security extensions on the McAfee ePO server manually.


Install the extensions using Software Manager


Install the extensions using the Software Manager.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu, Software, then click Software Manager.

3 From the Software Manager | Product Categories | Software (By Label), select Endpoint Security | McAfee Endpoint
Security 10.2.0, select from the right pane, then check in the extensions.

Install the extensions manually


Install Endpoint Security extensions on the McAfee ePO server manually.
You must install the extensions to enable the features of the product.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Software | Extensions, then click Install Extension.

3 Click Choose File and select the file that contains the extension, then click OK.

After installing the Endpoint Security extensions, you can use the migration tasks to migrate McAfee
Endpoint Protection for Mac 2.3 or McAfee VirusScan for Mac 9.8 policies and tasks. For more
information, see Endpoint Security migration help.

Install the client software on a managed Mac using the installation URL
McAfee ePO administrators can create an installation URL to install Endpoint Security for Mac client
software on managed Mac.

Tasks
• Create an installation URL
Create an installation URL and send it to the user to install McAfee Agent on a managed
Mac.
• Install the software with an installation URL on a managed Mac
The Mac user can access the URL to install the client software on a managed Mac.

Create an installation URL


Create an installation URL and send it to the user to install McAfee Agent on a managed Mac.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Dashboards, then select Getting Started with ePolicy Orchestrator from the drop-down list.


3 On the Product Deployment page, click Start Deployment, define these settings, then click Deploy.
• System Tree Group

• McAfee Agent

• Software and Policies

• Auto Update

4 On the Initial Product Deployment Summary page, click OK.


On the Dashboard page, the installation URL appears under the Product Deployment section.

5 Email the URL with instructions to install the client software on the Mac to the user.

After successful installation, McAfee Agent checks back with the McAfee ePO server for assigned
tasks for that system group, then installs the software accordingly.

Install the software with an installation URL on a managed Mac


The Mac user can access the URL to install the client software on a managed Mac.

Before you begin


Make sure that your managed Mac meets the hardware and software requirements.

You must have an installation URL that you created or received from your administrator.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Open a browser window, paste the installation URL in the address bar, then press Enter.

2 Follow the on-screen instructions. If the installation does not start automatically, click Install.

Deploy the software from McAfee ePO


Use McAfee ePO to deploy the client software to systems in your network that are managed.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | System Tree, then select a group or systems.

3 On the Assigned Client Tasks tab, click Actions, then click New Client Task Assignment.

4 Complete these options, then click Create New Task:


a For Product, select McAfee Agent.

b For Task Type, select Product Deployment.


5 On the Client Task Catalog page:


a Type a name for the task.

b Select Mac as the target platform.

c In Products and components, select the product, select Install as the action, then click Save.

You can add more products by using .

6 In the Client Task Assignment Builder page:


a Select the task, then click Next.

b Schedule the task to run immediately, click Next to view a summary of the task, then click Save.

7 In the System Tree, select the systems or groups where you assigned the task, then click Wake Up
Agents.

8 Select Force complete policy and task update, then click OK.

Test the installation


After deploying the software, verify that the client software is installed and updated correctly on
managed Mac systems.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Wait for client systems to report back to the McAfee ePO server (typically after an hour).

2 On the McAfee ePO console, select Menu | Dashboards, then select Endpoint Security: Installation Status for a
complete list of managed Mac systems and their installation status.

Remove the software from a managed Mac


Remove the client software from the managed Mac systems and remove the extensions from the
McAfee ePO server.

Tasks
• Remove the software extensions
Remove the McAfee Endpoint Security for Mac extensions from the McAfee ePO server.
• Remove the software
Create a client task on the McAfee ePO server to remove McAfee Endpoint Security for Mac
from the managed Mac.

Remove the software extensions


Remove the McAfee Endpoint Security for Mac extensions from the McAfee ePO server.


Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Software | Extensions.

3 In the left pane, select the extension and click Remove.

4 Select Force removal, bypassing any checks or errors, then click OK.

Remove the software


Create a client task on the McAfee ePO server to remove McAfee Endpoint Security for Mac from the
managed Mac.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Systems | System Tree, then select a group or systems.

3 Click the Assigned Client Tasks tab, then click New Client Task Assignment.

4 Complete these options, then click Create New Task.


a For Products, select McAfee Agent.

b For Task Type, select Product Deployment.

5 On the Client Task Catalog page:


a Type a name for the task.

b Select Mac as the Target platform.

c In Products and components, select the product, select Remove as the action, then click Save.

6 On the Client Task Assignment Builder page:


a Select the task, then click Next.

b Schedule the task to run immediately. Click Next to view a summary of the task, then click Save.

7 In the System Tree, select the systems or groups for which you assigned the task, then click Wake Up
Agents.

8 Select Force complete policy and task update, then click OK.



7 Installing the software on a Mac managed with McAfee ePO Cloud

Install and manage the software on a Mac that is managed with McAfee ePO Cloud.
McAfee ePO Cloud is an extensible management platform that enables centralized policy management
and enforcement of your security products and the systems where they are installed.

It also provides comprehensive reporting and product deployment capabilities, all through a single
point of control. Using McAfee ePO Cloud, you can deploy security products, patches, and service
packs to the managed systems in your network.

Contents
McAfee ePO Cloud components
System requirements
Accessing the McAfee ePO Cloud account
Install the client software on managed systems using the installation URL
Deploy the client software from McAfee ePO Cloud

McAfee ePO Cloud components


These components make up McAfee ePO Cloud software.
• McAfee ePO Cloud — The center of your managed environment. McAfee ePO Cloud delivers
security policies and tasks, controls updates, and processes events for all managed Mac.

• McAfee Agent — A vehicle of information and enforcement between the McAfee ePO Cloud and
each managed Mac. The agent retrieves updates, ensures task implementation, enforces policies,
and forwards events for each managed Mac.

• Master Repository — The central location for all McAfee updates and signatures, residing on
McAfee ePO Cloud. The Master Repository retrieves user-specified updates and signatures from
McAfee.


System requirements
Make sure that your managed Mac meets these requirements and that you have a valid account with
McAfee ePO Cloud.

Component           Requirements
Hardware            Mac that can run with the supported operating system configuration.
Operating system    • El Capitan 10.11.x (client and server)
                      If you are using McAfee Agent 5.x on your Mac, you must upgrade it to McAfee
                      Agent 5.0.2 with Hotfix HF1085179 before upgrading the operating system to El
                      Capitan. Otherwise, the communication between the McAfee ePolicy
                      Orchestrator (McAfee ePO) server and the Mac fails, and you would be unable
                      to manage the Mac from the McAfee ePO server. For more information about the
                      McAfee Agent 5.0.2 known issues with El Capitan, see McAfee KnowledgeBase
                      article KB83895.
                    • Yosemite 10.10.x (client and server)
                    • Mavericks 10.9.x (client and server)
Browser             Safari 7.1.x, 8.0.x, and 9.0.x
                    Google Chrome 49 and later.

Accessing the McAfee ePO Cloud account


These are the high-level actions to set up the McAfee ePO Cloud account.
1 The enterprise administrator requests access to use McAfee ePO Cloud.

2 McAfee emails the McAfee ePO Cloud URL and logon information to the enterprise administrator.

3 Log on to the McAfee ePO Cloud server.

Install the client software on managed systems using the installation URL
Create an installation URL and send it to users to install the client software on managed systems.

Tasks
• Create an installation URL
Create an installation URL to install the software on managed Mac.
• Install the software with an installation URL
The managed Mac user can install the software on a local Mac with an installation URL.

Create an installation URL


Create an installation URL to install the software on managed Mac.


Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO Cloud as an administrator.

2 Click Menu | Getting Started | Customize.

3 On the Customize Software Installation page, define these settings, then click Done.
• Group Name — Type a name for the group.

• Operating System — Select McAfee Agent for Mac.

• Software and Policies — Select McAfee Endpoint Security software modules as required.

• Auto Update — Select this option to download updates for the software.

The default policies and tasks of the module are selected by default.

4 Click Done.

5 From the Dashboards drop-down list, select Getting Started with ePolicy Orchestrator.

On the right side pane under Getting Started, the URL that you created appears.

6 Email the URL with installation instructions to the Mac users.

After successful installation, McAfee Agent checks back with the McAfee ePO server for assigned
tasks for that system group, then installs the software accordingly.

Install the software with an installation URL


The managed Mac user can install the software on a local Mac with an installation URL.

Before you begin


• Make sure that your Mac meets the hardware and software requirements.

• You must have an installation URL that you created or received from your administrator.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Open a browser window, paste the installation URL in the address bar, then press Enter.

2 Follow the on-screen instructions.

Deploy the client software from McAfee ePO Cloud


Deploy the client software to systems in your network that are managed.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Select Menu | Software | Product Deployment.


3 In the Product Deployment page, define these settings, then click Save.
• Name
• Description
• Type
• Auto Update
• Package
• Language
• Branch
• Command line
• Select the systems
• Select a start time



8 Managing the software with McAfee ePO and McAfee ePO Cloud

Integrate and manage McAfee Endpoint Security for Mac using McAfee ePO or McAfee ePO Cloud.
The primary differences in managing policies in the two environments are:
• McAfee ePO — Organizations maintain the McAfee ePO server on their premises, and administrators
check in and install the software on the server, create policy settings, and enforce them on multiple
managed Mac systems using deployment tasks.

• McAfee ePO Cloud — McAfee or the service provider maintains the McAfee ePO server including
checking in and installing the software. After setting up the cloud account from McAfee or other
service providers, local administrators create policies and enforce them on managed Mac systems
using deployment tasks.

For instructions about setting up and using McAfee ePO and McAfee Agent, see the product guide for
your version of the product.

Contents
Using Endpoint Security extensions as common extensions
Manage policies
Common policy
Threat Prevention policy
Firewall policy
Web Control policy
Queries and reports

Using Endpoint Security extensions as common extensions


Use the latest Endpoint Security extensions as common extensions to manage your Microsoft
Windows, Macintosh, and Linux systems.
You can use Endpoint Security extensions to configure and deploy policies for your Macintosh and
Windows systems. On each policy page, a tag indicates that the option applies only for specific
operating systems. For example:
• Windows only — Applies only to Windows-based systems.

• Linux only — Applies only to Linux-based systems.

• Windows and Mac only — Applies only to Windows and Macintosh-based systems.

• Windows and Linux only — Applies only to Windows and Linux-based systems.


The policy options that don't contain any tag are applicable for Windows, Mac, and Linux systems.

To view the Windows only tag in the policy and task options, you must have installed the licensing
extension on your McAfee ePO.

For the list of features supported for Microsoft Windows, Macintosh, and Linux operating systems, see
McAfee KnowledgeBase article KB84410.

Manage policies
McAfee Endpoint Security for Mac policies provide options to configure features, feature
administration, and to log details on managed systems.
You can find these policies on the Policy Catalog page under Product:
• Endpoint Security Threat Prevention

• Endpoint Security Firewall

• Endpoint Security Web Control

• Endpoint Security Common

Configure these policies with your preferences, then assign them to groups of the managed Mac. For
generic information about policies, see the product guide for your version of McAfee ePO.

Create or modify policies


You can create and edit policies for a specific group in the System Tree.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select a Product and Category.

3 Perform these steps to create or modify a policy.

To create a policy:
   1 Click New Policy.
   2 Type the Policy Name.
   3 Click OK.
   4 Configure the settings.

To modify a policy:
   1 Click the policy you want to modify.
   2 Modify the settings.

4 Click Save.

Assign policies
When you have created or modified policies, assign them to the systems that are managed by McAfee
ePO.


Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Navigate to System Tree, select a group or systems, then click the Assigned Policies tab.

3 Select a product from the product list, select a policy, then click Edit Assignment.

4 Select the policy to assign, select appropriate inheritance options, then click Save.

Monitor the McAfee Agent status


Monitor the McAfee Agent status for information about the collection and transmission of properties on
the managed Mac.
You can also send events, enforce policies, collect and send properties, and check for new policies and
tasks.

Task
For details about product features, usage, and best practices, click ? or Help.

1 On the managed Mac, click the McAfee menulet on the status bar, then select McAfee Agent Status
Monitor.

2 Select one of these options as required:


• Collect and Send Props — Send properties to the McAfee ePO server.

• Send Events — Send events to the McAfee ePO server.

• Check New Policies — Trigger the agent to communicate with the server to update policy and tasks.

• Enforce Policies — Enforce all configured policies on the managed system on demand.

• Save Contents to Desktop — Save the content of the McAfee Agent log to desktop.

• Close — Close the McAfee Agent Status Monitor interface.

Common policy
The Common policy options can be used to configure protection settings for your managed Mac.
Configure the Options page settings in the Common policy to:
• Enable self-protection for software files.

• Configure password-protection for the client interface.

• Prevent uninstalling the client software.

• Prevent changing the protection settings.

• Configure preferences for debug logging.

For the list of features supported for Microsoft Windows and Macintosh operating systems, see McAfee
KnowledgeBase article KB84410.

Contents
Configuring client interface access
Preventing client software uninstallation
Self Protection
Configuring debug logging
Default Client Update
Configure the Common policy

Configuring client interface access


Classify your user group and determine the required access level for them.
The Client Interface Mode provides three levels of access.
• Full access — Allows the managed Mac user to view or change all feature settings using the local Mac
password credentials.

You can provide Full access to users for whom you don't want to restrict any action.

• Standard access — Allows the managed Mac users to run software updates and to run scheduled
scans. To view or change the protection preferences, the managed Mac user must provide the
password defined by the McAfee ePO administrator. The default password is mcafee.

• Lock client interface — The user is prompted for the McAfee ePO administrator password to start the
client console.

If the managed Mac user changes the protection preferences locally, the subsequent policy enforcement
overrides the changes.

Preventing client software uninstallation


Administrators can configure the Uninstallation option settings to prevent accidental removal of client
software from the managed Mac.
When Require password to uninstall the client is selected, the user is prompted for the McAfee ePO password
to uninstall the client software. The default password is mcafee.

Self Protection
The Self Protection option protects the security software files from threats.
One of the first things that malware attempts to do during an attack is to change, delete, or disable
your system security software. Configure the Self Protection settings to protect Endpoint Security for Mac
files and its module files from being changed or deleted. We recommend that you always enable this
option because malware attacks primarily target the software files first.

For a managed Mac, deselecting Enable Self Protection or Files and folders disables Self Protection.

For a standalone Mac, Self Protection is always enabled.

Endpoint Security for Mac supports only the Files and Folders option in Self Protection.

Configuring debug logging


Administrators can enable or disable debug logging for the installed modules.
When you enable debug logging for a module, events are logged for all components of the module.

For example, if you enable debug logging for Threat Prevention, events are logged for on-access
scanning, and on-demand scanning at user level and at the kext level.


Default Client Update


The Default Client Update option allows administrators to enable or disable the default update task
schedule on a managed Mac.

By default, the software checks for updates at 4:45 p.m. every day. When you deselect Enable default
update task schedule in the client, the update schedule is set to Never in the client interface.

After deselecting Enable default update task schedule in the client, if you select it again, the user must configure
the update schedule.

Whichever options you select under What to update, the software updates the DAT files and Engine, and
the product.

Configure the Common policy


Configure the Common policy settings to enable or disable Self Protection, debug logging,
uninstallation, and to define client interface access.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select Endpoint Security Common as the product, then Options as the category.

3 Click New Policy, type a name for the policy, then click OK.

4 On the Policy Catalog page, click Show Advanced, then define these options:

Section: Client Interface Mode
Configure:
• Full access — Allows the managed Mac user to view or change all feature settings using the
local Mac password credentials.
• Standard access — Allows the managed Mac users to run software updates, and to run scheduled
scans.
• Lock client interface — Prompts the user for the password set by the McAfee ePO administrator
to start the client software console.

Section: Uninstallation
Category: Require a password to uninstall the client
Configure:
• Password — Type a password.
• Confirm Password — Retype the password.

Section: Self Protection
Category: Enable Self Protection
Configure:
Files and Folders — Protects the Endpoint Security for Mac software files from threats.
• Block and Report — Prevents the user from changing or deleting the software files. An event is
sent to the McAfee ePO server.
• Block only — Prevents the user from changing or deleting the software files. No McAfee ePO
events are generated for this activity.
• Report only — Allows the managed Mac user to delete or change the software files. An event is
sent to the McAfee ePO server.
The default option is Block and Report.

Section: Client logging
Category: Debug Logging
Configure these logging preferences:
• Enable for Threat Prevention — Enables debug logging for Threat Prevention. You can find the
logs at:
/var/log/system.log and /var/log/McAfeeSecurity.log.
You can identify and filter the Threat Prevention log by its name MFE–AV.
• Enable for Firewall — Enables debug logging for firewall. You can find the firewall logs at:
/var/log/system.log
You can identify and filter the firewall log by its name MFE–FW.
• Enable for Web Control — Enables debug logging for Web Control. You can find the logs at:
/var/log/McAfeeSecurity.log

Section: Default Client Update
Configure:
Enable Default Update task schedule in the client — Enables or disables the update task on
managed Mac.

5 Click Save.

6 In the System Tree, select the systems or groups.

7 In the right pane, click the Group Details tab, then click Wake Up Agents.

8 In Force policy update, select Force complete policy and task update, then click OK.

Threat Prevention policy


Threat Prevention checks for malware and other threats by scanning items on your managed Mac
systems.
Use Endpoint Security Threat Prevention policy to configure scanning settings for your managed Mac.

Product: Endpoint Security Threat Prevention

Category: On-Access Scan
Available options:
• Enable or disable on-access scanning on managed Mac.
• Specify time limit to scan each file.
• Specify when to scan files.
• Scan specific types of files.
• Define actions for detected items and unwanted programs.
• Exclude files and directories.

Category: On-Demand Scan
Available options:
• Run full scan and quick scan on managed Mac.
• Scan specific directories and their subdirectories.
• Scan specific types of files.
• Define actions for detected items and unwanted programs.
• Exclude files and directories from scanning.


For the list of features supported for Microsoft Windows and Macintosh operating systems, see McAfee
KnowledgeBase article KB84410.

Configure On-Access Scan policy


Create an on-access policy to enable or disable on-access scan, define scanning time limit for each
file, and to define exclusions.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select Endpoint Security Threat Prevention as the product, then select On-Access Scan
as the category.

3 Click New Policy, type a name for the policy, then click OK.

4 Click the policy that you created, then click Show Advanced.

5 In the On-Access Scan section, define these settings.

Section: On-Access Scan
Configure:
• Enable On-Access Scan — Enables or disables on-access scanning on managed Mac.
• Specify maximum number of seconds for each file scan — Specify the scan timeout value to scan
each item. If you deselect this option, the value is set to 45 seconds.

Section: McAfee GTI
Configure:
• Enable McAfee GTI — Enables McAfee GTI, a heuristic network lookup for suspicious files.
Select the Sensitivity level as required:
• Very low — The detections and risk of false positives are the same as with regular DAT
content files. A detection is made available to Threat Prevention when McAfee Labs
publishes it instead of waiting for the next DAT content file update.
• Low — This setting is the minimum recommendation for systems with a strong
security footprint.
• Medium — Use this level when the regular risk of exposure to malware is greater than
the risk of a false positive. McAfee Labs proprietary, heuristic checks result in
detections that are likely to be malware. However, some detections might result in a
false positive. With this setting, McAfee Labs checks that popular applications and
operating system files don't result in a false positive.
• High — Use this setting for deployment to systems or areas which are regularly
infected.
• Very high — Detections found with this level are presumed malicious, but haven't been
fully tested to determine if they are false positives. McAfee recommends using this
level for systems that require highest security.

Section: Process Settings
Configure:
Use Standard settings for all processes — Applies standard settings when performing
on-access scanning.

In the Standard process type:
• In Specify when to scan:
  • When writing to disk — Scans files when they are written to.
  • When reading from disk — Scans all files when they are read.
  • Let McAfee decide — Scans files when written to or read.
  • On network drives — Scans files in mounted-network volumes.
• In File type to scan:
  • All files — Scans files with any extension.
  • Default and specified file types — Scans files with extensions defined in the software, and the extensions you specify. For the list of the default file types, see McAfee KnowledgeBase article KB 84411.
  • Also scan for macros in all files — Scans macros in the files.
  • Specified file types only — Scans only files with extensions that you specify, and optionally, files with no extension.
• In Specify what to scan:
  • Compressed archive files — Scans the contents of compressed archive files.
    Scanning compressed archive files requires additional time.
  • Compressed MIME-encoded files — Scans Apple email messages.
  • Detect unwanted programs — Enables the scanner to detect potentially unwanted programs.

In Actions | Threat detection first response:
• Deny access to files — Prevents users from accessing any files with potential threats.
• Delete files — Deletes files that contain malware.
• Clean files — Removes threats from the detected file.
You can also configure a secondary response using the If first response fails option, in case the primary response is unsuccessful.

In Unwanted program first response:
• Clean files — Removes the threat from the detected file.
• Delete files — Deletes the file that contains threats.
• Deny access to files — Prevents users from accessing files with potential threats.
• Allow access to files — Allows users to access the detected file.
You can also configure a secondary response using the If first response fails option, in case the primary response is unsuccessful.

In the Exclusions section, click:
• Add — To add files to the exclusion list.
• Edit — To edit the exclusion settings.
• Delete — To remove the selected item from the exclusion list.
• Clear All — To remove all items from the exclusion list.

Enable Overwrite exclusions configured on the client to overwrite the exclusions list created by
the managed Mac user.
For more information about configuring exclusions, see Exclude files or directories
from scanning.

6 Click Save.

Configure On-Demand Scan policy (Full Scan)


Configure On-Demand Full Scan policy settings for your managed Mac.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 From the Policy Catalog, select Endpoint Security Threat Prevention as the product, then select On-Demand Scan
as the category.

3 Click New Policy, type a name for the policy, then click OK.

4 Click the policy that you created, click the Full Scan tab, then define these settings.

In... Configure...

Full Scan
• Detect unwanted programs — Enables the scanner to detect potentially unwanted programs.
• Decode MIME encoded files — Scans Apple mail messages.
• Scan inside archives — Scans the contents of compressed archive files.
  Scanning compressed archive files requires additional time.
• Find unknown program threats — Detects files that contain code resembling malware.
• Find unknown macro threats — Detects unknown macro threats.

Scan Locations
• Scan subfolders — Examines all subfolders in the specified volumes when any of these options are selected.
  • Home folder
  • Temp folder
  • User profile folder
  • File or folder
  • All local drives
  • All fixed drives
  • All removable drives
  • All mapped drives

You can add locations by clicking . Click to remove the locations from scanning.

File Types to Scan
• All files — Scans all files regardless of extension.
  McAfee strongly recommends that you enable All files to make sure that no malware threat resides in your managed Mac systems.
• Default and specified file types — Scans files with extensions defined in the software and extensions you specify. For the list of the default file types, see McAfee KnowledgeBase article KB 84411.
  Also scan for macros in all files — Enables scanning for macros in all files.
• Specified file types only — Scans only files with extensions that you specify. Select Include files with no extension to scan files that have no extension.

McAfee GTI
• Enable McAfee GTI — Enables McAfee GTI, a heuristic network lookup for suspicious files.
  Select the Sensitivity level as required:
  • Very low — The detections and risk of false positives are the same as with regular DAT content files. A detection is made available to Threat Prevention when McAfee Labs publishes it instead of waiting for the next DAT content file update.
  • Low — This setting is the minimum recommendation for systems with a strong security footprint.
  • Medium — Use this level when the regular risk of exposure to malware is greater than the risk of a false positive. McAfee Labs proprietary, heuristic checks result in detections that are likely to be malware. However, some detections might result in a false positive. With this setting, McAfee Labs checks that popular applications and operating system files don't result in a false positive.
  • High — Use this setting for deployment to systems or areas which are regularly infected.
  • Very high — Detections found with this level are presumed malicious, but haven't been fully tested to determine if they are false positives. McAfee recommends using this level for systems that require the highest security.

Exclusions
In the Exclusions section, click:
• Add — To add files to the exclusion list.
• Edit — To edit the exclusion settings.
• Delete — To remove the selected item from the exclusion list.
• Clear All — To remove all items from the exclusion list.
For more information about configuring exclusions, see Exclude files or directories from scanning.

Actions
In Threat detection first response:
• Continue scanning — Continues scanning files when a threat is detected. The scanner doesn't move items to the quarantine.
• Clean files — Removes the threat from the detected file.
• Delete files — Deletes the file that contains malware.
You can also configure a secondary response using the If first response fails option, in case the primary response is unsuccessful.
In Unwanted program first response:
• Continue scanning — Continues scanning files when a threat is detected. The scanner doesn't move items to the quarantine.
• Clean files — Removes the threat from the detected file.
• Delete files — Deletes the file that contains malware.
You can also configure a secondary response using the If first response fails option, in case the primary response is unsuccessful.

Scheduled Scan Options
• Scan only when the system is idle — Runs the scan only when the system is idle. The system is considered as idle when there is no keyboard or mouse activity for 5 minutes.
  The User can resume paused scans option is not supported for Mac systems.
• Scan anytime — Runs the scan even if the user is active and specifies options for the scan.
  The User can defer scans, User can pause and cancel scans, and Do not scan when the system is in presentation mode options are not supported for Mac systems.
• Do not scan when the system is on battery power — Postpones the scan when the system is using battery power.

5 Click Save.
For scheduling the task, see the product guide for your version of McAfee ePO.

Endpoint Security for Mac does not support the Right-Click Scan option.

Configure an On-Demand Scan policy (Quick Scan)


Configure On-Demand Quick Scan policy settings for your managed Mac.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select Endpoint Security Threat Prevention as the product, then select On-Demand Scan
as the category.

3 Click New Policy, type a name for the policy, then click OK.

4 Click the policy that you created, click the Quick Scan tab, then define these settings.


In... Configure...

Quick Scan
• Detect unwanted programs — Enables the scanner to detect potentially unwanted programs.
• Decode MIME encoded files — Scans Apple mail messages.
• Scan inside archives — Scans the contents of compressed archive files.
  Scanning compressed archive files requires additional time.
• Find unknown program threats — Detects files that contain code resembling malware.
• Find unknown macro threats — Detects unknown macro threats.

Scan Locations
• Scan subfolders — Examines all subfolders in the specified volumes when any of these options are selected.
  • Home folder
  • Temp folder
  • File or folder
  • All removable drives
Select the directory from the Specify locations drop-down list. You can add directories by
clicking . Click to remove the directory from scanning.

File Types to Scan
• All files — Scans all files regardless of extension.
  Best Practice: Enable All files to make sure that no malware threat resides in your managed Mac.
• Default and specified file types — Scans files with extensions defined in the software and extensions you specify. For the list of the default and specified file types, see McAfee KnowledgeBase article KB 84411.
  Also scan for macros in all files — Enables scanning for macros in all files.
• Specified file types only — Scans only files with extensions that you specify. Select Include files with no extension to scan files that have no extension.

McAfee GTI
• Enable McAfee GTI — Enables McAfee GTI, a heuristic network check for suspicious files.

Exclusions
In the Exclusions section, click:
• Add — To add files to the exclusion list.
• Edit — To edit the exclusion settings.
• Delete — To remove the selected item from the exclusion list.
• Clear All — To remove all items from the exclusion list.
For more information on configuring exclusions, see Exclude files or directories from scanning.

Actions
In Threat detection first response:
• Continue scanning — Continues scanning files when a threat is detected. The scanner doesn't move items to the quarantine.
• Clean files — Removes the threat from the detected file.
• Delete files — Deletes the file that contains malware.
You can also configure a secondary response using the If first response fails option, in case the primary response is unsuccessful.
In Unwanted program first response:
• Continue scanning — Continues scanning files when a threat is detected. The scanner doesn't move items to the quarantine.
• Clean files — Removes the threat from the detected file.
• Delete files — Deletes the file that contains malware.
You can also configure a secondary response using the If first response fails option, in case the primary response is unsuccessful.

Scheduled Scan Options
• Scan only when the system is idle — Runs the scan only when the system is idle.
  The User can resume paused scans option is not supported for Mac.
• Scan anytime — Runs the scan even if the user is active and specifies options for the scan.
  The User can defer scans, User can pause and cancel scans, and Do not scan when the system is in presentation mode options are not supported for Mac.
• Do not scan when the system is on battery power — Postpones the scan when the system is using battery power.

5 Click Save.
For scheduling the task, see the product guide for your version of McAfee ePO.

Endpoint Security for Mac does not support the Right-Click Scan option.

Exclude files or directories from scanning


Exclude files or directories from on-access scanning and on-demand scanning.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 From the Policy Catalog, select Endpoint Security Threat Prevention as the product, then select On-Access Scan
or On-Demand Scan as required.

3 Click the policy, then click Show Advanced.

If you haven't created a policy, click New Policy, type a name for the policy, then click OK.

4 In the Exclusion area under Process Settings, click Add and define these settings as required, then click
Save.


In... Configure...

What to exclude
• Pattern (can include wildcards * or ?) — Specifies the file pattern to exclude.
  For example, to exclude all files on the desktop from scanning, specify the path as /Users/user/Desktop/*
• Also exclude subfolders — Excludes files and directories from the specified location.
• File type (can include wildcard ?) — Excludes files that contain the extension.
• File Age — Excludes files based on their age in terms of creation date and modified date.
  • Modified — Excludes files that were edited earlier than the number of days specified in the Minimum age in days field.
  • Created — Excludes files that were created earlier than the number of days specified in the Minimum age in days field.
  • Accessed — Excludes files that were accessed earlier than the number of days specified in the Minimum age in days field.
    The Accessed option is applicable for On-Demand Scan policies only.

Select the option Overwrite exclusions configured on the client to overwrite the client exclusion list.
You can apply this option for On-Access Scan policies only.

When to exclude
• On read — Excludes from scanning when the file is accessed.
• On write — Excludes from scanning when the file is changed.
These two options are applicable for On-Access Scan policies only.
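One way to preview what an exclusion list would leave unscanned before the policy is assigned, as an added example that is not McAfee code. The `Exclusion` and `FileInfo` types, the sample inventory, and the matching rules (each entry uses one of the three What to exclude kinds, and * and ? do not cross a "/") are assumptions; the product's own matcher may behave differently.

```python
"""Preview which files a list of scan exclusions would leave unscanned."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

AGE_FIELDS = ("modified", "created", "accessed")

@dataclass(frozen=True)
class Exclusion:
    """Hypothetical model of one exclusion entry (not a McAfee data format)."""
    kind: str                         # "pattern", "file_type" or "file_age"
    value: str = ""                   # path pattern, or extension for file_type
    include_subfolders: bool = False  # "Also exclude subfolders"
    age_basis: Optional[str] = None   # one of AGE_FIELDS, file_age only
    min_age_days: int = 0             # "Minimum age in days"

@dataclass(frozen=True)
class FileInfo:
    path: str
    modified: datetime
    created: datetime
    accessed: datetime

def _wild(pattern: str) -> "re.Pattern[str]":
    # Only * and ? are wildcards. Assumption: neither of them matches "/".
    parts = ["[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c)
             for c in pattern]
    return re.compile("".join(parts) + r"\Z")

def validate(exc: Exclusion, scan_type: str) -> List[str]:
    """Return the reasons an entry cannot be used in this policy type."""
    problems = []
    if scan_type not in ("on_access", "on_demand"):
        problems.append("unknown scan type")
    if exc.kind not in ("pattern", "file_type", "file_age"):
        problems.append("unknown exclusion kind")
    if exc.kind == "file_age":
        if exc.age_basis not in AGE_FIELDS:
            problems.append("unknown age basis")
        elif exc.age_basis == "accessed" and scan_type == "on_access":
            problems.append("Accessed applies to On-Demand Scan policies only")
    return problems

def is_excluded(exc: Exclusion, info: FileInfo, now: datetime) -> bool:
    """Decide whether one validated entry would skip one file."""
    segs = info.path.split("/")
    if exc.kind == "pattern":
        pat = exc.value.split("/")
        if exc.include_subfolders:
            # Directory part must match; the file may sit at any depth below it.
            if len(segs) < len(pat):
                return False
            head_ok = all(_wild(p).match(s) for p, s in zip(pat[:-1], segs))
            return head_ok and bool(_wild(pat[-1]).match(segs[-1]))
        return len(pat) == len(segs) and all(
            _wild(p).match(s) for p, s in zip(pat, segs))
    if exc.kind == "file_type":
        ext = segs[-1].rpartition(".")[2] if "." in segs[-1] else ""
        return bool(_wild(exc.value.lower()).match(ext.lower()))
    # file_age: skipped once the chosen timestamp is at least min_age_days old.
    return (now - getattr(info, exc.age_basis)).days >= exc.min_age_days

def review(exclusions, files, now: datetime, scan_type: str) -> Dict[str, List[str]]:
    """Map each entry to the paths it would skip; reject unusable entries."""
    report = {}
    for exc in exclusions:
        problems = validate(exc, scan_type)
        if problems:
            raise ValueError(f"{exc}: {'; '.join(problems)}")
        label = f"{exc.kind}:{exc.value or exc.age_basis}"
        if exc.include_subfolders:
            label += "+subfolders"
        report[label] = sorted(f.path for f in files if is_excluded(exc, f, now))
    return report

def _sample(path: str, day: str) -> FileInfo:
    stamp = datetime.strptime(day, "%Y-%m-%d")
    return FileInfo(path, modified=stamp, created=stamp, accessed=stamp)

# Constructed inventory and exclusion list for illustration, not real scan data.
NOW = datetime(2016, 6, 1)
SAMPLE_FILES = [
    _sample("/Users/user/Desktop/report.pdf", "2016-05-30"),
    _sample("/Users/user/Desktop/tools/installer.pkg", "2016-01-01"),
    _sample("/Users/user/Documents/old.log", "2015-01-01"),
    _sample("/Users/user/Documents/new.log", "2016-05-31"),
]
SAMPLE_EXCLUSIONS = [
    Exclusion("pattern", "/Users/user/Desktop/*"),
    Exclusion("pattern", "/Users/user/Desktop/*", include_subfolders=True),
    Exclusion("file_type", "lo?"),
    Exclusion("file_age", age_basis="modified", min_age_days=30),
]

if __name__ == "__main__":
    for label, paths in review(SAMPLE_EXCLUSIONS, SAMPLE_FILES, NOW, "on_demand").items():
        print(f"{label}: skips {len(paths)} of {len(SAMPLE_FILES)} files: {paths}")
```

Running the preview against an inventory of a representative Mac shows how much coverage each entry removes; a File Age entry, for instance, skips every sufficiently old file regardless of where it is stored.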

Schedule a full or quick scan on managed Mac


Schedule an on-demand scan to detect malware threats in the managed Mac.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Click Menu | Systems | System Tree, then select a group or systems.

3 Click the Assigned Client Tasks tab, then click Actions | New Client Task Assignment.
a For Product, select Endpoint Security Threat Prevention.

b For Task Type, select Policy Based On-Demand Scan, then select the task from the Task Name list.

4 Click Next.

5 Define these parameters, then click Next.


• Schedule status
• Schedule type
• Effective period
• Start time
• Task runs according to
• Options

6 In the Summary page, click Save.


7 In the System Tree, select the systems or groups where you assigned the task.

8 In the right pane, click the Group Details tab, then click Wake Up Agents.

9 In Force policy update, select Force complete policy and task update, then click OK.

Schedule a custom on-demand scan


Schedule a custom on-demand scan for managed Mac.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to McAfee ePO as an administrator.

2 Click Menu | Client Task Catalog.

3 In Client Task Types, expand Endpoint Security Threat Prevention, select Custom On-Demand Scan, then click New
Task.

4 Select Custom On-Demand Scan from the Task Type drop-down list.

5 Define these settings, then click Save.


• Name
• Description
• Scan Options
• Scan Locations
• File Types to Scan
• McAfee GTI
• Exclusions
• Actions
• Scheduled scan options

6 On the Client Task Catalog page, select the custom scan that you created, click Assign, select a group to
assign the task, then click OK.

7 On the Select Task page, define the settings, then click Next.

8 On the Schedule page, define the settings, then click Next.

9 On the Summary page, review the settings, then click Save.

Schedule the DAT update


Schedule an update to keep the content files and engine up to date.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 Click Menu | Systems | System Tree, then select a group or systems.

3 On the Assigned Client Tasks tab, click Actions, then select New Client Task Assignment.
a For product, select McAfee Agent.

b For Task Type, select Product Update.

c Click Create New Task to open the Client Task Catalog.


d Type a name for the task, select Mac Engine and DAT in Signatures and engines from Package types, then
click Save. The task is listed under Task Name.

e Select the task, then click Next.

4 On the Schedule page, define the schedule for the task.


a In the System Tree, select the systems or groups where you want to assign the task.

b Set these values, then click Next.


• Schedule status
• Schedule type
• Effective period
• Start time
• Task runs according to
• Options

5 On the Summary page, click Save.

6 In the right pane, select Group Details, then click Wake Up Agents.

7 In Force policy update, select Force complete policy and task update, then click OK.

Firewall policy
Define firewall policies and rules and enforce them on a managed Mac to control incoming and
outgoing network traffic.
McAfee Endpoint Security for Mac uses the McAfee Endpoint Security Firewall extension to manage the
Mac.

This table lists the policies that you can create under each product category.

Because Firewall uses McAfee Endpoint Security Firewall extensions as common extensions, the features
specific to McAfee Endpoint Security are marked as Windows only.

Use Endpoint Security Firewall policy to create and enforce firewall rules, rule groups, to block access
to domains, and to create location-specific rules for your managed Mac systems.

Product: Endpoint Security Firewall

Category: Options
Available options:
• Enable or disable Firewall protection for managed Mac.
• Enable or disable Adaptive mode on client Mac.
• Retain existing Adaptive mode client rules when enforcing the Firewall policy.
• Define maximum time limit to establish TCP, UDP, and ICMP connections.
• Define networks.

Category: Rules
Available options:
• Create firewall rules.
• Create rule groups.
• Add rules from catalog.
• Add group from catalog.
• Configure location awareness settings.

For the list of features supported for Microsoft Windows and Macintosh operating systems, see McAfee
KnowledgeBase article KB84410.


Configure a firewall rules policy


Create Firewall rules and enforce them on managed Mac.
Use the Firewall Rules policy to:
• Create firewall rules.
• Create rule groups.
• Add rules from catalog.
• Define the network protocols.
• Define the transport protocols.
• Configure location awareness settings.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select Endpoint Security Firewall as the product, then select Rules as the category.

3 Click New Policy, type a name for the policy, then click OK.

4 On the Policy Catalog page, click the policy that you created, then define these settings.

5 Click Advanced to view all options.

6 On the Firewall Rules page, configure these options, then click Save.
• Move Up — Move up the selected rule one row.

If the item previous to the selected rule is a rule group, make sure that the rule group is not
expanded. Otherwise, the rule is added to the rule group.

• Move Down — Move the selected rule one row down.

If the item after the selected rule is a rule group, make sure that the rule group is not expanded.
Otherwise, the rule is added to the rule group.

• Duplicate — Copy the rule settings under a new name in the Firewall rules list.

• Delete — Delete the selected rule from the Firewall rules list.

• Add Rule — Add a rule to the Firewall rules list.


For more information, see Create a Firewall rule.

• Add Group — Add a rule group to the Firewall rules list.


For more information, see Create a rule group and move rules to the group.

• Add Rule from Catalog — Add a rule from the catalog.

• Add Group from Catalog — Add a rule group from the catalog.

• Export — Export the rules as an .xml file. You can select multiple rules by using the Ctrl key.

Create a firewall rule


Create a firewall rule for managed Mac.


Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select Endpoint Security Firewall as the product, then select Rules as the category.

3 Click New Policy, type a name for the policy, then click OK.

4 On the Policy Catalog page, click the policy that you created, then define these settings:

5 Click Add Rule to create a Firewall rule, define these settings, then click Save.

In the Description category:
• Name: Type a name for the policy.
• Status: Select Enable rule to enable the Firewall rules on managed Mac.
• Actions:
  • Allow — Allows the network traffic through the firewall.
  • Block — Blocks the network traffic.
  • Treat match as intrusion — Treats traffic that matches the rule as an attack and generates an event that is sent to the McAfee ePO server.
  • Log matching traffic — Logs a record of matching traffic in the system log in client Mac.
• Direction:
  • Either — Matches incoming and outgoing traffic.
  • In — Matches incoming traffic.
  • Out — Matches outgoing traffic.
• Notes: You can store additional information.

In the Networks category:
• Network Protocol:
  • IP protocol — Supports only IPv4 protocol.
  • Any protocol — Supports only IPv4 protocol.
• Connection types:
  • Wired
  • Wireless
  • Virtual
• Specify networks:
  • Add Local — Adds local networks.
  • Add Remote — Adds remote networks.
  • Add from Catalog (Local) — Adds local networks from the catalog.
  • Add from Catalog (Remote) — Adds remote networks from the catalog.

In the Transport category:
• Transport protocol:
  • ICMP — Matches ICMP protocol.
  • TCP — Matches TCP protocol.
  • UDP — Matches UDP protocol.
  • All protocol — Matches ICMP, TCP, or UDP protocol.

Create a firewall rule group


Create rule groups and add related rules to the group for better management.
For details about product features, usage, and best practices, click ? or Help.


Task
1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select Endpoint Security Firewall as the product, then select Rules as the category.

3 Click Add Group to create a Firewall group, define these settings, then click Save.

In the Description category:
• Name: Type a name for the group.
• Status: Select Enable group to enable the rule group on managed Mac.
• Direction:
  • Either — Matches incoming and outgoing traffic.
  • In — Matches incoming traffic.
  • Out — Matches outgoing traffic.
• Notes: You can store additional information.

In the Location awareness category:
• Enable location awareness: Enable or disable location information of the group. For more information, see Configure location awareness options.
• Require the ePolicy Orchestrator be reachable: Enables the group to match only if there is communication with the McAfee ePO server and the FQDN of the server is resolved.
• Location criteria: Define criteria for Firewall to identify network location.

In the Networks category:
• Network Protocol:
  • Any protocol — Supports only IPv4 protocol.
  • IP protocol — Supports only IPv4 protocol.
• Connection types:
  • Wired
  • Wireless
  • Virtual
• Specify networks:
  • Add Local — Adds local networks.
  • Add Remote — Adds remote networks.
  • Add from Catalog (Local) — Adds local networks from the catalog.
  • Add from Catalog (Remote) — Adds remote networks from the catalog.

In the Transport category:
• Transport protocol:
  • ICMP — Matches ICMP protocol.
  • TCP — Matches TCP protocol.
  • UDP — Matches UDP protocol.
  • All protocol — Matches ICMP, TCP, or UDP protocol.

4 Verify the configuration details, then click Save.

Add rules to a rule group


Create a rule group and add rules to the group for easier management of rules.


Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select Endpoint Security Firewall as the product, then select Rules as the category.

3 Click New Policy, type a name for the policy, then click OK.

4 On the Policy Catalog page, click the policy that you created.

5 On the Firewall Rules page, click Add Group, define these settings, then click Save.
• Description

• Location

• Network

• Transport

6 Verify the configuration details, then click Save. The rule group appears on the Firewall Rules page.

7 Select the rule group, then click to expand the rule group.

8 Select the rule that you want to move to the rule group, then click Move Up or Move Down according to
the rule's position toward the rule group, until the rule is moved into the rule group.
• Click Move Up if the rule appears after the rule group.

• Click Move Down if the rule appears before the rule group.

Always expand the rule group before moving rules into the group. Otherwise, the rules are not
placed inside the rule group.

Configure a Firewall Options policy


Configure the Firewall Options policy and enforce it on managed Mac.
You can define these settings in the Firewall Options policy.
• Enable or disable Firewall protection on managed Mac.
• Enable or disable Adaptive mode on managed Mac.
• Retain existing client rules when enforcing the Firewall policy.
• Define the maximum time limit before TCP, UDP, and ICMP connections time out.
• Define networks.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select Endpoint Security Firewall as the product, then select Options as the
category.

3 Click New Policy, type a name for the policy, then click OK.

4 On the Policy Catalog page, click the policy that you created, then define these settings.


In... Configure...

Firewall
Enable Firewall — Enables or disables Firewall protection on managed Mac.

Tuning Options
• Enable Adaptive mode (create rules on the clients automatically) — Enables Adaptive mode on managed Mac.
• Retain existing user added rules and Adaptive mode rules when this policy is enforced — Retains rules created locally on the managed Mac and the Adaptive mode rules.

Stateful Firewall
• No. of seconds (1-240) before TCP connections time out
• No. of seconds (1-240) before UDP and ICMP echo virtual connections time out

The default value is 30 seconds.

• Use FTP Protocol Inspection — Creates dynamic rules for FTP data connections by actively monitoring the FTP commands on the control channel.

DNS Blocking
Domain Name — Specify domain names.
For more information, see Configure DNS Blocking.

Defined Networks
In Add Defined Networks:
• Single IP
• Subnet
• Local Subnet
• Range
• Fully qualified domain name
• Any local IP address
• Any IPV4 Address
Select the option from the Trusted drop-down list.
• Yes — The network is trusted automatically.
• No — The network is not trusted automatically. The network is allowed or blocked according to the rule settings.

5 Click Save.

Configure location awareness options


A location awareness policy enables administrators to enforce rules based on the network to which the
Mac is connected.
A location awareness policy contains a set of defined rules. When a network packet matches certain
criteria with the group definitions, such as ePO reachability or DNS server address, the group becomes
active. When the location awareness group is active, the rules in the group are also considered for
matching.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select Endpoint Security Firewall as the product, then select Rules as the category.

3 Click the policy for which you want to configure location awareness settings.

To create a new policy, click New Policy, type a name for the policy, then click OK to open the policy
page.

4 Click Add Group to add a group.


5 Type a name for the Group, select Enable group, then select Direction options.

6 Select Enable Location Awareness.

7 On the Location section, define these parameters, then click Next.


• Name — Type a name for the policy.

• Require that ePolicy Orchestrator be reachable — Enable the group to match only if there is
communication with the McAfee ePO server and the FQDN of the server is resolved.

• Location criteria
  • Connection-specific DNS suffix — Specify a connection-specific DNS suffix in the format: domain.com.
  • Default gateway — Specify a single IP address for a default gateway in IPv4 format.
  • DHCP server — Specify a single IP address for a DHCP server in IPv4 format.
  • DNS server — Specify a single IP address for a domain name server in IPv4 format.
  • Primary WINS — Specify a single IP address for a primary WINS server in IPv4 format.
  • Secondary WINS — Specify a single IP address for a secondary WINS server in IPv4 format.
  • Domain reachability (HTTPS) — Specify a domain name.

You can use the Add from Catalog option to add settings from the catalog.

Configure DNS blocking options


Configure DNS settings to block access to unwanted domains.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog, select Endpoint Security Firewall as the product, then select Options as the
category.

3 Click New Policy, type a name for the policy, then click OK to open the policy page.

To configure the DNS settings for a policy that you have already created, click the policy.

4 In the DNS Blocking section, click Add, type the domain name, then click Save.
• Add — To add domains to the list.

• Edit — To edit the domain in the list.

• Delete — To remove the selected item from the list.

• Clear All — To remove all items from the list.

You can use wildcards ? and * to define domains.

Web Control policy


Use the Web Control policy to protect your managed Mac from browser-based threats.
Web Control is a browser-based threat prevention solution that you can deploy and manage from
McAfee ePO or McAfee ePO Cloud.

When enabled, the software monitors each site that you access or browse, verifies its safety ratings,
and allows or blocks navigation to the site according to the configuration. You can also block access to
sites based on the content of the site.

Use Endpoint Security Web Control policies to configure protection settings for your managed Mac.

Product: Endpoint Security Web Control

Available options, by category:

Category: Block and Allow List
• Define sites in the Block and Allow List.

Category: Content Actions
• Enable or disable web category blocking.
• Configure rating actions for sites.

Category: Options
• Enable or disable Web Control on managed Mac systems.
• Log web categories for green-rated sites.
• Log events for allowed sites configured in the Block and Allow List.
• Actions for sites that are unverified by McAfee GTI.
• Block access to phishing pages for all sites.

For the list of features supported for Microsoft Windows and Macintosh operating systems, see McAfee
KnowledgeBase article KB84410.

Enable or disable Web Control


Use the Web Control Options policy to enable or disable Web Control on managed Mac systems.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog page, select Endpoint Security Web Control as the product, then select Options as the
category.

3 Select Enable Web Control.

Configure site rating actions


Configure permission for sites based on their reputation rating.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog page, select Endpoint Security Web Control as the product, then Content Actions as the
category.

3 Click New Policy, type a name for the policy, then click OK.

To edit the existing policy, click the name of the policy.

4 In Rating Actions, define Rating actions for sites, then click Save.
For more information about site rating and its descriptions, see Color-coded buttons.

Web Control does not scan files that are downloaded from allowed sites. However, if you installed
the Threat Prevention module and enabled on-access scanning, files are scanned for threats.

Configuring actions for unverified sites


Configure actions for sites that are not verified by McAfee GTI, or sites blocked by default when
McAfee GTI is not reachable.
You can configure these settings in the Web Control Options policy. For more information, see
Configure Web Control Options policy.

Define Block and Allow List


Configure Block and Allow List policy settings to define access to sites based on the domain or URL.

Before you begin


You must have enabled Web Control in the Options policy.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog page, select Endpoint Security Web Control as the product, then select Block and Allow
List as the category.

3 Click New Policy.

4 On the Create a New Policy dialog box, type a name and description for the policy.

5 On the Policy Catalog page, click the policy that you created.

6 Click Show Advanced.

7 On the Block and Allow List tab, define these settings:


• Add — Add sites to the Block and Allow List. You can enter URLs or partial URLs (site patterns) of
at least three characters. For multiple sites, enter a comma-separated list or enter each site on
a separate line.

• Delete — Delete sites from the Block and Allow List.

• Edit — Change information (URL, site pattern, or comment) for a site.

• Search — Search the Block and Allow List. This feature is useful for finding sites in large lists.

• Test Pattern — Test whether specific sites match the patterns in the Block and Allow List.

• Enable allowed sites to take precedence over blocked sites — By default, when a site is set to both Allow and
Block, the block action takes precedence and the site is blocked. Select this option to override
the default behavior and make sure that users can access allowed sites, even if they are also
blocked.

When selecting this option, make sure that allowed sites are safe so that client systems remain
protected from web-based threats.

8 Click Save.
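
The precedence rule in step 7 can be reviewed before the option is selected. The following is an added example, not McAfee code: it models the Block and Allow List with a simplified substring match (an assumption; the product's Test Pattern feature shows the real matching) and reports which URLs change outcome when allowed sites take precedence. The names Entry, list_action and outcome_changes are hypothetical.

```python
from dataclasses import dataclass

MIN_PATTERN_LEN = 3  # the guide requires site patterns of at least three characters


@dataclass(frozen=True)
class Entry:
    """One Block and Allow List entry (hypothetical model, not a product format)."""
    pattern: str
    action: str  # "allow" or "block"

    def __post_init__(self):
        if self.action not in ("allow", "block"):
            raise ValueError(f"unknown action: {self.action!r}")
        if len(self.pattern) < MIN_PATTERN_LEN:
            raise ValueError(f"pattern shorter than {MIN_PATTERN_LEN} characters: {self.pattern!r}")


def matches(pattern, url):
    # ASSUMPTION: case-insensitive substring match stands in for the product's
    # site-pattern matching, which this page does not specify.
    return pattern.lower() in url.lower()


def list_action(entries, url, allow_takes_precedence=False):
    """Return "allow", "block", or None when no list entry matches the URL."""
    actions = {e.action for e in entries if matches(e.pattern, url)}
    if not actions:
        return None
    if len(actions) == 2:
        # Site is set to both Allow and Block: block wins unless the option is selected.
        return "allow" if allow_takes_precedence else "block"
    return next(iter(actions))


def outcome_changes(entries, urls):
    """List URLs that become reachable once allowed sites take precedence."""
    changed = []
    for url in urls:
        if list_action(entries, url, False) != list_action(entries, url, True):
            allow = sorted(e.pattern for e in entries if e.action == "allow" and matches(e.pattern, url))
            block = sorted(e.pattern for e in entries if e.action == "block" and matches(e.pattern, url))
            changed.append((url, allow, block))
    return changed


# Constructed sample data using reserved example domains.
SAMPLE_ENTRIES = [
    Entry("example.com", "allow"),
    Entry("ads.example.com", "block"),
    Entry("tracker.example.net", "block"),
]
SAMPLE_URLS = [
    "https://www.example.com/",
    "https://ads.example.com/banner.js",
    "https://tracker.example.net/p",
    "https://news.example.org/",
]

if __name__ == "__main__":
    for url, allow, block in outcome_changes(SAMPLE_ENTRIES, SAMPLE_URLS):
        print(f"{url}: blocked by {block}, would be allowed by {allow}")
```

Each reported URL is one where a broad allow pattern would override a more specific block entry, which is the case the note in step 7 asks you to check.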

Configure browser events


Use Options policy settings to configure Web Control events sent from a managed Mac to the McAfee
ePO database.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog page, select Endpoint Security Web Control as the product, then select Options as the
category.

3 Click New Policy, type a name for the policy, then click OK.

To edit the existing policy, click the name of the policy.

4 Configure these settings in the Client Logging section as needed.


• Log web categories for green rated sites

• Log events for allowed sites configured in the Block and Allow List

5 Click Save.

Events are always generated for red or yellow-rated sites.

Configure Web Control Options policy


Configure the Web Control Options policy to enable or disable the web protection, configure logging
preferences, and enforce actions for specific scenarios.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the McAfee ePO server as an administrator.

2 From the Policy Catalog page, select Endpoint Security Web Control as the product, then select Options as the
category.

3 Click New Policy, type a name for the policy, then click OK.

4 On the Policy Catalog page, click the policy that you created, then define these settings.

In Web Control, configure:
• Enable Web Control — Enables or disables Web Control on managed Mac systems.

In Event Logging, configure:
• Log web categories for green rated sites — Logs content category details for the green-rated sites that you access.
• Log events for allowed sites configured in the Block and Allow List — Logs events for sites listed in the Block and Allow List with Allow permission.

In Action Enforcement, configure:
Apply this action to sites not yet verified by McAfee GTI:
• Allow — Allows access to unverified sites
• Block — Blocks access to unverified sites
• Warn — Displays a warning for unverified sites. You can either select Continue or Cancel the navigation.
• Blocks site by default if McAfee GTI ratings server is not reachable — Blocks access to sites if McAfee GTI is not reachable for site rating.
• Blocks phishing pages for all sites (Includes Allowed sites and overrides content rating actions) — Blocks access to phishing sites although the Block Allow List allows access to the site and the content rating is enabled.

In Exclusions, configure:
• Allow all IP addresses in the local network — Allows the IP addresses of the local network.
• Specify IP addresses or ranges to exclude from Web Control rating or blocking — Excludes the IP addresses from Web Control rating and blocking.

Specify only a single IP address or the IP address range. The software doesn't support Classless Inter-Domain Routing (CIDR) IP address format.

5 Click Save.
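
Because the Exclusions setting does not accept CIDR notation, network blocks that are documented as CIDR have to be rewritten as single addresses or ranges before they are entered. The following is an added example, not McAfee code: it converts IPv4 CIDR blocks to merged first/last pairs and counts how many addresses the exclusion covers. The "first-last" output notation and all function names are assumptions.

```python
import ipaddress


def cidrs_to_ranges(cidrs):
    """Turn IPv4 CIDR blocks into merged (first, last) address pairs.

    Overlapping and directly adjacent blocks are merged so the exclusion
    list stays short and free of duplicates.
    """
    spans = []
    for text in cidrs:
        # strict parsing (the default) rejects input such as 10.0.0.5/24,
        # where host bits are set; that is usually a typo worth catching
        # before it widens an exclusion.
        net = ipaddress.ip_network(text.strip())
        if net.version != 4:
            raise ValueError(f"IPv4 only in this example: {text!r}")
        spans.append((int(net.network_address), int(net.broadcast_address)))

    merged = []
    for start, end in sorted(spans):
        if merged and start <= merged[-1][1] + 1:
            # Overlaps or touches the previous span: extend it.
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end])
    return [(ipaddress.IPv4Address(s), ipaddress.IPv4Address(e)) for s, e in merged]


def format_entries(ranges, sep="-"):
    """Render pairs as single addresses or 'first<sep>last' strings.

    ASSUMPTION: the separator is a placeholder; use the range notation
    that the policy page accepts.
    """
    return [str(a) if a == b else f"{a}{sep}{b}" for a, b in ranges]


def excluded_address_count(ranges):
    """Number of addresses that will bypass Web Control rating and blocking."""
    return sum(int(b) - int(a) + 1 for a, b in ranges)


# Constructed sample input (private and documentation address space).
SAMPLE_CIDRS = ["10.0.0.0/24", "10.0.1.0/24", "10.0.0.128/25", "192.0.2.7/32"]

if __name__ == "__main__":
    ranges = cidrs_to_ranges(SAMPLE_CIDRS)
    for entry in format_entries(ranges):
        print(entry)
    print("addresses excluded:", excluded_address_count(ranges))
```

Reviewing the address count before saving the policy shows how much traffic the exclusion removes from rating and blocking.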

Queries and reports


Run predefined queries to generate reports, or modify them to generate custom reports.

Queries for Threat Prevention


Here is the list of queries that you can view or customize for Threat Prevention.

| Query | Displays |
| --- | --- |
| Endpoint Security Threat Prevention: Hotfixes Installed | The hotfixes installed for the software. |
| Endpoint Security Threat Prevention: On-Access Scan Compliance Status | This is the On-Access Scan compliance status. |
| Endpoint Security Threat Prevention: Duration of Completed Full Scans in the Last 7 Days | The duration of completed Full Scan in the last seven days. |
| Endpoint Security Threat Prevention: Systems Not Completed a Full Scan in the Last 7 Days | The number of systems that have not completed a Full Scan in the last seven days but within the last month. |
| Endpoint Security Threat Prevention: Systems Not Completed a Full Scan in the Last Month | The number of systems that have not completed a Full Scan in the last month. |
| Endpoint Security Threat Prevention: Duration of Completed Quick Scans in the Last 7 Days | The duration of completed Quick Scan in the last seven days. |
| Endpoint Security Threat Prevention: Detection Response Summary | The number of threats on which an action was taken (Clean, or Delete), versus the number of threats on which no action was taken, in the last three months. |
| Endpoint Security Threat Prevention: Threats Detected Over the Previous 2 Quarters | The threats detected in the previous two quarters. No cookies. |
| Endpoint Security Threat Prevention: Threat Count by Severity | Slice count is the number of events. Slices are the different event severities. All in the last three months. |
| Endpoint Security Threat Prevention: Top 10 Detected Threats | The top 10 detected items in the last three months. |
| Endpoint Security Threat Prevention: Top 10 Threat Sources | The top 10 computers which are the source for a threat in the last three months. |
| Endpoint Security Threat Prevention: Top 10 Computers with the Most Detections | The top 10 computers with the most detections in the last three months. |
| Endpoint Security Threat Prevention: Top 10 Threats Per Threat Category | The top 10 threats per threat category in the last three months, grouped by threat category then by threat name. |
| Endpoint Security Threat Prevention: Top 10 Users with the Most Detections | The top 10 users with the most detections in the last three months. |
| Endpoint Security Threat Prevention On-Access Scan McAfee GTI Sensitivity level | This report displays the McAfee GTI sensitivity level for On-Access Scans. |
| Endpoint Security Threat Prevention On-Demand Scan Full Scan GTI sensitivity level | This report displays the McAfee GTI sensitivity level for On-Demand Full Scans. |
| Endpoint Security Threat Prevention On-Demand Scan Quick Scan GTI sensitivity level | This report displays the McAfee GTI sensitivity level for On-Demand Quick Scans. |

Queries for Firewall


Here is the list of queries that you can view or customize for Firewall.

| Query | Displays |
| --- | --- |
| Endpoint Security Firewall : Intrusion events in the last 24 hours | The number of intrusion events in the last twenty-four hours. |
| Endpoint Security Firewall : Traffic Block events in the last 24 hours | The number of traffic blocked events in the last twenty-four hours. |
| Endpoint Security Firewall: Hotfixes Installed | The hotfixes installed for Endpoint Security software. |
| Endpoint Security Firewall Status | The Endpoint Security Firewall status. |
| Endpoint Security Firewall : Compliance Status | Whether the firewall status is enabled or disabled on managed Mac. |
| Endpoint Security Firewall : Count of Firewall Client Rules | The number of Firewall client rules created over time. |
| Endpoint Security Firewall : Client Rules By Protocol/System Name | Firewall client rules listed by protocol and system name. |
| Endpoint Security Firewall : Events in the last 24 hours | The number of Firewall events in the last twenty-four hours. |

Queries for Web Control


Here is the list of queries that you can view or customize for Web Control.

| Query | Displays |
| --- | --- |
| Endpoint Security Web Control: Visit Log | The detailed event log for site navigation log activity for the last thirty days. |
| Endpoint Security Web Control: Top 100 Blocked Red Sites | The top 100 red category sites that were blocked in the last thirty days. |
| Endpoint Security Web Control: Top 100 Blocked Sites | The top 100 blocked sites that were blocked in the last thirty days. |
| Endpoint Security Web Control: Top 100 Visited Red Sites | The top 100 red category sites visited in the last thirty days. |
| Endpoint Security Web Control: Top 100 Red Sites on Allow List | The top 100 red category sites allowed because of Allow or Block list policy in the last thirty days. |
| Endpoint Security Web Control: Top 100 Sites on Allow List | The top 100 sites allowed because of Allow or Block list policy in the last thirty days. |
| Endpoint Security Web Control: Top 100 Sites on Block List | The top 100 sites blocked because of Allow or Block list policy in the last thirty days. |
| Endpoint Security Web Control: Top 100 Visited Unrated Sites | The top 100 unrated sites visited in the last thirty days. |
| Endpoint Security Web Control: Top 100 Warned-Cancelled Sites | The top 100 sites that were warned-cancelled in the last thirty days. |
| Endpoint Security Web Control: Top 100 Warned-Continued Sites | The top 100 sites that were warned-continued in the last thirty days. |
| Endpoint Security Web Control: Top 100 Visited Yellow Sites | The top 100 yellow category sites visited in the last thirty days. |
| Endpoint Security Web Control: Top Sites Grouped by Content | The top sites grouped by contents in the last thirty days. |
| Endpoint Security Web Control: Visits by Action Grouped by Content | The chart depicting the number of visits to each content category in the last thirty days, grouped by policy-based actions. |
| Endpoint Security Web Control: Visits by Action | The chart depicting number of visits in the last thirty days, grouped by policy-based actions. |
| Endpoint Security Web Control: Visits by Content | The chart depicting number of visits in the last thirty days, grouped by site content. |
| Endpoint Security Web Control: Visits by Rating | The chart depicting number of visits in the last thirty days, grouped by site rating. |
| Endpoint Security Web Control: Web Content Categories that Caused the Most Infections in the Last 7 Days | The web content category with the most infections in the last seven days. |
| Endpoint Security Web Control: Compliance Status | The Web Control Compliance Status report. |
| Endpoint Security Web Control: Hotfixes Installed | The hotfixes installed for Endpoint Security. |

Other queries
Run these queries to generate reports, or modify them to generate custom reports.

| Query | Displays |
| --- | --- |
| Endpoint Security: Top Infected Users in the Last 7 Days | The list of top infected users in the last seven days. |
| Endpoint Security: Primary Vectors of Attack in the Last 7 Days | The list of Primary Vectors of Attack in the last seven days. |
| Endpoint Security: Top Threats in the Last 48 Hours | The list of top threats in the last forty-eight hours. |
| Endpoint Security: Threats Detected in the Last 24 Hours | The number of threat events generated in the last twenty-four hours. |
| Endpoint Security: Threats Detected in the Last 7 Days | The number of threat events generated in the last seven days. |
| Endpoint Security: Summary of Threats Detected in the Last 24 Hours | The summary of threats detected in the last twenty-four hours. |
| Endpoint Security: Summary of Threats Detected in the Last 7 Days | The summary of threats detected in the last seven days. |
| Endpoint Security: Currently Enabled Technology | The list of technologies that are currently enabled on each managed Mac. |
| Endpoint Security: Policy Compliance by Computer Name | Two lists of computers which do and do not have the latest policy applied. |
| Endpoint Security: Policy Compliance by Policy Name | A boolean pie chart showing which policies have and have not been updated on the client Mac. |
| Endpoint Security: Self Protection Compliance Status | The list of self-protection compliance status report. |
| Endpoint Security Platform: Hotfixes Installed | The list of hotfixes installed for the software. |
| Endpoint Security: Installation Status Report | The stacked bar chart of multiple modules and their installation status. |
