
CA Total Defense

Administration Guide
r12
This documentation and any related computer software help programs (hereinafter referred to as the
"Documentation") are for your informational purposes only and are subject to change or withdrawal by CA at any time.

This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part,
without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may
not be used or disclosed by you except as may be permitted in a separate confidentiality agreement between you and
CA.

Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation,
you may print a reasonable number of copies of the Documentation for internal use by you and your employees in
connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

The right to print copies of the Documentation is limited to the period during which the applicable license for such
software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify
in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER
OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION,
INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR
LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and
is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is CA.

Provided with "Restricted Rights." Use, duplication or disclosure by the United States Government is subject to the
restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section
252.227-7014(b)(3), as applicable, or their successors.

Copyright © 2010 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein
belong to their respective companies.
CA Product References
This document references the following CA products:
■ CA Total Defense
■ CA Total Defense for Unified Network Control

Contact CA
Contact Technical Support

For your convenience, CA provides one site where you can access the
information you need for your Home Office, Small Business, and Enterprise CA
products. At http://ca.com/support, you can access the following:
■ Online and telephone contact information for technical assistance and
customer services
■ Information about user communities and forums
■ Product and documentation downloads
■ CA Support policies and guidelines
■ Other helpful resources appropriate for your product
Contents

Chapter 1: Introduction 13
Types of Protection ............................................................................. 13
Anti-Malware ............................................................................... 13
Proactive Protection ......................................................................... 13
Groupware ................................................................................. 14
CA Gateway Security ........................................................................ 14
CA Total Defense for Unified Network Control ................................................ 15
Product Infrastructure .......................................................................... 15
Client-Server Communication ................................................................... 15
Phone Home ................................................................................ 15
Internet Information Services (IIS) .......................................................... 16
Data Flow between Endpoints and Servers ................................................... 18
Data Flow Using Proxies ..................................................................... 20
The Management Console ....................................................................... 21
Management Console Navigation ............................................................ 22
Filter and Find Tools ........................................................................ 23
Ease of Use Features ........................................................................ 24
Open the Management Console .............................................................. 25
Install the CA Security Certificate ............................................................ 25

Chapter 2: Monitoring Your Network's Health 27


Dashboard ..................................................................................... 27
Custom Dashboards......................................................................... 28
The Dashboard and Partitions ............................................................... 29
The Dashboard and User Roles .............................................................. 29
Reports ........................................................................................ 29
Report Generation .......................................................................... 30
Report Viewing Methods ..................................................................... 31
Predefined Reports .......................................................................... 32
Unified Network Control Report Configuration ................................................ 33
Custom Reports............................................................................. 33
Report Formats and Layouts................................................................. 34
Report Maintenance ......................................................................... 35
Reports and Partitions ....................................................................... 36
Reports and User Roles ..................................................................... 36
Events ......................................................................................... 37
Event Management ......................................................................... 37

Contents 5
Viewing Events ............................................................................. 38
Events Statistics ............................................................................ 39
Record Deletion and Archival ................................................................ 39
Events and User Roles ...................................................................... 41
High Severity Events ........................................................................ 42
Event Insight ............................................................................... 43
Events Flow Diagram ........................................................................ 44

Chapter 3: Maintaining Your Environment 47


Policy and Partition Tree Concepts ............................................................... 47
The Root Branch ............................................................................ 48
Parent and Child Branches .................................................................. 49
About the Other Endpoints Branch ........................................................... 51
Branch Subdivision Options.................................................................. 52
How Endpoints Are Assigned to Partitions and Branches ...................................... 54
Policy Assignment Tree...................................................................... 55
Partition Assignment Tree ................................................................... 56
How to Design Policy or Partition Assignment Trees .......................................... 57
Tree Operations ................................................................................ 58
Locking Trees ............................................................................... 59
Tree Modifications .......................................................................... 59
Branch Deletion ............................................................................. 59
User Roles and Tree Management ........................................................... 60
Policy Concepts ................................................................................. 60
CA-Recommended Default Policies ........................................................... 60
Policy Assignment........................................................................... 61
Global Policies .............................................................................. 62
Partition Policies ............................................................................ 63
Endpoint Management .......................................................................... 63
Viewing Endpoints .......................................................................... 63
Find Specific Endpoints ...................................................................... 64
Detailed Endpoint Information ............................................................... 65
Product Component Updates ................................................................ 65
Remote Deployments ....................................................................... 66

Chapter 4: Configuring Your Environment 67


License Management............................................................................ 67
How the Licensing Process Works ............................................................ 68
The Node-id and Organization Chart ......................................................... 71
Product Subscription Management Tool ...................................................... 72
Synchronization ............................................................................. 73

6 Administration Guide
License Expiration .......................................................................... 73
Renewals and Migration ..................................................................... 74
New License Keys ........................................................................... 74
License Reassignment ....................................................................... 75
Proxy or Server Component License Assignment ............................................. 75
Offline License Synchronization .............................................................. 76
Management Server Proxy Implementation ...................................................... 77
Activating a Proxy in a DMZ ................................................................. 78
Endpoint Discovery ............................................................................. 79
How Endpoint Discovery Works .............................................................. 79
Discovery Scanning Methods ................................................................ 82
Operating System Detection Methods ........................................................ 84
Endpoint Discovery Network Map ............................................................ 85
Unknown Host Found ....................................................................... 85
Differences between Full and Incremental Discovery .......................................... 86
IP Address Exclusion List .................................................................... 86
Timeout, Delay and Retry Ranges ........................................................... 87
Optimizing Endpoint Discovery Configuration ................................................. 88
Viewing Endpoint Discovery Scan Engines Performance Statistics ............................. 89
View Service Logs During a Scan ............................................................ 89
Revert to Older Signatures ...................................................................... 89
Directory Services .............................................................................. 90
Conditions for Using Active Directory ........................................................ 91
Server Database Management................................................................... 92
Management Server Database ............................................................... 92
Event Server Database ...................................................................... 94
Endpoint Discovery Database ................................................................ 96
User Role Management ......................................................................... 96
Assigning User Roles ........................................................................ 96
User Role Authentication .................................................................... 97
Group Inheritance .......................................................................... 98
Global and Partition-Specific Roles ........................................................... 98
User Role Descriptions ...................................................................... 98

Appendix A: Procedures 101


Management Console .......................................................................... 101
Set General Preferences.................................................................... 101
Set Locale Preferences ..................................................................... 102
Refresh Dashboard Content ................................................................ 104
Manage Dashboards ....................................................................... 104
Create Custom Dashboards................................................................. 106
View the Signatures Panel .................................................................. 107

View the Endpoints Panel................................................................... 107
View the Malware Panel .................................................................... 108
View the CA Global Advisor Panel ........................................................... 109
View the Server Monitor Panel .............................................................. 110
Reports ....................................................................................... 112
View Report Filters ......................................................................... 112
Create Report Filters ....................................................................... 112
Manage Report Filters ...................................................................... 114
View Reports .............................................................................. 115
Report Configuration ....................................................................... 116
View Scheduled Tasks ...................................................................... 150
Create Scheduled Tasks .................................................................... 151
Manage Scheduled Tasks ................................................................... 151
View Run History .......................................................................... 152
Customize Report Scheme ................................................................. 153
Maintain Report Storage ................................................................... 154
Set Reporter Permissions ................................................................... 154
Events ........................................................................................ 156
View Events ............................................................................... 156
Delete Events .............................................................................. 157
View Event Filters .......................................................................... 157
Create Event Filters ........................................................................ 159
View Statistics ............................................................................. 160
Event Notification Configuration ............................................................ 160
Endpoints ..................................................................................... 168
View Endpoints ............................................................................ 168
Filter the Endpoint View .................................................................... 170
View Managed Endpoint Details ............................................................. 174
Manage Centralized Deployments ........................................................... 176
Create New Installation Packages ........................................................... 179
Save an Installation Package to Disk ........................................................ 180
Deploy Installation Packages to Endpoints .................................................. 181
Delete Endpoints ........................................................................... 183
Review Deployment Jobs ................................................................... 183
Filter Deployment Job Records.............................................................. 185
Purge Deployment Job Records ............................................................. 186
Partition Assignment Tree ...................................................................... 187
View the Partition Assignment Tree ......................................................... 187
View Partition Branch Details ............................................................... 189
Lock the Partition Assignment Tree ......................................................... 191
Create or Edit a Partition Branch ............................................................ 192
Subdivide Partition Branches ............................................................... 194

Using the Branch Subdivision Page ......................................................... 196
Using the Branch Properties Page ........................................................... 198
Manage Partition Branches ................................................................. 200
Policy Assignment Tree ........................................................................ 201
Lock the Policy Assignment Tree ............................................................ 201
Assign Policies ............................................................................. 202
Manage Policy Assignment Branches ........................................................ 203
Common Tree Procedures ...................................................................... 206
Manage Server Change History ............................................................. 206
Set Change History Parameters............................................................. 207
View Partition Assignment Tree Change History ............................................. 207
View Policy Assignment Tree Change History ................................................ 209
View Policies Change History ............................................................... 213
View Advanced Policy Components Change History .......................................... 216
Manage Locked Trees ...................................................................... 218
View Change History Details ................................................................ 221
Policies ........................................................................................ 222
Manage Policies ............................................................................ 222
Create General Policies ..................................................................... 224
Create Anti-Malware Policies ................................................................ 250
Create Proactive Protection Policies ......................................................... 279
Manage Proactive Protection Advanced Configuration ........................................ 309
Create Groupware Policies .................................................................. 479
Licensing ...................................................................................... 526
Manage License Status ..................................................................... 526
Licensing Messages ........................................................................ 527
Complete the Licensing Registration Process ................................................ 528
Product Subscription Management Tool ..................................................... 529
View Endpoint Details .......................................................................... 529
Filter the Endpoint List ..................................................................... 530
Reassign Licenses .......................................................................... 530
Unassign Licenses ......................................................................... 531
View Product Information ...................................................................... 531
Edit Contact Details ........................................................................ 533
Link an Order to Your Account .............................................................. 534
View Support Contact Details ............................................................... 534
Manage License Requests ...................................................................... 535
Renew or Upgrade a License ............................................................... 537
Migrate a License .......................................................................... 538
Endpoint Discovery ............................................................................ 539
Manage Endpoint Discovery ................................................................ 540
Configure Endpoint Discovery .............................................................. 543

Schedule Endpoint Discovery ............................................................... 544
Specify Endpoint Discovery Methods ........................................................ 546
Enter Authentication Credentials ............................................................ 547
Specify IP Range Exclusions ................................................................ 548
Specify Port Scanning Parameters .......................................................... 549
Specify Advanced Parameters .............................................................. 551
Specify Endpoint Discovery Logging Options ................................................ 553
Management Server Proxy ..................................................................... 554
Manage Proxy Servers ..................................................................... 554
Add Management Proxy Servers ............................................................ 557
Configure Management Proxy Servers ...................................................... 559
Active Directory ............................................................................... 560
Using Active Directory Servers ............................................................. 560
Add Active Directory Servers ............................................................... 561
Manage Active Directory Servers ........................................................... 563
Server Databases .............................................................................. 564
Configure Management Server Databases ................................................... 565
Event Server .............................................................................. 566
Set Database Storage Connection .......................................................... 567
Set Storage Preferences.................................................................... 568
Maintain the Event Server .................................................................. 569
Schedule Event Server Maintenance ........................................................ 570
View Event Server History .................................................................. 572
Archive the Event Server ................................................................... 573
View Archive History ....................................................................... 575
View Archived Databases ................................................................... 576
User Roles ..................................................................................... 577
Manage User Roles ......................................................................... 577
View the User Role Details ................................................................. 579
Add or Remove Users from User Roles ...................................................... 580
Revert to Older Signatures ..................................................................... 582

Appendix B: Command Line Scanner 583


Command Line Parameters ..................................................................... 583

Appendix C: Database Migrations 585


Migrate the Management Server Database ...................................................... 585
Migrate the Events, Notifications, and Reports Databases ........................................ 586

Appendix D: Troubleshooting 589


Certificate Creation Error ....................................................................... 589

Microsoft SQL Server Connection ............................................................... 589
Database Connectivity ..................................................................... 590
Management Console Connection ............................................................... 590
Active Directory Server Configuration ........................................................... 591
Discovery or Remote Deployment Issue ........................................................ 591
Log Shows “Service creation failed with retCode [50029]” ....................................... 591
Endpoint Discovery Does Not Start ............................................................. 592
Endpoint Discovery Failed to Locate Endpoints .................................................. 592
Endpoint Discovery Runs for a Prolonged Time .................................................. 593
An Endpoint is Listed without an IP Address ..................................................... 593
Turn on Management Server Logging ........................................................... 594
Generate a Diagnostic Report .................................................................. 594
Diagnose a Report Failure ...................................................................... 595

Chapter 1: Introduction
This section contains the following topics:

Types of Protection (see page 13)
Product Infrastructure (see page 15)
Client-Server Communication (see page 15)
The Management Console (see page 21)

Types of Protection
CA Total Defense provides multiple layers of protection to safeguard your
network against malicious programs, viruses, spyware, and other threats. The
following sections provide a brief overview of Total Defense protection policies.

Anti-Malware

Detects, analyzes and provides remediation for an entire range of
threats—including viruses, worms, spyware, key loggers, Trojans and other
malicious code.

Proactive Protection

The Proactive Protection policies include the following types of protection:

Firewall
Controls network traffic between the endpoint and other computers and
networks. Performs stateful packet inspection so that it can identify and
permit only traffic that matches known legitimate connection behavior.

Application Controls
Keeps track of authorized applications and stops non-authorized applications
from executing on the endpoint.

OS Security
Protects against malicious or accidental access to specific files, folders, and
system configurations such as the Windows Registry. It can also restrict
access to devices so that exploits cannot be introduced through devices such
as USB storage drives.

Chapter 1: Introduction 13
Types of Protection

Intrusion Protection
Inspects inbound and outbound network traffic from multiple sources to
identify suspicious patterns that can indicate a network attack. The intrusion
policy uses sets of rules that identify such traffic; when suspicious activity
matches a rule, the policy generates alerts and actions and determines what
happens in response to the anomalous event.

Vulnerability Assessment
Assesses endpoint vulnerability by examining account and password settings
and reports whether an endpoint is out of compliance.

Groupware

Groupware policies include the following types of protection:

Microsoft Exchange Real-Time Scans and Scheduled Scans
Provides real-time scanning for the Microsoft Exchange server. Performs
scheduled scans of the Microsoft Exchange server, mailboxes, and Public
Folders.

Lotus Domino Real-Time Scans and Scheduled Scans
Provides real-time scanning for the Lotus Domino server. Performs
scheduled scans of the Lotus Domino server and mailboxes.

Microsoft SharePoint Real-Time Scans and Scheduled Scans
Provides real-time scanning of the Microsoft SharePoint server. Performs
scheduled scans of the SharePoint server and Document Libraries.

NetApp Real-Time Scans
Provides real-time scanning of NetApp appliances.

CA Gateway Security

CA Gateway Security provides gateway protection using SMTP/HTTP filtering and
the 7.1 anti-virus scan engine. It safeguards your business from incoming Web
and messaging threats or spam, and from data confidentiality breaches through
outgoing email traffic. You can generate and view CA Gateway Security reports
using the Total Defense Management Console.

For information about CA Gateway Security, refer to the product documentation
located in the CA Gateway Security Docs directory or on the CA Support website.


CA Total Defense for Unified Network Control

CA Total Defense for Unified Network Control ensures that every endpoint
connected to your corporate network complies with your established security
policies. If an endpoint is not compliant, CA Total Defense for Unified Network
Control puts the device into network quarantine, which limits its access to
network resources. A device in network quarantine can access only those
remediation servers that bring the device back into compliance.

Once a device achieves compliance, CA Total Defense for Unified Network
Control grants it full access to the network. CA Total Defense for Unified Network
Control operates across all remote and local access methods that endpoints use
to connect to the network. You can view CA Total Defense for Unified Network
Control reports from the Total Defense Management Console.

For more information, refer to the product documentation located in the CA Total
Defense for Unified Network Control Docs directory or on the CA Support
website.

Product Infrastructure
For detailed information about the CA Total Defense product architecture, see
the Product Infrastructure section in the CA Total Defense Implementation Guide
for Distributed Installations.

Client-Server Communication
This section describes the communications that occur between endpoints and CA
Total Defense server components.

Phone Home

The Phone Home feature enables an endpoint to contact a designated
Management Server (or Management Server Proxy) to report information about
itself and check for policy updates or partition changes. The server or proxy
server records the endpoint's information in its database, and if necessary,
instructs the endpoint to pull any new or updated policies.

Phone Home contains an automatic optimization feature that minimizes the
amount of network traffic and server processing time if an information exchange
is unnecessary. The information exchange is unnecessary when there are no
changes on the Management Server.

Chapter 1: Introduction 15
Client-Server Communication

The default CA-recommended Phone Home policy automatically contains the
fully qualified domain name of your Management Server as the primary server to
contact. In addition, the default policy also specifies that endpoints contact the
primary Management Server 5 minutes after installation, and then every 10
minutes thereafter. The default policy also instructs endpoints to contact the
server at every system start-up and when the system wakes up from stand-by
mode. You can simply deploy the default Phone Home policy to endpoints
without making any modifications to it.

To modify the default settings of the Phone Home policy, you can copy and paste
the default policy and create a customized policy for your environment. For
example, you can adjust the phone home settings to stagger them so that
different groups of endpoints contact the server at different times to avoid peaks
of heavy network traffic. You might also choose to designate a secondary server
as a back-up in case the primary server is unavailable, or have certain endpoints
contact a Management Server Proxy instead of the Master Management Server.
To modify the Phone Home policy, you use the Policy Editor from within the
Management Console.

Note: Any time that you modify the name of the primary or secondary server,
you must use the server's fully qualified domain name.

Best Practice Tip! In large organizations that use proxy servers, CA
recommends specifying a Management Server Proxy as the primary server for
endpoints to contact. This helps alleviate network traffic to the Master
Management Server and improves overall load balance.
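The exchange described in this section, as an added example that is not part of this guide or of CA's own code: an in-memory stand-in for a Management Server (or Management Server Proxy), an endpoint that contacts its primary server and falls back to a secondary, and the contact schedule (first contact 5 minutes after installation, then every 10 minutes, optionally staggered per group). The names ManagementServer, Endpoint, contact_schedule, the message fields, and the policy-version comparison used to model the "no changes on the server" optimization are all assumptions made for this example, not the product's actual protocol.

```python
"""Model of the Phone Home exchange (added example, not CA code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ManagementServer:
    """Stand-in for a Management Server or Management Server Proxy (assumed)."""
    name: str
    policy_version: int = 1
    policies: Dict[str, str] = field(default_factory=lambda: {"PhoneHome": "default"})
    available: bool = True
    inventory: Dict[str, dict] = field(default_factory=dict)  # endpoint_id -> last report

    def phone_home(self, endpoint_id: str, report: dict, known_version: int) -> dict:
        """Record the endpoint's report and say whether it must pull policies."""
        if not self.available:
            raise ConnectionError(f"{self.name} unreachable")
        self.inventory[endpoint_id] = report
        if known_version == self.policy_version:
            # Optimization from the text: nothing changed on the server, so no
            # policy payload is exchanged and server work stops here.
            return {"status": "no_change", "version": self.policy_version}
        return {"status": "update", "version": self.policy_version,
                "policies": dict(self.policies)}


@dataclass
class Endpoint:
    """Endpoint that phones home to a primary server, then a secondary (assumed model)."""
    endpoint_id: str
    primary: ManagementServer
    secondary: Optional[ManagementServer] = None
    policy_version: int = 0          # 0 = no policies pulled yet
    policies: Dict[str, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def phone_home(self) -> str:
        """Contact the primary; on failure try the secondary. Returns the outcome."""
        report = {"endpoint": self.endpoint_id, "agent": "example-agent"}  # constructed
        for server in (self.primary, self.secondary):
            if server is None:
                continue
            try:
                reply = server.phone_home(self.endpoint_id, report, self.policy_version)
            except ConnectionError:
                self.log.append(f"{server.name}: unreachable")
                continue
            if reply["status"] == "update":
                # Server instructed us to pull new or updated policies.
                self.policies = reply["policies"]
                self.policy_version = reply["version"]
            self.log.append(f"{server.name}: {reply['status']}")
            return reply["status"]
        self.log.append("all servers unreachable")
        return "failed"


def contact_schedule(install_time: int, horizon: int, first_delay: int = 5,
                     interval: int = 10, stagger: int = 0) -> List[int]:
    """Minutes (relative to install_time) at which an endpoint phones home.

    Defaults follow the default policy (5 minutes after install, then every
    10 minutes). `stagger` is a per-group offset so that groups of endpoints
    contact the server at different times.
    """
    times = []
    t = install_time + first_delay + stagger
    while t <= horizon:
        times.append(t)
        t += interval
    return times


if __name__ == "__main__":
    primary = ManagementServer("mgmt.example.internal")        # constructed names
    secondary = ManagementServer("mgmt-proxy.example.internal", policy_version=1)
    ep = Endpoint("host-01", primary, secondary)
    print(ep.phone_home())        # update: first contact pulls policies
    print(ep.phone_home())        # no_change: nothing new on the server
    primary.available = False
    print(ep.phone_home())        # secondary answers instead
    print(contact_schedule(0, 35), contact_schedule(0, 35, stagger=3))
```

The contact schedule for two groups with different stagger offsets shows how the peak-traffic problem the text mentions is avoided: the groups never phone home in the same minute.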

More Information

Create Phone Home Policies (see page 225)
Configure Phone Home Policy Name and General Settings (see page 225)
Configure Phone Home Settings (see page 227)

Internet Information Services (IIS)

The following table shows the CA Total Defense components that use IIS:

Component              Description in Computer      Port
                       Management Window
---------------------  ---------------------------  ------------------------------
Management Server      TDR12                        HTTP: 8008
                                                    HTTPS: 44344
Event Server           TDR12EventServer             HTTP: 8218
                                                    HTTPS: 44366
Redistribution Server  TDR12RS                      TCP/IP: 42511
                                                    HTTPS: 44377
Certificates           TDR12Certs                   TCP/IP: 8118 for Distribution
                                                    TCP/IP: 44333 for Revocation

To view IIS

1. Log on to the computer hosting the Management Server and go to the Control
Panel.
2. Double-click Computer Management.
3. When the Computer Management window opens, expand Services and
Applications, and then Internet Information Services.

For more information on IIS, refer to the official Microsoft IIS website at
www.iis.net.

The following screen-shot shows the CA Total Defense IIS services:


Data Flow between Endpoints and Servers

The following diagram shows the data flow between unmanaged, managed and
mobile endpoints and CA Total Defense server components. This example
represents a Distributed Installation in an organization's main IT department.
The data flow is the same in a Standalone installation except that all of the server
components are installed on a single host machine.


Data Flow Using Proxies

The following diagram shows the communication and data flow when proxies are
used at remote office:


The Management Console

The Management Console is a web-based graphical user interface that allows
you to interact with the Management Server to administer and manage the
endpoints on your network. You can use the Start menu to open the console on
the computer that hosts the Management Server, or you can use the console's
URL to open it on any other computer.

The main functional areas of the Management Console (the numbered sections in
the following illustration) provide access to the following features, functions, and
information:
1. The Navigation Pane, on the left of the console, helps you quickly move from
one area of the console to another. The following section in this guide
provides additional information about the Navigation Pane.

2. The Toolbar, at the top of the main panel in the console display, provides
task-oriented buttons and drop-down menus that perform actions related to
the content displayed in the Work Area. The items on the Toolbar vary
depending on the task you are performing or the content you are viewing.

3. The Work Area, located just below the Toolbar, displays information or
configuration options that you can set. When you select an item in the
Navigation Pane, this area of the console displays the appropriate content.

4. The Link Menu, in the top right corner, lets you refresh the console data, set
personal preferences, view product version information, and access the
online help procedures.


Management Console Navigation

When you first log into the Management Console, the Dashboard page appears.
The navigation pane, on the left side of the page, provides quick and easy access
to different functional areas in which you perform specific management tasks.

The functional areas group similar tasks together and include the following
categories:
Overview
Provides access to the Dashboard, which displays an instant assessment of
CA Total Defense and the endpoints in your organization. Check the
Dashboard at the beginning of each day for a view of the overall status of
your network's health.

Monitor
Provides access to the event viewing and reporting areas. Use these areas of
the console regularly to review high-priority events and to view, schedule,
and generate reports.

Maintain
Provides access to policies, partitions, endpoints, and endpoint deployment.
In most cases, you will use this area of the console primarily during product
implementation, and only periodically after implementation to adjust
policies, deploy the product to new endpoints, or add new product features
to endpoints.

Configure
Provides access to features such as User Management, Endpoint Discovery,
Licensing, Management Server Proxies, and Database Maintenance that may
require periodic use or configuration. Typically, you will use this area less
frequently than other areas of the console.


The following screenshot shows the navigation pane:

To access the functions in the categories, expand the headings to navigate to the
area you want to access. A down arrow indicates the heading is fully expanded.
A right arrow indicates that you can drill down further into a functional area.

Filter and Find Tools

The Management Console provides a Filter tool and a Find tool to help you
quickly locate and work with specific items or information.

These tools appear on pages that can potentially display long lists of data. To use
these tools, click the down arrow to the left of the tool's label to expand the pane
and display the options available for filtering or searching. The options available
vary, based upon the content of the page.

The Find tool finds the first item that matches criteria you specify and highlights
that item in the list, keeping all non-matching items on the page for your
reference. You can use the Next and Previous buttons to move to the next or
previous occurrence of the item. This allows you to view or work with a selected
item and still refer to other items on the page.


The Filter tool allows you to display only the items that match the specified filter
criteria and removes all other data from the page. This allows you to view or
work with only a subset of the data.

The Filter tool also provides the Retrieve New List option to help you to view an
updated list from the Management Server before you perform any filtering
operations. When you select the Retrieve New List option and click Submit, the
Management Console retrieves the new list and applies the specified filter
options to display only the items that match your criteria.

You can use the Filter tool on the Managed Endpoints and Unmanaged Endpoints
pages to enter a character or text string into the Endpoint Name option, to view
only the items with the matching character or text string.

You can use the * wild card to represent one or more characters, or the ? to
represent a single character. For example, to find all endpoints with names
beginning with XP, enter XP* in the Endpoint Name field. The filter displays all
endpoint names beginning with XP, regardless of the length of the name. If you
enter XP? in the Endpoint Name field, the filter displays only those endpoints
named XPA, XPB, XPC, and so on.
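The wildcard rules just described, as an added example that is not part of this guide or of CA's own code. It translates a Filter tool pattern into an anchored regular expression, following the page's wording exactly (* stands for one or more characters, ? for exactly one), and applies it both the way the Filter tool does (keep only matches) and the way the Find tool does (keep the whole list, return the matching positions). Case-insensitive comparison, the function names, and the sample endpoint names are assumptions made for the example.

```python
"""Endpoint Name wildcard matching (added example, not CA code)."""
import re
from typing import List, Pattern


def wildcard_to_regex(pattern: str) -> Pattern[str]:
    """Translate the Filter tool's wildcard syntax into an anchored regex.

    '*' matches one or more characters and '?' exactly one, as the guide
    states. Every other character is matched literally, so names containing
    '.' or '-' behave as expected. Case-insensitive matching is an assumption.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".+")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def filter_endpoints(names: List[str], pattern: str) -> List[str]:
    """Filter tool behaviour: return only the names that match the pattern."""
    rx = wildcard_to_regex(pattern)
    return [n for n in names if rx.match(n)]


def find_endpoints(names: List[str], pattern: str) -> List[int]:
    """Find tool behaviour: keep the whole list and return the positions of
    the matches; Next/Previous step through these positions."""
    rx = wildcard_to_regex(pattern)
    return [i for i, n in enumerate(names) if rx.match(n)]


# Constructed sample endpoint names; not taken from the original page.
SAMPLE_ENDPOINTS = ["XPA", "XPB", "XP-FINANCE-01", "WIN7-LAB", "xpc", "SRV-XP", "XP"]


if __name__ == "__main__":
    print(filter_endpoints(SAMPLE_ENDPOINTS, "XP*"))   # names beginning with XP
    print(filter_endpoints(SAMPLE_ENDPOINTS, "XP?"))   # XPA, XPB, xpc only
    print(find_endpoints(SAMPLE_ENDPOINTS, "XP?"))     # positions in the full list
```

Note that under the page's "one or more characters" definition the bare name XP is not matched by XP*; enter XP without a wildcard to match it exactly.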

Ease of Use Features

When working in the Management Console, consider using the following features
for easy access to functions and to personalize your workspace:
■ Hover your cursor over buttons, drop-down menus, and links to view tool
tips.
■ Use right-click pop-up menus, rather than Toolbar buttons or drop-down
menus, to access functions in the Work Area.

■ Hover your cursor over table data to view additional text descriptions.

■ Click column headings to sort the data in either ascending or descending
order.
Some tables provide multiple column sorting. If so, you will see a number
displayed in the column heading. Specify a primary and secondary column,
and so on, before sorting the columns.
■ Drag and drop columns in tables to place them in a different order.

■ Drag and drop installation packages to assign them to specific managed or
unmanaged endpoints.
■ Drag and drop policies to assign them to branches in the Policy Assignment
Tree.
■ Use page numbers and arrow buttons to quickly access specific pages in a
table.


Open the Management Console

You can open the Management Console on the computer that hosts the
Management Server or from a remote computer using a web browser.

To open the console from the Start menu on the computer hosting the
Management Server

1. Click Start, Programs, CA, Total Defense, Endpoint Protection, Management
Console.
The Login dialog appears.
2. Enter your user name and password.
The user name is not case-sensitive, but the password is.
Note: The Domain field is only required if the user account you are logging
in as is not a user on the local system.
3. Click Login.
The Management Console appears and displays the default Dashboard
panels.

To open the console from any system using a web browser

1. Enter one of the following URLs in the address bar of the browser, and then
click Go:
■ https://<servername>/catd
■ https://<servername>:<port>/catd
Where:
<servername> is the name or IP address of the computer hosting the
Management Server.
<port> is required if you specified an alternate port number during
installation of the Management Server.
2. Follow steps 2 and 3 in the previous procedure.

Install the CA Security Certificate

The first time you open the Management Console, a Security Alert Dialog may
appear. To avoid this dialog in the future, click View Certificate, Install
Certificate, and follow the prompts in the wizard.

Chapter 2: Monitoring Your Network's
Health
This section contains the following topics:
Dashboard (see page 27)
Reports (see page 29)
Events (see page 37)

Dashboard
The Dashboard provides information that helps you monitor the health of the
endpoints on your network. Check it at the beginning of your day to see the
activity of the last 24 hours. You may also want to view the Dashboard
periodically for updates as data is refreshed or to view the activity of the last
7-day period.

When you first log into the Management Console, it displays four default
Dashboard panels, in a side-by-side layout. The default panels include the
following information:
■ Signature status

Lets you review the latest signature version and download date, and the
number of endpoints that have valid or out-of-date signatures.
■ Malware status
Shows you the number of endpoints that require attention because they are
currently infected or require a reboot to complete the cleaning process.
You can also see the number of endpoints that fall into these categories:
■ Clean
■ Infection was disarmed
■ Information not yet reported to the Management Server


■ Endpoint Status
Shows you the number of managed and unmanaged endpoints, as well as
the number of unsuccessful deployments of the CA Total Defense
Agent/Client. Managed endpoints are workstations, desktops, laptops, or
servers in your organization that are running the Client and that have
phoned home to the Management Server. Unmanaged endpoints do not
have the Agent/Client installed and are at risk.
■ CA Global Advisor
Gives you immediate access to the latest research and blogs from the CA
Security Advisor website. Click a link to view an article or go directly to the
CA Global Security Advisor website.

An additional panel, the Server Monitor, is also available, but not part of the
default Dashboard. This panel provides basic operating, hardware, and
networking information on the system running the Management Server. You can
view this panel by expanding Panels in the Navigation Pane and then selecting
the Server Monitor.

More Information

Refresh Dashboard Content (see page 104)
Manage Dashboards (see page 104)

Custom Dashboards

The Management Console lets you create a custom Dashboard that contains the
information that you find most useful. To create a custom Dashboard, you can
click the New button and set the options in the Create Custom Dashboard dialog
to choose the panels to include and the panel layout to use. You can choose
panels by selecting them from a dialog or by dragging and dropping them into a
new, blank Dashboard.

You can also specify whether this custom Dashboard should be the new default
Dashboard. If you save your custom Dashboard as the new default Dashboard,
the Management Console displays it automatically each time you log in.

Once you have created a custom Dashboard, it appears in the Navigation Pane
on the left side of the Management Console, just beneath the Dashboards item.
To view a custom Dashboard that is not the new default Dashboard, click the
Dashboard's name in the Navigation pane. You can also edit or delete custom
Dashboards.

More Information

Create Custom Dashboards (see page 106)


The Dashboard and Partitions

Note: This information only applies to your implementation of CA Total Defense
if you are using multiple partitions (branches) in your Partition Assignment Tree.
If you have not added partitions to the Partition Assignment Tree, you can skip
this section.

If you have created multiple partitions to allow other users, or groups of users, to
manage specific endpoints, these users can view partition-specific information
for the Signatures and Malware panels. To view partition-specific information,
you select the appropriate partition from the Partition drop-down menu. The
Dashboard then displays information for the selected partition only in these two
panels. The Endpoints panel does not support partition-specific views.

More Information

Policy and Partition Tree Concepts (see page 47)
User Role Management (see page 96)

The Dashboard and User Roles

If you have assigned User Roles within your organization, certain roles may or
may not have privileges to view the data presented in the Dashboard. The
Partition drop-down menu only presents the partitions that a user has the rights
to view. If the user does not have any partition privileges, the partition-specific
panels display a message stating the information is unavailable for this user.

For example, a User Manager cannot view the Signatures or Malware panels. If
he attempts to view these panels, they display a message that states he does not
have the privileges to view the information. However the User Manager can view
the Global Security Advisor panel.

Reports
CA Total Defense provides numerous out-of-the-box reports for all product
components, as well as easy-to-use templates that let you create fully
customized reports. You can also choose from several output formats and
viewing options.


The Report Server gathers data from several different resources when
generating reports. Depending on the type of report, the report data comes from
one of the following resources:
■ The Events database provides information about endpoint events related to
CA Total Defense product components, such as Anti-Malware, Proactive
Protection, and Groupware Option.
■ The CA Total Defense Management Server database provides information for
reports that provide information regarding policies and endpoints.
■ The CA Total Defense for Unified Network Control Management Server
database provides information for reports related to CA Total Defense for
Unified Network Control.

All reports are saved locally on the Report Server. You can view all reports using
the Management Console or any of the additional methods described in this
section.

More Information

Predefined Reports (see page 32)
Reports and Partitions (see page 36)
Reports and User Roles (see page 36)

Report Generation

You can manually generate reports at any time, or schedule report generation to
occur automatically at a specific time or at regular intervals.

You can manually generate reports using one of the following three methods:
■ From Configure Reports, select a product component, then one or more
reports, and click Generate.
■ From View Reports, select a report and click Regenerate.
■ From Scheduled Tasks, select the task and click Go.

To schedule report generation at regular intervals:
■ From Scheduled Tasks, select the task and click New or Edit, and specify the
time and frequency for report generation using the Scheduler options.

When you schedule reports, you can set all time-related fields, including the
report generation time, to match the time zone of the person who receives
the report. The time zone option lets you send the most current information
available to recipients in time zones that are different from your own.


More Information

View Reports (see page 115)
Create Scheduled Tasks (see page 151)
Configure Anti-Malware Endpoint Reports (see page 119)
Configure Anti-Malware Groupware Reports (see page 121)
Configure Firewall Reports (see page 124)
Configure Application Control Reports (see page 127)
Configure OS Security Reports (see page 129)
Configure Intrusion Protection Reports (see page 132)
Configure Vulnerability Assessment Reports (see page 135)
Configure SMTP Scanner Reports (see page 138)
Configure HTTP Scanner Reports (see page 141)
Configure Unified Network Control Reports (see page 143)
Configure Scorecard Reports (see page 145)
Configure Endpoints Reports (see page 146)
Configure Policies Reports (see page 148)

Report Viewing Methods

The Report Server provides different viewing methods and actions that allow you
to use the data in a variety of ways. When you configure reports, you specify the
viewing method or action of your choice. When the report is successfully
generated, the Report Server notifies you that it is ready for viewing.

You can view reports using the following methods:

Report Viewer
Displays reports directly from the Management Console. Use predefined or
custom filters to display only the reports you want to view. The Report
Server provides several predefined Report Filters and easy-to-use templates
that help you create custom filters.
Note: The web browser you use to view reports must have the pop-up
blocker disabled for the Total Defense Management Console URL. If pop-ups
are not disabled, any reports that you attempt to view from the View Reports
page in the Management Console will be blocked or result in a new page
overriding the console's current page.

Email

Delivers reports as email attachments or as emails that contain links to the
Report Catalog. This delivery action provides two options:
■ Send emails with attached reports to a list of recipients.
Note: Do not use this report action when you expect reports to be large.
■ Send emails that include HTML links to the generated reports to a list of
recipients. Click the links to view the reports through your web browser.


RSS Reader
Delivers generated reports to an RSS feed. When a report generation
completes, the Report RSS server is notified with a user-configurable
message. You must also set your RSS reader application to the Report RSS.
In addition, you can have the RSS message include a link to the Report
Catalog. The catalog displays all reports that were generated in this task,
with the size and the report type. When you click the link, you can view the
report through the web interface.

Print

Sends generated reports to a printer. The user initiating the report must
have permission to access the printer. Additionally, to print reports the
following must be in place on the Report Server machine:
■ A valid printer configured on the Report Server machine.
■ Adobe Acrobat Reader installed on the Report Server machine to print
reports in PDF format.
■ Microsoft Office Word 2003 (minimum) installed on the Report Server
machine to print reports in Microsoft Word format.

Upload
Uploads reports to an external folder located on the Report Server. The user
initiating the report must have permission to access the designated folder.

Run
Sends the report to an external application. The user initiating the report
must have permission to start and run the specified application.

More Information

View Report Filters (see page 112)
Create Report Filters (see page 112)
Manage Report Filters (see page 114)
View Reports (see page 115)

Predefined Reports

The View Reports page in the Management Console provides quick and easy
access to dozens of out-of-the-box reports that require no user configuration.
These reports are available once your product implementation is complete.

The following list describes some of the predefined reports:
■ Management Server reports that provide information about managed and
unmanaged endpoints, endpoints that do not have current signatures, and
textual descriptions of policies
■ Anti-Malware reports
■ Proactive Protection reports, such as firewall, application white-listing,
IDS/IPS, and OS security
■ Groupware reports
■ Security information reports, including reports concerning disabled
accounts, locked accounts, and accounts with expired passwords
■ Gateway Security reports for SMTP and HTTP

By default, predefined reports contain data for the previous seven days, but you
can customize the reporting period. You can also choose to run reports against
the current database or archived databases. These options are available when
you configure a new report or edit an existing report.

Unified Network Control Report Configuration

If you are using CA Total Defense for Unified Network Control, you can generate
and view certain UNC reports using the CA Total Defense Management Console.
To generate the reports, the Report Server queries the CA Total Defense for
Unified Network Control Management Server for the necessary report data.
Before this communication between products can occur, you must specify the
location of the CA Total Defense for Unified Network Control Management
Server.

To specify the location of the CA Total Defense for Unified Network
Control Management Server

1. On the computer hosting the Report Server, open the following file in a
text editor:
<Install_dir>\Program Files\CA\TotalDefense\EventSettingManager\SettMngr_EventSettingManager_exe\Topology.XML
2. Add the following entries to the file, replacing UNC_Server_Location
with the appropriate information for your site:

<TopologyNode Type="EverestReporter">
    <HostDNS>UNC_Server_Location</HostDNS>
    <HostWCFURL>https://UNC_Server_Location:34443/UNCWS/management.asmx</HostWCFURL>
</TopologyNode>

3. Save the file and restart the "CA Total Defense Setting Manager" service.
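The edit in step 2, done with a script instead of a text editor, as an added example that is not part of this guide or of CA's own code. It inserts the EverestReporter TopologyNode with the HostDNS and HostWCFURL values shown above, updates the node in place if one already exists (so running it twice does not produce duplicate entries), and rejects a value that is not a bare host name, since the HostWCFURL is built from it. The root element and the other node in the constructed sample file are assumptions; only the EverestReporter node and its two children come from the procedure above. The function names and the host name are also constructed for the example.

```python
"""Add or update the EverestReporter node in Topology.XML (added example, not CA code)."""
import re
import xml.etree.ElementTree as ET
from typing import Dict

REPORTER_TYPE = "EverestReporter"
# URL shape taken from step 2 above; only the host part is substituted.
WCF_URL_TEMPLATE = "https://{host}:34443/UNCWS/management.asmx"
# Bare DNS host name: labels of letters, digits and hyphens, no scheme or path.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

# Constructed sample Topology.XML. The real file's root element and other
# nodes are not shown on the page; this skeleton is an assumption.
SAMPLE_TOPOLOGY_XML = """<Topology>
  <TopologyNode Type="EventServer">
    <HostDNS>events.example.internal</HostDNS>
  </TopologyNode>
</Topology>
"""


def _find_reporter(root: ET.Element):
    for node in root.findall("TopologyNode"):
        if node.get("Type") == REPORTER_TYPE:
            return node
    return None


def _set_child(node: ET.Element, tag: str, text: str) -> None:
    child = node.find(tag)
    if child is None:
        child = ET.SubElement(node, tag)
    child.text = text


def add_unc_reporter_node(xml_text: str, unc_host: str) -> str:
    """Return the XML with an EverestReporter node pointing at unc_host.

    An existing EverestReporter node is updated rather than duplicated.
    """
    if not HOSTNAME_RE.match(unc_host):
        raise ValueError(f"UNC_Server_Location must be a bare host name, got {unc_host!r}")
    root = ET.fromstring(xml_text)
    reporter = _find_reporter(root)
    if reporter is None:
        reporter = ET.SubElement(root, "TopologyNode", Type=REPORTER_TYPE)
    _set_child(reporter, "HostDNS", unc_host)
    _set_child(reporter, "HostWCFURL", WCF_URL_TEMPLATE.format(host=unc_host))
    return ET.tostring(root, encoding="unicode")


def reporter_entries(xml_text: str) -> Dict[str, str]:
    """Read back the child elements of the EverestReporter node (empty if absent)."""
    reporter = _find_reporter(ET.fromstring(xml_text))
    if reporter is None:
        return {}
    return {child.tag: (child.text or "") for child in reporter}


def count_reporter_nodes(xml_text: str) -> int:
    root = ET.fromstring(xml_text)
    return sum(1 for n in root.findall("TopologyNode") if n.get("Type") == REPORTER_TYPE)


def update_topology_file(path: str, unc_host: str) -> None:
    """Apply the change to a file on disk (path is the Topology.XML from step 1)."""
    with open(path, "r", encoding="utf-8") as fh:
        original = fh.read()
    updated = add_unc_reporter_node(original, unc_host)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)


if __name__ == "__main__":
    result = add_unc_reporter_node(SAMPLE_TOPOLOGY_XML, "unc.example.internal")
    print(result)
    print(reporter_entries(result))
```

After writing the file, step 3 still applies: restart the "CA Total Defense Setting Manager" service so the Report Server picks up the new node.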

Custom Reports

The Report Server provides a powerful report customization feature that lets you
create your own reports that include only the data you need. You can filter report
data down to the smallest detail of an event.


To create a new report, navigate to Monitor, Reports, Configure Reports. Select
the product component for which you want to create a report and the existing
report templates for that component appear. Select a template and click New to
create a new report, Duplicate to make an editable copy, or Edit to modify the
existing template.

With the report template open, you can specify the content for the report. Once
you have saved the report, click Generate to submit the report for generation.

More Information

Customize Report Scheme (see page 153)

Custom Report Logo

You can include your company logo on your reports, and modify the header and
footer information to customize the look and feel of your reports.

You can replace the CA logo that appears in both default and custom reports with
your company logo.

To fit properly in the logo space of the report, the logo image you use must fit
within the following guidelines:
■ Width up to 145 pixels
■ Height up to 45 pixels
■ Background color: RGB 0x2D3133 (Decimal values: Red = 45, Green = 49,
Blue = 51)

For more information on the size and background color requirements, use an
image editor to view the default image properties on the Report server at
<installation_directory>\GeneratedData\Images.

Report Formats and Layouts

When creating reports, you can choose from the following output formats:
■ HTML

Note: We do not recommend using the HTML format for large amounts of
data.
■ PDF


■ Microsoft Word
■ CSV (comma separated values)

Note: The CSV report output uses UTF-8 encoding and should be used for
importing data to other applications and not for report viewing.

Note: To print reports in Microsoft Word format, the user account issuing the
print command must have Administrator permissions. You can set up the
account and the appropriate privileges once the print command is issued from
the Management Console. If necessary, you can create an account for an
existing, active user with the appropriate print permissions and a non-expiring
password. To set up this user in the Management Console, go to the Reports,
Settings, Reporter Permissions page.

The layout of the report depends on the report data type. For example, certain
types of data display better in a given format. The following report layouts are
available:
■ Table
■ Pie chart
■ Bar chart

Report Maintenance

By default, the maintenance process automatically purges any reports older than
seven days. When reports are purged, they are permanently deleted from the
Report Server. However, you can exclude a report from purge so it is not deleted.

To change this setting, you can modify the purge date on your reports from the
Monitor, Reports, Settings, Maintenance page.

You can also use Report Filters to help you remove a group of older reports you
no longer need. To do this, you create a custom Report Filter specifying criteria
that matches the reports you want to delete. Apply the filter by selecting it on the
View Reports page, and, when the matching reports appear, select the entire
group using the Shift or Control keys and click Delete. The reports are
permanently deleted.

More Information

Maintain Report Storage (see page 154)
View Reports (see page 115)


Reports and Partitions

Note: The following information is only applicable if you are using multiple
partitions to manage endpoints.

The Report Server enforces partition assignments for the Reporter user role in
the following scenarios:

When reports are generated
Only events generated from partitions the user is assigned to are included in
the reports that the user generates. If the database contains events from
partitions the user is not assigned to, the generated reports are empty.
Partition enforcement also applies to Scheduled Tasks. All reports hosted
within the task use partition enforcement for the user that executed or
configured the task.

When reports are viewed through the Reports, View Reports page
Only events generated from partitions the user is assigned to appear in the
reports that the user views in the Management Console. If the requested
report includes data from partitions the user is not assigned to, the request
to view the report is denied.

Note: When you send a report as an email attachment, send it to a printer, or
upload it to an external folder, you bypass the partition enforcement. The
partition enforcement for a user can only be applied when viewing reports
through the Event Viewer in the Management Console. Avoid using the Email,
Print, and Upload actions to ensure that partition owners can view only their
assigned partition content in reports.

Note: Partition enforcement does not apply to CA Total Defense for Unified
Network Control reports.

Reports and User Roles

The following user roles can view, delete, create, modify, and schedule reports
regardless of their partition assignments:
■ Administrator
■ Global Policy Manager
■ Partition Policy Manager
■ Global Reporter
■ Partition Reporter Roles

Once they generate a report, the data presented in the report is filtered to only
include events from the partition they are entitled to manage based on their role
assignment.


More Information

Manage User Roles (see page 577)
View the User Role Details (see page 579)
Add or Remove Users from User Roles (see page 580)

Events
An event is any CA Total Defense related action or condition that occurs on an
endpoint running the Client or any of the server or proxy components. The
following product components generate events:
■ Anti-Malware
■ Proactive Protection (Firewall, Intrusion Detection, Application Control, and
OS Security)
■ Vulnerability Assessment
■ Groupware Option
■ CA Gateway Security
■ CA Total Defense Server
■ CA Total Defense Agent
■ CA Total Defense for Unified Network Control

Events are categorized as High, Medium, or Low severity, allowing you to filter
the events you want to monitor.

Event Management

Based on your configuration, managed endpoints forward their events directly to
the Event Server or to an Event Server Proxy. If events are forwarded to an
Event Server Proxy, the proxy acts as a "store and forward" device, collecting
events and then sending them to the Event Server. The Event Server stores
events in the central Events database, which maintains a wide variety of event
data that you can search and view using the Event Viewer in the Management
Console.

The Event Management policy controls the type of information sent to the Event
Server. If you do nothing, the endpoints in your organization receive the
CA-recommended Event Management policy when you deploy the Client to the
endpoints. In addition the policy controls the number of times an attempt is
made to forward events and the total number of attempts made if the initial
attempt to forward the event fails.

Chapter 2: Monitoring Your Network's Health 37

The default CA-recommended policy specifies that events are forwarded directly
to the Event Server. You can modify the policy to change the types of events that
are forwarded, how frequently they are forwarded, and whether they are
forwarded directly to the Event Server or to an Event Server Proxy.

If you are in a large enterprise organization, or have offices that are widely
dispersed, CA recommends forwarding events to a set of Event Proxy Servers.
The proxies then forward all events directly to the central Event Server located in
your organization's IT headquarters. Smaller organizations can choose to
forward events directly to the Event Server.

More Information

Create Event Management Policies (see page 239)
Configure Event Management Policy Name and General Settings (see page 240)
Configure Event Server Settings (see page 241)
Configure Event Management Filter Options (see page 243)
Configure Event Management Transmission Options (see page 245)

Viewing Events

Once events are stored in the Event Server database, you can view and analyze
the content of the events using the Event Viewer. The Event Viewer provides
default event filters that help you filter the events to display only the events you
are interested in viewing. You can create your own event filters to display the
specific information from the events database.

Best Practice Tip! The larger your organization, the larger your Events
database will be. We recommend creating filters that use a two-week time
interval (or less). This creates a filter with a reasonable execution time that
returns a reasonable amount of data. If you need data from a greater period of
time, we recommend scheduling a report task to generate a report. You can
then analyze the requested data using the report.

More Information

View Events (see page 156)
View Event Filters (see page 157)
Create Event Filters (see page 159)

Events Statistics

The Statistics page helps you view the status of the Events database. It shows
the current amount of disk space that the database is using. When the used disk
space becomes too large, you can perform immediate maintenance by going to
Configure, Environment, Maintenance, Run Now. You can also specify that upon
archiving the database, the Event Server switches to a new database.

Note: We recommend scheduling regular maintenance to avoid accidentally
running out of disk space or overloading the database. To set up regular
maintenance, go to Configure, Environment, Maintenance, Schedule.

You can also use the Statistics page to review all events by their producer and by
their severity type. Based on your selection, the page displays the information in
graphical bar charts, percentage tables, and numerical tables.

More Information

View Statistics (see page 160)
Maintain the Event Server (see page 569)
Archive the Event Server (see page 573)
Set Storage Preferences (see page 568)

Record Deletion and Archival

Over a period of time the Events database grows in size and can become quite
large. A large database can increase the event filter execution time and slow
down other database operations. However, you can perform the following
procedures to maintain and control the size of the database:

Maintenance

Delete old records or delete records that match a custom filter you create to
find the records you want to delete. You can choose to delete older records
from the database manually, using the Run now option, or automatically
using the Scheduler option.

If the database is quite large, it may take a long time to delete the records. If
you do not want to engage the database and use up CPU cycles on the record
deletion task, you can specify that the deletion not run longer than a set
period of time. Upon reaching the allotted period of time, the current
deletion operation will stop at its first available opportunity. Note that using
this option may prevent the deletion of some of the older data in the
database.


Additionally, you can delete records using an event filter. For example, go to
Monitor, Events, Events Viewer, Filter Events in the Management Console.
Then click New to create a new filter based on a type of event, such as all Low
severity events for the Anti-Malware component. Once the filter is created,
go to the Events Viewer, select the new filter you created and click Delete
Events.

Best Practice Tip! We recommend performing data deletion operations
during off-peak hours when there are fewer operational demands on the
database.

Archiving

Switch to a new, fresh database and keep the previous database as an
archive.

As part of regular database maintenance, you can perform archiving on a
conditional basis, when the database reaches a specific size, or automatically
on a regular schedule. Once an archival action occurs, the Events
database switches to an entirely new database, placing the previous
database in an archived state on the Microsoft SQL Server. Note that you
may still create and execute filters and reports using the archived data.

Note: If you selected Microsoft SQL Server Express Edition during the
installation of CA Total Defense, archiving is critical, as the database
size is limited to 4 GB. Once that limit is reached, new data cannot be
inserted into the database. You must configure archiving to occur when the
database reaches 3.5 GB to avoid operational errors.

Best Practice Tip! We recommend that you schedule maintenance to occur
on a regular basis to improve event filtering performance.

More Information

Maintain the Event Server (see page 569)
Schedule Event Server Maintenance (see page 570)
Archive the Event Server (see page 573)
View Archive History (see page 575)
View Archived Databases (see page 576)

Events and User Roles

Note: The following information only applies to your environment if you have
assigned CA Total Defense User Roles to specific users or groups of users. If you
have not assigned User Roles, you can ignore this section.

CA Total Defense User Roles enforce user permissions when viewing events on
the Event Viewer page. The following list describes the permissions for each role:

Administrator
Views and deletes events generated from all partitions, including the
Unassigned partition.

Global Policy Manager
Views and deletes events generated from all partitions, including the
Unassigned partition.

Global Reporter
Views and deletes events generated from all partitions, including the
Unassigned partition.

Partition Policy Manager
Views events generated only from the partitions the user manages.

Partition Reporter
Views events generated only from the partitions for which the user is
assigned the Reporter role.

Audit Archivists and User Managers cannot view any events.

Note: If you filter events against partitions that you are not entitled to view, no
events will be displayed in the Event Viewer.

More Information

Assigning User Roles (see page 96)
Manage User Roles (see page 577)

Unassigned Partition

If you have endpoints in your organization that have not yet phoned home to the
Management Server, and therefore have not yet been assigned to a partition,
the events for those endpoints are placed in the Unassigned Partition. This
partition lets you view the events for those endpoints that do not yet belong to a
specific partition. When the endpoint eventually phones home and is placed into
a partition, its events will no longer appear in the Unassigned Partition.


High Severity Events

High severity events vary by component, and include:

Management Server
■ Active Directory synchronization failed
■ Management Server Proxy synchronization failed
■ Internal error occurred. Contact Technical Support if this occurs.
■ License is in the grace period and less than 15 days remain prior to license
expiration
■ License expired and you are unable to log into the Management Console.

Anti-Malware and Groupware

Sends high-severity events when malware items rated High or Critical risk
are detected.

Proactive Protection Application Control / Intrusion Protection /
Firewall / OS Security

By default, Proactive Protection policies do not send events with High
severity.

Agent

Sends high-severity events when an accepted real-time policy fails to be
applied to the client.

CA Gateway Security SMTP

Sends high-severity events under the following circumstances:
■ A malware item with High or Critical risk level is detected.
■ A scanned message is classified as a phishing message.
■ A scanned message includes an embedded URL link classified as a
Malicious site or Spyware.
■ A scanned message is classified with the Confidential Lost report
attribute.

CA Gateway Security HTTP

Sends high-severity events under the following circumstances:
■ A malware item with High or Critical risk level is detected.
■ A URL link classified as Malicious site or Spyware is accessed.
■ A scanned object is classified with the Confidential Lost report attribute.

Proactive Protection Vulnerability Assessment

Sends high-severity events under the following circumstances:
■ The Vulnerability Assessment client encounters an error while scanning
the local security configuration and is not able to complete its report.
■ The Vulnerability Assessment client reports a local user account that
does not require a password to sign on.
■ The Vulnerability Assessment client reports a share that allows access
without requesting user credentials.

Event Insight

Event Insight is a subcomponent of the Event Layer that monitors the event
stream and generates email notifications with a statistical summary when
certain conditions are met. The statistical information includes the following:
■ Total events matching the Event Insight filter
■ Measurement time interval
■ First event occurrence
■ Last event occurrence

The following list contains the supported Event Insight filters:
■ Total Viruses with infection still present
■ Total Spyware with infection still present
■ Total Malware with High or Critical risk level
■ Total High severity events accepted
■ Total Medium severity events accepted
■ Total Low severity events accepted
■ Total events indicating that the Management Server may be unable to
function properly
■ Total License events accepted
■ Total Proactive Protection High severity events accepted
■ Total events indicating a Policy deployment failure on the Endpoint
■ Total events indicating that scanning is disabled on an Endpoint

The Event Insight module does not have a graphical user interface. For
information on tuning and setting Event Insight, contact CA Support.


Events Flow Diagram

Events from endpoints and/or Event Server Proxies are posted to the IIS Event
site from the event bus, using either HTTPS or HTTP (as you specify).

On the IIS Event site, the events are captured and forwarded to the Event Server
using an MSMQ channel and stored in a local storage queue (MSMQ queue).

The database server pulls the stored events from the Event Server using the
MSMQ channel and stores them on the Microsoft SQL Server database (or
Microsoft SQL Server Express).

The Notification Consumer component is registered to the Event Server event
bus, and accepts only Notification Events from the event bus.

Notification Events are events containing an action to be taken, such as an
email, RSS, or Windows message. The Notification Events are then pushed to the
Notification Processor component for execution using the WCF channel.

Requests from the Management Console are handled by the TD R12 site on the
IIS machine.

The site hosts the Event layer client component that acts as a proxy between the
Management Console and the Event Management components. Communication
between the client proxy and the Event Management is implemented by a WCF
channel.

Three Event components are accessed by the client proxy:

Settings Manager

Stores general event settings such as database connections, database
archiving settings and history, and database maintenance settings and history.
Settings Manager is also a distributing component that distributes the
settings file to all other event components each time the settings file is
changed through the Management Console (using an MSMQ channel).

Report Server
Provides access to the client proxy to manage any operation related to
Reports and Event filters, such as create, delete, view, or generate.

Notification Processor
Provides access to the client proxy to manage any operation related to
Notification management, such as view, edit, delete, or generate.


This flow is represented in the following diagram:

Chapter 3: Maintaining Your Environment

This section contains the following topics:
Policy and Partition Tree Concepts (see page 47)
Tree Operations (see page 58)
Policy Concepts (see page 60)
Endpoint Management (see page 63)

Policy and Partition Tree Concepts

CA Total Defense allows you to group endpoints according to specific attributes
to assign policies to endpoints and to allow different IT groups to manage local
endpoints. These groupings are defined in two types of tree structures:

Policy Assignment Trees
Lets you assign specific policies to different groups of endpoints within a
partition. For example, you can have an Anti-Malware Real-time policy for all
desktops in your organization and a different Anti-Malware Real-time policy
for all application and database servers. Using the Anti-Malware Real-time
Policy Assignment Tree you can create two separate branches. One branch is
assigned the desktop Anti-Malware Real-time policy and the other branch is
assigned the application and database policy.
Note: Each policy type in CA Total Defense has its own unique Policy
Assignment Tree.

Partition Assignment Tree
Lets you group endpoints together for the sole purpose of delegating the
management of those endpoints to other users or groups. For example, you
can create separate partitions so that regional IT departments can manage
local endpoints. There is only one Partition Assignment Tree for your entire
organization. It may or may not contain multiple partitions. Creating
partitions is optional and is not necessary if a single user or group manages
all of the endpoints for your organization.

Important! If you create multiple partitions in your Partition Assignment
Tree, a unique set of Policy Assignment Trees exists for each policy type, in
each partition. For this reason, it is important to consider whether creating
partitions in the Partition Assignment Tree is necessary for your
organization.


When you install the Management Server, a default Partition Assignment Tree
and default Policy Assignment Trees for each policy type are automatically
created for you. These default trees are set up so that all endpoints are initially
accounted for and receive the default CA-recommended policies. You can use all
of the default trees as initially installed or you can modify some or all of the trees
to meet specific management requirements within your organization.

Best Practice Tip! We recommend that you carefully read and fully understand
how these trees work before making any modifications to them.

The Root Branch

Each tree has a root branch that is automatically created when you install the
Management Server.

The root branch of each Policy Assignment Tree is called Policy Tree Root. You
cannot change this name.

The root branch of the Partition Assignment Tree is called Managed Endpoints.
You can change the name of the root branch of the Partition Assignment Tree to
something that is more meaningful to your organization or you can use the
default name.

To change the name of the Partition Assignment Tree root branch

1. Open the Partition Assignment Tree page, and select Managed Endpoints.
2. Click Lock to lock the tree.
3. Click Edit.
4. On the Branch Properties page, enter a new name in the Name field.
5. (Optional) Enter a description in the Description field.
6. Click Apply to save your changes.

Parent and Child Branches

To achieve specific management goals, you can subdivide the root branch of the
tree structures and create additional branches. These branches can also have
sub-branches, forming a parent and child relationship. The child branches can
also have child branches, and so on.

You create a new branch by subdividing the root branch or a previously created
branch. Each branch can be subdivided according to one of five different
dimensions, or criteria. When you subdivide a branch for the first time, you must
select one of the five branch subdivision options. You can only subdivide a
specific branch using one subdivision option. Sibling branches (branches at the
same level of the tree with the same parent) can only be added using the same
subdivision option as the initial child branch. However, you can use
other options to subdivide any of the child branches. That is, the initial method
you choose to subdivide one branch does not affect the choices available for
subdividing any of its child branches. This gives you complete flexibility when
creating trees.


The following diagram shows a root branch subdivided initially by the IP Address.
Its sibling branch must also be based on the IP Address option. However, the
child branches are defined using the Platform option.

Note: You must assign each branch in the Partition Assignment Tree a unique
name. Duplicate names are not allowed in this tree. However, duplicate names
are permitted in the Policy Assignment Tree, as long as they are not both
children of the same parent branch.

More Information

Branch Subdivision Options (see page 52)
Manage Policy Assignment Branches (see page 203)

About the Other Endpoints Branch

Each time you initially subdivide a specific branch, the Management Server
creates an additional branch for all endpoints that do not fall into the new
branch. In Policy Assignment Trees, the name of this branch is always “Other
Endpoints.” In the Partition Assignment Tree, the name of the additional branch
is Other Endpoints or Other Endpoints (n) where n is an incremented integer
starting at 1. The integer is incremented for each new branch, as partition names
in the Partition Assignment Tree must be unique.

For example, if you subdivide the root branch of the Partition Assignment Tree by
platform type and specify Windows 2000, all endpoints with this operating
system are assigned to this partition when they phone home. Endpoints with a
different operating system are assigned to the Other Endpoints partition.

Best Practice Tip! We recommend that you change the name of the Other
Endpoints branch when the Management Console prompts you to do so. The
branch name should have some meaning that fits within your organization.


Branch Subdivision Options

The following list describes the options available for subdividing branches:
IP Address
Subdivides the branch by IP address. A branch can be defined by a single IP
address string or by a list of addresses. In addition, each string can point to
a single address, or, using wild cards or other notations, to a range of
addresses. This option supports trailing wild cards, Classless Inter-Domain
Routing (CIDR) notation, address and netmask notation, and IPv6 notation
to specify a subnet range.

Example                        Explanation

127.0.0.1                      A single IP address

141.89.*.*                     A range of IP addresses using trailing wild
141.89.*                       cards. Embedded wild cards, such as
                               141.*.89.*, are not permitted.

121.23.4.0/255.255.255.0       A range of IP addresses using an address
                               and a netmask

192.168.0.0/16 (IPv4)          A range of IPv4 or IPv6 addresses using
2001:db8::/32 (IPv6)           CIDR notation

2001:db8:85a3::8a2e:370:7334   IPv6 notation

Endpoint Name
Subdivides the branch using the names of the managed endpoints. You can
use an asterisk (*) wild-card to represent multiple characters, or a question
mark (?) to represent a single character. For example, an organization based
in Australia might use "AUS" at the beginning of each endpoint name.
Entering AUS* places all endpoints located in Australia into this branch.

Platform
Subdivides the branch based on operating system type. Using this category
you can create a partition for all endpoints running one or more specific
operating systems. For example, if you choose Windows 2008 Server, you
could create a partition for all the servers in your organization running this
operating system.

Active Directory
Subdivides the branch using your existing Active Directory structure. If you
are currently using Active Directory to manage the endpoints in your
organization, you can select any of the existing Active Directory structures
and use them to create one or more partitions in the Partition Assignment
Tree or branches in a Policy Assignment Tree. When you use this option, the
Management Console displays a representation of your Active Directory tree.
You only need to select the objects to use. You must first specify your Active
Directory instance using the Directory Services page under Configure,
Environment.

Custom Variable
Subdivides the branch based on a CA-provided variable or a custom variable
that you define on your endpoint.

For example, if you create a variable named ORACLE and set its value to 1,
and you then define a branch with the custom variable ORACLE and value of
1, then all endpoints with this variable and value would be placed into this
branch.

If more than one custom variable is defined for a branch, an endpoint only
needs to match one of the custom variables to be assigned to the branch.

To help identify specific components of CA Total Defense, CA pre-defines the
following variables with a value of 1 on endpoints with the indicated
component:
■ TDCLIENT for managed endpoints
■ TDMGMTSRV for the Management Server
■ TDMGMTPROXY for a Management Server Proxy
■ TDEVENTSRV for the Event Server
■ TDEVENTPROXY for an Event Server Proxy
■ TDREPORTSRV for the Report Server
■ TDGWMSEXCH for Groupware Exchange
■ TDGWMSSP for Groupware Microsoft SharePoint
■ TDGWLOTUSDOM for Groupware Lotus Domino
■ TDGWNETAPP for Groupware NetApp
■ TDCAGS for CA Gateway Security


To create a custom variable, use regedit to modify the following registry key:
\HKEY_LOCAL_MACHINE\SOFTWARE\CA\TD\CustomVariables

Adding a new entry under this key with a specific value defines a custom
variable with the same name and value as the registry entry.

Note: When you save a newly created branch, the Management Server scans
the new branch's subdivision rule(s) and compares them to your existing tree
structure. If the new branch's subdivision options are a subset of the parent
branch or found to be an overlapping range of the parent branch, an invalid tree
structure message is returned. Review the existing tree structure and correct the
values specified in the subdivision option.

More Information

Subdivide Partition Branches (see page 194)
Create or Edit a Partition Branch (see page 192)
Assigning User Roles (see page 96)

How Endpoints Are Assigned to Partitions and Branches

The partition and branch assignment process follows the subdivision rules until
an endpoint falls into an undivided branch or partition whose attributes match
those of the endpoint. The endpoint is then assigned to that branch or partition.

The following steps describe how endpoints are assigned to partitions and
branches:

1. The endpoint phones home to the Management Server.
2. The Management Server evaluates the endpoint's attributes and assigns it to
the appropriate partition in the Partition Assignment Tree.
3. Within that assigned partition, the Management Server then assigns the
endpoint to a particular branch in each of the Policy Assignment Trees (one
for each policy type) in that partition.

If you make modifications to a tree, the endpoint may then be assigned to a
different branch based on your changes. However, this will not occur until the
next time the endpoint phones home, at which time it will be assigned to its new
branch.

Note: Once a parent branch is subdivided, it is no longer a container for
endpoints that phone home. Any endpoint that fell into the parent branch will fall
into one of the new child branches the next time it phones home to the
Management Server. However, the endpoints that were initially assigned to the
parent branch remain there temporarily until their next phone home. When all
endpoints have phoned home, the parent branch no longer contains any
endpoints.
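The following is an added example (not CA's code) that models the Branch Subdivision Options table above and the phone-home assignment steps: each IP Address notation from the table, Endpoint Name wild cards, Platform, and Custom Variable rules, walked from the root until an undivided branch matches, with the automatically created Other Endpoints branch evaluated last. The class, function and endpoint names are hypothetical, the sample tree and endpoints are constructed, and the parent/child overlap validation the Management Server performs on save is not modeled.

```python
"""Model of how an endpoint is assigned to a branch of a Policy or Partition
Assignment Tree. Added example; names and sample data are hypothetical."""
import fnmatch
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Branch:
    name: str
    option: str = ""                     # subdivision option defining this branch
    values: list = field(default_factory=list)
    children: list = field(default_factory=list)
    other: bool = False                  # the auto-created "Other Endpoints" branch


@dataclass
class Endpoint:
    name: str
    ip: str
    platform: str
    custom_vars: dict = field(default_factory=dict)   # e.g. {"TDEVENTSRV": "1"}


def ip_matches(rule: str, address: str) -> bool:
    """Match one IP Address rule: a single address, trailing wild cards
    (141.89.*.* or 141.89.*), address/netmask, or IPv4/IPv6 CIDR notation."""
    addr = ipaddress.ip_address(address)
    if "*" in rule:
        octets = rule.split(".")
        fixed = [o for o in octets if o != "*"]
        # Only trailing wild cards are allowed: every octet after the first "*"
        # must also be "*", and at least one leading octet must be fixed.
        if not fixed or any(o != "*" for o in octets[len(fixed):]):
            raise ValueError(f"embedded wild cards are not permitted: {rule}")
        return addr.version == 4 and str(addr).split(".")[:len(fixed)] == fixed
    # ip_network accepts 192.168.0.0/16, 121.23.4.0/255.255.255.0, 2001:db8::/32
    # and a bare address (treated as a single-host network).
    net = ipaddress.ip_network(rule, strict=False)
    return addr.version == net.version and addr in net


def matches(branch: Branch, ep: Endpoint) -> bool:
    """Does the endpoint satisfy this branch's subdivision rule?"""
    if branch.other:
        return True                      # everything the sibling rules rejected
    if branch.option == "IP Address":
        return any(ip_matches(r, ep.ip) for r in branch.values)
    if branch.option == "Endpoint Name":  # * = many characters, ? = one character
        return any(fnmatch.fnmatchcase(ep.name, p) for p in branch.values)
    if branch.option == "Platform":
        return ep.platform in branch.values
    if branch.option == "Custom Variable":
        # With several variables on one branch, matching any ONE is enough.
        return any(ep.custom_vars.get(k) == v for k, v in branch.values)
    raise ValueError(f"unknown subdivision option: {branch.option!r}")


def subdivide(parent: Branch, option: str, *named_rules) -> None:
    """Subdivide a branch: all siblings share one option, and an Other Endpoints
    branch is added for endpoints that match none of the explicit rules."""
    parent.children = [Branch(n, option, list(v)) for n, v in named_rules]
    parent.children.append(Branch("Other Endpoints", other=True))


def assign(root: Branch, ep: Endpoint) -> list:
    """Follow the subdivision rules from the root until an undivided branch
    matches. A subdivided branch no longer holds endpoints itself."""
    path, node = [root.name], root
    while node.children:
        # Other Endpoints is sorted last so that explicit rules win.
        node = next(b for b in sorted(node.children, key=lambda b: b.other)
                    if matches(b, ep))
        path.append(node.name)
    return path


def sample_tree() -> Branch:
    """Constructed Anti-Malware tree: root split by Endpoint Name (RD*, CAS*,
    Other Endpoints), with the server branch further split by Platform."""
    root = Branch("Policy Tree Root")
    subdivide(root, "Endpoint Name",
              ("Research & Development", ["RD*"]),
              ("Critical Application Servers", ["CAS*"]))
    subdivide(root.children[1], "Platform",
              ("Windows 2008 Servers", ["Windows 2008 Server"]))
    return root


if __name__ == "__main__":
    tree = sample_tree()
    for ep in (Endpoint("RDdoe", "141.89.3.4", "Windows 2000"),
               Endpoint("CASsqldb", "192.168.10.5", "Windows 2008 Server"),
               Endpoint("OTjane", "2001:db8:85a3::8a2e:370:7334", "Windows 2000")):
        print(ep.name, "->", " / ".join(assign(tree, ep)))
```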

Policy Assignment Tree

The Policy Assignment Tree lets you create and assign policies to branches that
house groups of endpoints that you want to manage the same way. Each policy
type has its own Policy Assignment Tree. This provides you complete flexibility in
creating policies based on an endpoint's role or function.

Note: Each branch is assigned a single policy in each Policy Assignment Tree.
While a different policy can be assigned to each branch, a specific policy can also
be assigned to more than one branch. A branch can also have NO policy assigned
to it, which means that the endpoint users can set their own values for the
settings defined in this policy type.

For example, you could create three different Anti-Malware policies to protect
endpoints with the following functional roles:
■ Research & Development
■ Critical Application Servers
■ Desktops

Each Anti-Malware policy would have specific settings based on its general
function. To implement this policy coverage, you would create two sibling
branches (branches at the same level of the tree) in the Anti-Malware Policy
Assignment Tree. Suppose your organization uses a standard endpoint naming
scheme, so you decide to use the Endpoint Name subdivision option. The
Management Server creates the third branch automatically for all other
endpoints. All endpoints that do not fall into the first two branches will fall into
this branch.


The following illustration shows the resulting Anti-Malware Policy Assignment
Tree with three branches:

As endpoints phone home to the Management Server, they fall into the matching
branch and pull the policy assigned to that branch. An endpoint from Research
and Development named RDdoe picks up the policy from the Research and
Development branch. An endpoint named CASsqldb picks up its Anti-Malware
policy from the Critical Application Servers branch. An endpoint named OTjane
picks up the policy from the Other Endpoints branch.

Partition Assignment Tree

For organizations that have a single user or a single group of users responsible
for managing all of the organization's endpoints, there is no need to create
additional partitions beyond the default partition, Managed Endpoints. When you
use the default partition, all endpoints are managed by a single user or group.
Note that you can still assign different, customized policies to various endpoints
even though all endpoints are assigned to the same partition. To achieve this,
you use the Policy Assignment Tree.


The only reason to modify the Partition Assignment Tree is if there are different
users or groups of users who manage specific groups of endpoints. For
example, an IT department may have a group responsible for managing
database servers and another group responsible for managing all desktops. As
the CA Total Defense Administrator, you can create a partition for the database
servers and another one for the desktops. You can then assign certain
individuals, or the entire group, the appropriate user roles to manage the
endpoints.

Note: Creating multiple partitions adds a layer of complexity to the process of
managing endpoints, as you would assign individual users or groups of users to
manage each partition that you create. In addition, each partition has its own
unique set of Policy Assignment Trees for each policy type. This adds overhead to
your implementation and overall management of the product, as well as to the
Management Server. Carefully consider your management requirements before
you create additional partitions in the Partition Assignment Tree.

More Information

User Roles and Tree Management (see page 60)

How to Design Policy or Partition Assignment Trees

Each Policy Assignment Tree and the Partition Assignment Tree can easily
function using its root branch alone. If necessary, however, you can subdivide
the root branch of a tree to create additional partitions or branches and child
branches.

First, determine whether subdividing each of the default tree structures is
necessary to accomplish a specific management goal. Answer the following
questions to make this decision:

Does my organization have different users or different groups that are
required to manage certain groups of endpoints?

The only reason to modify the Partition Assignment Tree is if you have different
groups of users that are required to manage certain sets of endpoints. If you
have a small number of IT Administrators or a single Administrators group that
will manage all endpoints in the organization, you do not need to modify the
Partition Assignment Tree. Subdividing the Partition Assignment Tree adds
management overhead and is not recommended unless it is necessary to satisfy
your IT management organization.

Will the policies I need have different settings based on the types
of endpoints they protect?

The only reason to modify a Policy Assignment Tree is if you need to assign
specific policy settings to different groups of endpoints for a given policy type.
For example, if you need an Anti-Malware Real-time policy for servers and a
different Anti-Malware Real-time policy for other endpoints, you should
subdivide the root partition to support this implementation.

The following steps provide a general outline for designing a tree structure:

1. If subdividing a tree structure is necessary, plan the organization of the tree
using a simple hand-written diagram or other visual aid that shows the full
tree structure, including branches and any sub-branches.
2. Determine which subdivision options to use, based on your current network
organization or endpoint hierarchy.

If your organization uses a specific IP address or endpoint naming syntax,
these might be the easiest options to use to accomplish your goals. For
example, if there is a specific IP range for all endpoints in the Americas and
another IP range for endpoints in Europe, you can use the IP Address as the
subdivision option. You might then use the Platform or Endpoint Name
option to further divide the tree into business and application servers, file
and print servers, and then desktops and laptops.

If your organization uses Active Directory at the Organizational Unit (OU)
level and the structure is kept current, you may be able to create the tree
layout using your pre-existing Active Directory hierarchy. If the previous
options do not suffice, you can use custom variables to explicitly identify
specific endpoints that cannot easily be distinguished using one of the other
four branch subdivision options.

3. With your tree structure visually laid out, use the Management Console to
lock the default tree to avoid potential collisions with other users.
4. Create the new branches and sub-branches, as needed, by referring to your
diagrammed notes.
5. Review the changes and then save the new tree structure.

Tree Operations
The following sections describe behavior when common operations are
performed on the tree structures.


Locking Trees

Before you can modify a tree, you must first lock it by clicking the Lock button.
Locking the tree avoids collisions with other users who might also be attempting
to modify the same tree at the same time. Unless the tree is locked you cannot
make modifications to it. When you are finished modifying the tree, you then
click the Apply button to save your changes to the tree. Your changes are
committed to the Management Server database and the tree is unlocked.

Note: If a user accidentally leaves a tree locked and does not return to unlock it,
other users will be unable to modify the locked tree. However, a user with the
Administrator or Global Policy Manager role can use the Locked Trees page to
unlock a tree.

More Information

Manage Locked Trees (see page 218)

Tree Modifications

As you modify a tree structure, the Management Console retains your changes
until you are ready to finalize them and displays information about any branches
that have been added or modified in italic font. Before you save the changes,
verify that the tree structure satisfies your needs, and then click Apply. Once you
save the changes to the database, the Management Console displays the new
tree structure in normal, non-italic font.

Branch Deletion

If you have modified the default tree structures by adding additional branches to
the Policy Assignment Tree, or additional partitions to the Partition Assignment
Tree, you can delete a branch or partition at any time. When a branch or partition
is deleted, each endpoint in the deleted branch will receive a new branch
assignment the next time the endpoint phones home to the Management Server.

Before you delete a branch or partition, you can determine the endpoint's new
branch assignment by viewing the remaining partitions or branches subdivision
options and determining where each endpoint will land. In most cases, the
endpoint will fall into the Other Endpoints branch at the same level of the deleted
branch.

Note: If you are deleting a partition from the Partition Assignment Tree that has
child-partitions, you must first delete all of the lower level child partitions before
you can delete the parent partition. However, you can delete a branch in the
Policy Assignment Tree that contains child-branches.
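The branch-resolution and deletion behavior described above, as an added worked
example that is not part of this guide or of CA's software. It models a Policy
Assignment Tree whose branches carry the subdivision options named in this
chapter (IP address, endpoint name, platform, Active Directory OU, custom
variables), resolves an endpoint to a branch path, and previews where each
endpoint would land if a branch were deleted, before anything is committed. The
tree layout, the sample endpoints, the rule functions, and the two modeling
assumptions (the first matching sibling in tree order wins, and every subdivided
level has an implicit Other Endpoints branch) are the example's own, not
documented product behavior.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Callable

# Hypothetical model: every subdivided level has an implicit "Other Endpoints"
# child that catches endpoints matching none of the sibling rules.
OTHER_ENDPOINTS = "Other Endpoints"


@dataclass
class Endpoint:
    name: str
    ip: str
    platform: str
    ou: str = ""                                          # Active Directory OU DN
    custom: dict[str, str] = field(default_factory=dict)  # custom variables


Rule = Callable[[Endpoint], bool]


def by_ip_range(cidr: str) -> Rule:
    net = ipaddress.ip_network(cidr)
    return lambda ep: ipaddress.ip_address(ep.ip) in net


def by_name_prefix(prefix: str) -> Rule:
    return lambda ep: ep.name.lower().startswith(prefix.lower())


def by_platform(*platforms: str) -> Rule:
    wanted = {p.lower() for p in platforms}
    return lambda ep: ep.platform.lower() in wanted


def by_ou(ou_dn: str) -> Rule:
    return lambda ep: ep.ou.lower() == ou_dn.lower()


def by_custom_variable(key: str, value: str) -> Rule:
    return lambda ep: ep.custom.get(key) == value


@dataclass
class Branch:
    name: str
    rule: Rule = lambda ep: True          # the root matches every endpoint
    children: list[Branch] = field(default_factory=list)

    def add(self, child: Branch) -> Branch:
        self.children.append(child)
        return child


def find_branch(node: Branch, name: str) -> Branch | None:
    if node.name == name:
        return node
    for child in node.children:
        found = find_branch(child, name)
        if found is not None:
            return found
    return None


def resolve(root: Branch, ep: Endpoint) -> list[str]:
    """Branch path the endpoint lands in at its next phone-home.

    Assumption: at each level the first sibling whose rule matches wins; if no
    sibling matches, the endpoint lands in Other Endpoints at that level.
    """
    path, node = [root.name], root
    while node.children:
        match = next((c for c in node.children if c.rule(ep)), None)
        if match is None:
            path.append(OTHER_ENDPOINTS)
            break
        path.append(match.name)
        node = match
    return path


def delete_branch(parent: Branch, name: str) -> None:
    parent.children = [c for c in parent.children if c.name != name]


def preview_deletion(root: Branch, parent: Branch, name: str,
                     endpoints: list[Endpoint]) -> dict[str, tuple[list[str], list[str]]]:
    """Endpoints whose branch would change if `name` were deleted (nothing committed)."""
    before = {ep.name: resolve(root, ep) for ep in endpoints}
    saved = list(parent.children)
    delete_branch(parent, name)
    try:
        after = {ep.name: resolve(root, ep) for ep in endpoints}
    finally:
        parent.children = saved  # roll back the trial deletion
    return {n: (before[n], after[n]) for n in before if before[n] != after[n]}


def build_sample_tree() -> Branch:
    """Constructed layout following the guide's example: IP range, then platform or name."""
    root = Branch("Root")
    americas = root.add(Branch("Americas", by_ip_range("10.0.0.0/8")))
    americas.add(Branch("File and Print Servers", by_name_prefix("fs-")))
    americas.add(Branch("Business and Application Servers",
                        by_platform("Windows Server 2003", "Windows Server 2008")))
    europe = root.add(Branch("Europe", by_ip_range("172.16.0.0/12")))
    europe.add(Branch("Finance", by_ou("OU=Finance,DC=example,DC=com")))
    root.add(Branch("Lab", by_custom_variable("role", "lab")))
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    fleet = [Endpoint("fs-nyc01", "10.1.2.3", "Windows Server 2008"),   # constructed
             Endpoint("lt-nyc03", "10.5.0.9", "Windows XP")]
    for ep in fleet:
        print(ep.name, "->", " / ".join(resolve(tree, ep)))
    print(preview_deletion(tree, find_branch(tree, "Americas"), "File and Print Servers", fleet))
```

Running the preview shows the point the note above makes: after deleting File and
Print Servers, fs-nyc01 does not fall into Other Endpoints but into Business and
Application Servers, because its platform matches the remaining sibling rule.
Check the preview for every endpoint before you delete a branch for real.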

User Roles and Tree Management

Only specific CA Total Defense user roles can modify the Partition Assignment
Tree or Policy Assignment Trees. The following list describes each user's
permissions related to the tree structures:

User Role                  Read                      Write                     Modify                    No Access
Administrator              X                         X                         X
Global Policy Manager      X                         X                         X
Partition Policy Manager   Assigned Partitions Only  Assigned Partitions Only  Assigned Partitions Only
Global Reporter            X
Partition Reporter         Assigned Partitions Only
User Manager                                                                                             X
Audit Archivist                                                                                          X
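The locking rules from Locking Trees and the role table above, as an added example
that is not part of this guide or of CA's software. It ties the Lock/Apply cycle to
the role permissions: a user must have write access to the tree's partition to lock
it, only the lock holder can modify or apply, other users are refused while the
lock is held, and only an Administrator or Global Policy Manager can release a
lock that someone else left behind. The Tree and User types and the function
names are the example's own; a tree is modeled as belonging to one partition so
that partition-scoped roles can be checked, and the assumption that a forced
unlock discards the holder's uncommitted working copy is the example's, not
documented behavior.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    ADMINISTRATOR = "Administrator"
    GLOBAL_POLICY_MANAGER = "Global Policy Manager"
    PARTITION_POLICY_MANAGER = "Partition Policy Manager"
    GLOBAL_REPORTER = "Global Reporter"
    PARTITION_REPORTER = "Partition Reporter"
    USER_MANAGER = "User Manager"
    AUDIT_ARCHIVIST = "Audit Archivist"


GLOBAL_WRITERS = {Role.ADMINISTRATOR, Role.GLOBAL_POLICY_MANAGER}


@dataclass(frozen=True)
class User:
    name: str
    role: Role
    partitions: frozenset[str] = frozenset()  # assigned partitions (partition roles only)


def can_modify(user: User, partition: str) -> bool:
    """Write/Modify columns of the role table."""
    if user.role in GLOBAL_WRITERS:
        return True
    if user.role is Role.PARTITION_POLICY_MANAGER:
        return partition in user.partitions
    return False


def can_read(user: User, partition: str) -> bool:
    """Read column of the role table; User Manager and Audit Archivist get No Access."""
    if can_modify(user, partition) or user.role is Role.GLOBAL_REPORTER:
        return True
    if user.role is Role.PARTITION_REPORTER:
        return partition in user.partitions
    return False


class TreeLockError(PermissionError):
    pass


@dataclass
class Tree:
    name: str
    partition: str                     # partition whose managers may edit this tree (assumption)
    committed: dict[str, str] = field(default_factory=dict)  # branch -> subdivision rule
    pending: dict[str, str] | None = None                    # working copy while locked
    locked_by: str | None = None


def lock_tree(user: User, tree: Tree) -> None:
    """Lock button: refused without write access or while another user holds the lock."""
    if not can_modify(user, tree.partition):
        raise TreeLockError(f"{user.name} ({user.role.value}) may not modify {tree.name}")
    if tree.locked_by not in (None, user.name):
        raise TreeLockError(f"{tree.name} is locked by {tree.locked_by}")
    tree.locked_by = user.name
    tree.pending = dict(tree.committed)


def modify_branch(user: User, tree: Tree, branch: str, rule: str) -> None:
    """Edits go to the working copy only (shown in italics); nothing reaches the database."""
    if tree.locked_by != user.name or tree.pending is None:
        raise TreeLockError("lock the tree before modifying it")
    tree.pending[branch] = rule


def apply_tree(user: User, tree: Tree) -> None:
    """Apply button: commit the working copy and release the lock."""
    if tree.locked_by != user.name or tree.pending is None:
        raise TreeLockError("only the lock holder can apply changes")
    tree.committed = tree.pending
    tree.pending = None
    tree.locked_by = None


def force_unlock(user: User, tree: Tree) -> None:
    """Locked Trees page: an Administrator or Global Policy Manager clears a stale lock.

    Assumption: the previous holder's uncommitted working copy is discarded.
    """
    if user.role not in GLOBAL_WRITERS:
        raise TreeLockError(f"{user.role.value} cannot unlock a tree held by another user")
    tree.pending = None
    tree.locked_by = None
```

The committed dictionary stands in for the Management Server database: it changes
only in apply_tree, never in modify_branch, which is the behavior Tree
Modifications describes.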

Policy Concepts
This section contains a description of the three policy categories that are
available in CA Total Defense Endpoint Protection:
■ CA-recommended Default Policies
■ Global Policies
■ Partition Policies

CA-Recommended Default Policies

CA Total Defense provides a default policy with preset options, based on best
practice experience, for each policy type. The recommended policies are
automatically assigned to the root branch of each Policy Assignment Tree and
provide immediate, "out of the box" protection. If you install the Management
Server and make no changes to policies or the Policy Assignment Trees, the
endpoints in your organization pull the default policies when they phone home to
the server.


The default settings for each policy are used as the default values any time you
create a new policy. However, you can always change the default values to
settings that work for your particular environment. You can then specify that the
newly modified policy should be the new default policy. Each time you create a
policy of that type in the future, it will contain your site-specific values.

Note: You can easily recognize the default policy as it appears in bold font in the
Management Console.

Default policies are also automatically placed into each new Remote Installation
package that you create. For example, if you install the Anti-Malware product
component, the default policies associated with this policy type include:
Real-time, Scheduled Jobs, Scheduled Scan Options, and Malware Submission. A
default policy exists for each of these policies and is automatically included in
your installation package. To use the default policies you do not need to do
anything but select the product component you want to deploy. If you want to
create a policy with different settings, you can remove the default policy and
include your modified policy instead.

This greatly reduces the overhead of endpoint deployment and provides you with
immediate protection. Some organizations may choose to use the default
policies for all endpoints, while other organizations may choose to modify some
policies.

Best Practices Tip! To create custom policies, use the default policies as a
starting point. Make a copy of the CA-recommended policy and use the copy as
the basis for your custom policy. While the CA-recommended policy is the
current default policy, it cannot be deleted. If you create a custom policy and
make it the new default policy, the CA-recommended policy can then be deleted.
We recommend that you do not delete it, and that you keep an unmodified copy
of the original CA-recommended policy before you make any modifications.

More Information

Types of Protection (see page 13)
Manage Policy Assignment Branches (see page 203)

Policy Assignment

You can assign a policy to one or more branches of the Policy Assignment Tree
for a specific policy type. Policies can be assigned to branches in one of the
following ways:
■ A single policy is assigned to a single branch of the tree

The policy contains settings that are specific to the endpoints in the branch it
is assigned to. It contains settings that you do not want to apply to the
endpoints in other branches of the tree.


■ A single policy is assigned to more than one branch of the tree
The policy contains settings that are appropriate for the endpoints in multiple
branches.
■ No policy is assigned to a branch
If a policy is not assigned to a branch, the endpoint users can set their own
options for that policy type.

More Information

Assign Policies (see page 202)
Manage Policy Assignment Branches (see page 203)

Global Policies

Global policies are available to all Partition Policy Managers to use in the
partitions they manage. If you are using multiple partitions to delegate
management tasks for specific endpoints to other users in your organization, you
may consider creating global policies.

Global policies provide the following benefits:
■ They allow you to create policies with specific settings that Partition Policy
Managers can use in their own partitions without having to create them from
scratch on their own.
This saves the Partition Policy Managers time because they can simply use
the global policy as a starting point for their own policies, or apply the policy
(without making any changes) directly to the partitions they manage.
■ They allow you to create and enforce a standard set of policy options for your
entire organization across all partitions.

The Management Console displays a globe icon to the left of a global policy name
in policy lists.

Administrators and Global Policy Managers are the only users with permission to
create, edit, or delete global policies.


Partition Policies

Partition-specific policies are only available for use in a specific partition. Users
that are assigned the Partition Policy Manager role create and manage partition
policies.

Best Practice Tip! We recommend that you only use partition policies if you
have created multiple partitions in the Partition Assignment Tree, or intend to do
so in the future.

If you are a CA Total Defense Administrator or Global Policy Manager, you can
promote policies that are created within a single partition to become global
policies for general availability across all partitions.

Endpoint Management
The Maintain Endpoints page provides a view of all managed and unmanaged
endpoints on your network. Managed endpoints have the CA Total Defense
Agent/Client installed. Unmanaged endpoints have been discovered by the
Endpoint Discovery tool, but do not have the CA Total Defense Agent/Client
installed. You can also deploy the CA Total Defense client and review the status
of deployment jobs from this page.

Viewing Endpoints

When the Endpoint Discovery tool locates unmanaged endpoints in your
organization, the Management Console displays them in the Unmanaged
Endpoints list. You can view these endpoints using the Maintain Endpoints page.
To change your view between managed and unmanaged endpoints, select the
type of endpoints you want to view from the Managed/Unmanaged drop-down
menu.

Both the Managed and Unmanaged endpoint lists provide general information
about each endpoint:
■ The Unmanaged list displays the endpoint's name, IP address, platform, and
when the endpoint was discovered.
■ The Managed list provides the same information, plus the name of the
partition the endpoint belongs to in the Partition Assignment Tree, and the
CA Total Defense Endpoint Protection products currently installed.


Find Specific Endpoints

If the list of managed or unmanaged endpoints fills more than one page, you can
use the navigational aids at the bottom of the page to go to a specific page
number, move to the next or previous page, or jump to the first or last page.

The following illustrates the page navigation options:

In addition, you can quickly locate a specific endpoint using the Filter tool.

Note: The Filter panel is collapsed when you open the View Endpoints page.

To open and use the Filter

1. Click the down arrows to the left of the Filter label.
The Filter panel expands.

2. Use the available criteria to locate a specific endpoint or a range of
endpoints.
■ You can use a single criterion to locate endpoints. For example, to find a
specific endpoint, enter the exact name in the Endpoint Name field.
■ Alternatively, you can use multiple criteria to narrow your search. For
example, to find all endpoints running Windows XP whose names begin
with "aus," enter "aus" in the Endpoint Name field and select Windows
XP from the Platform drop-down menu.

More Information

Filter the Endpoint View (see page 170)


Detailed Endpoint Information

For detailed information about a managed endpoint, select the endpoint from the
Managed list and click the Details button. For information about a group of
endpoints, you can select them using the Shift or Control keys.

The Details button opens the Endpoint Details page, with four tabs of detailed
information:
General
Displays detailed information about an endpoint's system information and
interfaces. From this tab you can quickly determine the partition the
endpoint belongs to and the last time it phoned home to the Management
Server.

Products
Displays the product components installed on the endpoint and indicates
whether they are up to date with the latest version available. Use this tab to
check if an endpoint's product components are up to date, and if necessary,
initiate a content update request.

Policies
Displays the policies assigned to an endpoint, and the branch to which the
endpoint belongs. Use this page to check if an endpoint has downloaded the
latest policies.
Custom Variables
Displays any custom variables and the associated values assigned to the
endpoint.

If you selected multiple endpoints from the Managed Endpoints list, the Endpoint
Details page lists each endpoint in the Endpoint Name list on the left. Click an
endpoint name to view detailed information for that endpoint.

Product Component Updates

The Content Update policy specifies the settings that endpoints use to contact a
Redistribution Server for content updates that include new signature files,
product updates, and patches. The Content Update policy specifies when the
update action occurs.


The View Endpoints, Details page displays whether the product components for a
particular endpoint are up to date. To access the Details page, select an
endpoint, and click the Details button. If a component is up to date, the Up to
Date? field displays a green check mark. If an endpoint is not up to date with the
latest component updates, the Up to Date? column displays a red "X."

If an endpoint does not have the latest version of one or more product
components, you can click the Update button to send an update request to the
endpoint that lists a series of tasks to perform. When the endpoint phones home
to the Management Server (at its regularly scheduled time), it picks up the
Update request and gets the latest component from the update source specified
in the Content Update policy.

Remote Deployments

The Centralized Deployment page lets you perform new product deployments of
the CA Total Defense Agent/Client and policies to any unmanaged endpoints in
your organization. You can also add product components to endpoints that
already have the CA Total Defense Agent/Client installed.

You can use an existing installation package, modify an existing package, or
create a new package. Select the target endpoints and either drag and drop the
package on top of the endpoints or use the Package drop-down menu and select
Assign Package.

When the package has been assigned, use the Set Up drop-down menu to enter
the administrative credentials necessary to access each endpoint. You can also
test the login credentials before you start the deployment. The Set Up
drop-down menu provides several other options, but only the login credentials
are required before you can start the deployment. The other options include
specifying an alternate target directory for the installation, specifying the
endpoint's locale, setting a reboot option for the endpoint, and running the
competitive uninstaller to remove any third-party anti-malware programs from
the endpoint.

Best Practices Tip! We recommend using the competitive uninstaller on all
endpoints currently running a third-party anti-malware product to avoid
installation or run-time errors during the installation of the CA Total Defense
Agent/Client.

Chapter 4: Configuring Your Environment

Use the Configure, Environment pages to configure the following aspects of the
CA Total Defense environment:
■ Licensing Management
■ Endpoint Discovery
■ Directory Services
■ Management Server Proxies
■ Signature Rollbacks
■ Database Management
This section contains the following topics:

License Management (see page 67)
Management Server Proxy Implementation (see page 77)
Endpoint Discovery (see page 79)
Revert to Older Signatures (see page 89)
Directory Services (see page 90)
Server Database Management (see page 92)
User Role Management (see page 96)

License Management
The Product Subscription Management (PSM) tool lets you proactively manage
your CA Total Defense licenses. Using PSM you can easily do the following:
■ Assign, unassign, and reassign specific endpoints to licenses in your license
pool

Your license pool contains the total number of available licenses for a
given license key. For example, if your company purchases a license for 100
endpoints, the license pool initially contains 100 licenses. If 75 endpoints are
using licenses, 25 licenses are still available in the license pool.
■ See a consolidated view of all Assigned Endpoints and Unassigned Endpoints
An assigned endpoint is currently using one license from the license pool and
can actively run the CA Total Defense products that the license entitles it to
run. An unassigned endpoint is not using a license and cannot run any of the
CA Total Defense products.


■ Request a product renewal, migration, or upgrade
A product renewal occurs when you renew your subscription for the currently
installed products for a certain period of time.
A migration occurs when you purchase additional product components to
add to your existing products, or you move to a higher version of the product.
For example, moving from CA Total Defense r12 to r12.1 or adding CA Total
Defense for Unified Network Control to your current CA Total Defense
installation is considered a migration.
An upgrade is required when the 30-day grace period that follows the end of
your subscription has elapsed and you have not renewed the product. At this
point you must perform an upgrade to the product.
■ Access contact information for Support and Sales

Note: The PSM tool resides on the CA Entitlement Management System (EMS).
To access the PSM tool you must have an active Internet connection.

The following sections describe the concepts and tasks associated with licensing
your CA Total Defense products.

How the Licensing Process Works

The following steps describe the licensing process:

1. When an order is entered in the CA Order Management System, a custom
License Certificate is generated for your site by the CA Open License
Program (OLP).

2. An electronic version of the License Certificate is sent to you in email and a
hard-copy is sent in regular mail. The certificate contains the license key you
must enter during installation.

3. After downloading an electronic version of the product or receiving your
product DVD, you start your installation. The Installation Wizard prompts
you to enter the license key from the License Certificate and your user
registration information.

4. If you have an Internet connection, the Installation Wizard sends this
information in real time to the CA Entitlement Management System (EMS).
■ The EMS verifies the products you are entitled to install based on the
products your company purchased and displays those applications in the
Installation Wizard's product selection menus.
■ The EMS sends you an email with a license activation link within 24 hours
of your installation.

If you do not have an Internet connection or the license is not found, you may
continue the installation and complete the license activation using the CA Total
Defense Offline Licensing tool. The product runs in a 30-day trial mode with
full functionality until your license registration and activation.

5. When you receive the license activation email, you must click the link in the
email to activate your license.

6. After activating your license, you must then click the Synchronize button
located in the Management Console to immediately end the trial period. This
causes the Management Server to immediately generate a unique node-id.
The PSM sends the node-id to the EMS.

7. The EMS creates a license pool and assigns it to the node-id of the
Management Server.

8. After the Client/Agent is deployed to your endpoints, each endpoint checks
for an entitlements.xml file before it starts running the CA Total Defense
products. The entitlements.xml file authorizes the product components to
run. If the file is not present, the endpoint contacts the Management Server
and downloads the entitlements.xml file.


The following illustration shows the communication flow between the managed
endpoints running the CA Total Defense Client or CA Total Defense for Unified
Network Control Agent and the CA Entitlement Management System.


The Node-id and Organization Chart

The PSM tool collects information from each endpoint to create a unique node-id
for every endpoint. This information is used to create an organization chart that
provides ease of management as it displays all the Assigned Endpoints and
Unassigned Endpoints in your organization with the PSM graphical user interface.

The following list describes the properties that are collected from every
endpoint:

SID
Unique number generated by a product component installed on the
endpoint, such as the Proxy Communication Server for CA Total Defense for
Unified Network Control or the Anti-Malware for CA Total Defense.

Host-Name
The endpoint's name as registered in the operating system.

Hardware Architecture
The physical hardware platform, such as X86.

MAC Address
The Media Access Control address, which uniquely identifies the endpoint's
Network Interface Card.

HDD Serial Number
The Hard Disk Drive serial number as assigned by the manufacturer.

BIOS Serial Number
The BIOS serial number as assigned by the manufacturer.

Motherboard Serial Number
The motherboard serial number as assigned by the manufacturer.

The following screenshots show how this might look.

In the first snapshot, Comp34 represents a Management Server. Proxy6010210
represents a CA Total Defense for Unified Network Control Communication
Server or a Management Server Proxy in CA Total Defense:

Note: In CA Total Defense the use of a Management Server Proxy is optional. If
your organization does not have a proxy installed, this item would not appear in
the PSM organizational hierarchy.

With Assigned Endpoints selected, the lower right side of the page displays the
endpoints that are currently assigned a license from your license pool:

Product Subscription Management Tool

Because the PSM resides on the CA Entitlement Management System, you must
have an active Internet connection when you launch the tool. The PSM uses
several security mechanisms to protect all communications between the PSM
and the Entitlement Management System. These security mechanisms include:
■ User authentication when logging in to the Management Console
■ Encryption of data
■ HTTPS/SSL over a designated port

To launch the PSM, click the Manage Licenses button in your CA Total Defense or
CA Total Defense for Unified Network Control Management Console. The PSM
opens in a separate web browser window. The following snapshot shows the PSM
populated with artificial, "test" data:


You can then perform your licensing tasks as necessary. When you are finished
with all licensing tasks, close the browser window to close the PSM. Return to the
Management Console and click the Manual Synchronization button to
immediately send all changes to the Entitlement Management System.

Synchronization

Every 24 hours the PSM automatically transmits the entire organization structure
to the Entitlement Management System, which maintains a current copy of the
organization, as well as additional historical copies. You can configure the time
that this synchronization occurs by changing the settings on the Manage Licenses
page in the Management Console. Because the Entitlement Management System
maintains several historical copies, any discrepancies between the current
organization chart sent by the PSM and the historical charts are detected and
resolved.

Best Practices Tip! We recommend that you perform a manual synchronization
after performing any licensing tasks. A manual synchronization allows the
changes to take effect immediately instead of waiting for the next automatic
synchronization, which could be the next day, based on the 24-hour automatic
synchronization period.

License Expiration

The Management Console begins to display alerts when you log into the console
and in the banner area of the main console page beginning 90 days prior to the
license expiration date. It displays additional alerts at 60 and 30 days. This
allows you time to evaluate your licensing needs and purchase additional
licenses or renew your existing licenses. If your license expires and you choose
not to renew it, the following actions occur for each installed product:
■ 90 days before the license expires, each user logging into the Management
Console receives a message about the coming expiration. This message
appears once, the first time the user logs in after the 90-day point has been
reached.
■ 60 days before the license expires, the same notification is sent to each user
logging into the Management Console. Again, the message appears only
once when the user logs into the console after the 60-day point has been
reached. In addition, a similar message appears at the top of the
Management Console (in the "Logged in as" line) for the duration.
■ Starting on the expiration day, and continuing for the next 15 days, a
message with a yellow background appears and remains in the same
location within the Management Console.
■ Starting at 15 days after expiration, and continuing until the 30-day point is
reached, the same message appears with a red background and remains in
the same location in the Management Console.
■ At 30 days after expiration, you can no longer log into the Management
Console. Instead, a pop-up window appears and allows you to access the
Product Subscription Management tool. With the tool, you can request a new
license key and upgrade your license.

Renewals and Migration

Every unique purchase of this product comes with a specific subscription length
of 1, 2, or 3 years. CA provides a 30-day grace period at the end of the
subscription to allow time for product renewal. Prior to the end of the grace
period, you must purchase a new license for an additional period of 1, 2, or 3
years. When you renew the product, the CA Entitlement Management System
sends you a new license for the additional period and deducts the number of
grace days (if any were used) from the current subscription.

If after your initial purchase of this product, you decide to add additional
components, you can use the PSM to request a migration to a product with
additional features. If you purchase additional components, CA sends you a new
license key with the additional products. The same is true for upgrading your
product to a higher version.

If you decide to reduce the number of licenses during a renewal period, the
Product Subscription Management tool transfers some endpoints to key-less trial
mode. During the 30-day period of the key-less trial mode, you must unassign a
license from a few non-critical endpoints and reassign the licenses to protect the
most critical endpoints in your organization. This allows you to stay within the
new license count.

New License Keys

If you add more endpoints, renew, migrate, or upgrade your CA Total Defense or
CA Total Defense for Unified Network Control product, the OLP sends you a new
license key. If you are renewing, upgrading or migrating your existing product
and not adding new components, you can simply enter the new license key using
the Link Order tab in the Product Subscription Management tool. You access this
tab by clicking Product Information on the left side of the Product Subscription
Management page.


When the Link Order page opens, you enter the order number and the new
license key number from the email or hard-copy certificate you received from
CA, and then click Submit. After you submit the information, close the Product
Subscription Management tool and return to the Management Console. At the
next regularly scheduled synchronization time, the Product Subscription
Management tool sends the information to the CA Entitlement System and
associates the new key with the server's node-id. To send the information
immediately, click the Synchronize Licenses button on the Management
Console's License Management page.

If you are migrating to new product components, you install the components
from your product DVD, and when prompted by the Installation Wizard, enter
the new license key number. The Installation Wizard sends the license key to the
CA Entitlement Management System, which associates the node-id of the system
where you are installing the component with the license key.

License Reassignment

The PSM application lets you easily manage the assignment, unassignment, and
reassignment of endpoints to and from your license pool.

To perform this task on an endpoint, you must first unassign the license from one
or more currently licensed endpoints and then reassign the free licenses to new
endpoints. These new endpoints are identified by their unique node-id, and the
changes in your licensing are sent to the Entitlement Management System during
the next synchronization.

The Entitlement Management System also keeps a record of the unlicensed
endpoints and their associated node-id for future use. If additional licenses are
purchased at a later time, you simply assign the endpoint to one of the newly
purchased licenses.
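The node-id and license-pool handling from this section, as an added example that
is not part of this guide or of the PSM tool. It derives a node-id from the seven
endpoint properties listed under The Node-id and Organization Chart, then models
a license pool with assign, unassign, reassign, pool exhaustion, and the move to
key-less trial mode that happens when a renewal reduces the license count. The
hashing scheme, the class and function names, and the choice of which endpoints
move to trial mode (the most recently assigned ones) are the example's own
assumptions; CA's actual node-id algorithm is not documented here.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class EndpointProperties:
    """The properties the guide says PSM collects from every endpoint."""
    sid: str
    host_name: str
    hardware_architecture: str
    mac_address: str
    hdd_serial: str
    bios_serial: str
    motherboard_serial: str


def node_id(p: EndpointProperties) -> str:
    """Stable identifier derived from the collected properties.

    Hypothetical derivation (the guide lists the inputs, not the algorithm).
    Fields are trimmed, the MAC is lower-cased, and each field is length-prefixed
    before hashing so two property sets cannot collide by shifting characters
    between adjacent fields.
    """
    ordered = (p.sid, p.host_name, p.hardware_architecture, p.mac_address.lower(),
               p.hdd_serial, p.bios_serial, p.motherboard_serial)
    h = hashlib.sha256()
    for value in ordered:
        data = value.strip().encode("utf-8")
        h.update(len(data).to_bytes(2, "big"))
        h.update(data)
    return h.hexdigest()[:32]


class LicenseError(Exception):
    pass


class LicensePool:
    """License pool for one license key: total minus assigned equals available."""

    def __init__(self, license_key: str, total: int):
        self.license_key = license_key
        self.total = total
        self.host_names: dict[str, str] = {}   # node-id -> host name (organization chart)
        self.assigned: list[str] = []          # ordered; most recent assignment last
        self.unassigned: set[str] = set()      # known endpoints without a license
        self.trial: set[str] = set()           # key-less trial mode after a count reduction

    @property
    def available(self) -> int:
        return self.total - len(self.assigned)

    def register(self, props: EndpointProperties) -> str:
        """Record an endpoint by node-id; it stays unassigned until given a license."""
        nid = node_id(props)
        self.host_names[nid] = props.host_name
        if nid not in self.assigned and nid not in self.trial:
            self.unassigned.add(nid)
        return nid

    def assign(self, nid: str) -> None:
        if nid in self.assigned:
            return
        if nid not in self.host_names:
            raise LicenseError(f"unknown node-id {nid}")
        if self.available <= 0:
            raise LicenseError("license pool exhausted: unassign an endpoint first")
        self.unassigned.discard(nid)
        self.trial.discard(nid)
        self.assigned.append(nid)

    def unassign(self, nid: str) -> None:
        if nid not in self.assigned:
            raise LicenseError(f"{nid} holds no license")
        self.assigned.remove(nid)
        self.unassigned.add(nid)   # the record is kept for later reassignment

    def reassign(self, from_nid: str, to_nid: str) -> None:
        self.unassign(from_nid)
        self.assign(to_nid)

    def renew_with_count(self, new_total: int) -> list[str]:
        """Renew with a smaller pool; surplus endpoints move to key-less trial mode.

        Assumption: the most recently assigned endpoints are the ones moved.
        """
        self.total = new_total
        moved: list[str] = []
        while len(self.assigned) > new_total:
            nid = self.assigned.pop()
            self.trial.add(nid)
            moved.append(nid)
        return moved
```

An assignment is refused when the pool is exhausted, so reducing the count on
renewal leaves the administrator with the choice the guide describes: unassign a
non-critical endpoint and reassign its license to one of the endpoints moved into
trial mode before the 30-day trial ends.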

Proxy or Server Component License Assignment

If you install a new Management Server Proxy or Communication Server in your
organization, you are prompted during installation to enter the license key. Enter
your existing license key. When the installation is complete, you can then use
the Management Console and follow the normal steps to designate the proxy or
server as a secondary system to the master Management Server or another
Communication Server. When the proxy or server starts up, it contacts the
Management Server and downloads an entitlements.xml file, which allows the
product to run.

If you have reached the maximum number of licenses available in the license
pool, you can unassign a license from an existing server component and reassign
it to the new proxy or server. After assigning the license to the new proxy or
server, you can then designate that component as the primary point of contact
for Clients/Agents.

The Entitlement Management System keeps a record of all unassigned endpoints
and other product components (such as servers and proxies) and their
associated node-id for future use. If your company purchases additional licenses
in the future you can simply reassign a new license to these components, and
they are ready for use.

Offline License Synchronization

If you did not activate the license for your CA Total Defense product, the
Management Console displays the following message:

Your license registration is not complete. Click here for help.

This message appears if you did not activate your license when you installed the
product. You must activate your license within 30 days or the product will no
longer work.

Note: Only a user with Administrator privileges on the Management Console can
complete the registration process.

There are two options for completing the licensing registration process and
activating your license: online license activation and offline license activation.

Online license activation
Online license activation requires Internet access for the Management
Server and the license activation email. The CA Entitlement Management
System sends you this email after you have entered a valid license key
during installation. The email should arrive quickly, but at most within 24
hours. If you cannot find the activation email, contact your sales
representative or visit the CA Support website and click the Licensing link.

Offline license activation
For offline license activation, you must download and install the CA Total
Defense Licensing Utility, then follow the instructions provided in the help for
that utility. Visit https://ems.ca.com/synctool to download the utility.

To perform online license activation

1. Locate and open your license activation email.

2. Click the link in the email to activate your license.

After activating your license, you must then click the Synchronize button
located on the Licensing page in the Management Console to immediately
end the trial period.

3. Click Environment, Licensing in the Management Console.

4. Click Licensing.

The Licensing page opens, listing the days remaining until your license
expires and when the synchronization occurs.

5. Click Synchronize Licenses.

The license synchronization runs. The Management Console reports the
results once the synchronization is complete.

Note: You must have an active Internet connection during the license activation
and manual synchronization steps.

Management Server Proxy Implementation

A Management Server Proxy off-loads network traffic from the Master
Management Server by serving in its place when endpoints phone home. Each
Management Server Proxy contains a duplicate copy of all the policy information
for your organization. Proxies perform the same tasks associated with the phone
home operation by gathering endpoint data and making updated policies
available to endpoints.

The following steps describe the process for implementing a Management Server
Proxy in your environment:

1. Determine where in your organization you should install a Management
Server Proxy.

Depending on the size and geographical layout of your organization, you
may choose to install multiple proxies in remote offices or regional hubs.

2. Review the hardware and operating system requirements for Management
Server Proxies in the CA Total Defense Release Notes and choose the
appropriate system to host the proxy.

3. Install the Management Server Proxy component from the CA Total Defense
DVD.

When the proxy is installed, it automatically appears in the Management
Console.

4. Use the Management Console to activate the new proxy.

Select the proxy in the list of proxy servers and click Activate.

5. Modify the Phone Home policy to add the name of the proxy as either the
primary or secondary server for endpoints to contact.

The next time the endpoints phone home to the Master Management Server,
they retrieve the modified Phone Home policy that tells them which
Management Server Proxy to contact in the future. From that point forward,
the endpoint phones home to the designated Management Server Proxy instead
of the Master Management Server.

Activating a Proxy in a DMZ

When you install a Management Server Proxy, the Installation Wizard generates
a certificate that allows the proxy to communicate with the Master Management
Server. However, if you install the Management Server Proxy in a DMZ, the
proxy cannot contact the Master Management Server to synchronize policy or
endpoint information.

To enable communication between the Master Management Server and a proxy
located in a DMZ, you must manually add the proxy information in the
Management Console after you install the proxy server. This process also
automatically activates the proxy so that it is immediately available and
endpoints are able to phone home to the proxy.

Note: You must ensure that a copy of the security certificate is accessible from
the Management Console.

To manually add proxy information

1. Click Environment.
2. Click Management Proxy Servers.
The Management Proxy Servers page opens.

3. Click Add.
The Add Installed Proxy page opens.

4. Enter the proxy name and click Browse to upload the certificate that was
created during the proxy installation.

5. Specify how frequently data is synchronized between the Master
Management Server and the proxy.

6. Click Add.
The server is added to the proxy server list.

Note: You can click Discard to remove any changes you made but stay on
this page, or click Cancel to cancel your changes and return to the
Management Proxy Server page.

Endpoint Discovery
Endpoint Discovery finds all unmanaged endpoints on your network and runs in
the following two modes:

Full Discovery
After you have installed the Management Server and you are ready to deploy
the Agent/Client to the endpoints in your network, you use Endpoint
Discovery and perform a Full Discovery to find all of the unmanaged
endpoints. You can then deploy the Agent/Client using the Management
Console's remote installation feature.

Incremental Discovery

After you have fully deployed and implemented CA Total Defense, new
endpoints may have joined the network. To find any unmanaged endpoints
after a Full Discovery has already been performed, you can run an
Incremental Discovery. You can choose to run an Incremental Discovery
every day. Endpoints that were previously discovered are ignored and only
newly detected endpoints are reported.
Endpoint Discovery remembers and reuses the discovery method that was
successful in contacting each endpoint. This greatly reduces the overhead of
an incremental discovery and avoids a "hit or miss" trial discovery of each
endpoint. However, if the discovery method for a specific endpoint should
change due to changing dynamics of your network, the newer successful
method for that endpoint is remembered and reused in subsequent scans.
For this reason, performing an incremental discovery is more efficient than
performing a full discovery.

How Endpoint Discovery Works

Endpoint Discovery determines the following information for each detected
endpoint:
■ Host name
■ IP address
■ Operating system

Duplicate endpoints are ignored and the final results are stored in the locally
hosted Endpoint Discovery database. They are also written to an xml file named
Discovery-<Timestamp>.xml located in the /CA/Results directory.

After discovering unmanaged endpoints, you can view a list of the endpoints by
selecting the Maintain Endpoints, Unmanaged Endpoints in the Management
Console. From this page you can easily select the endpoints to manage and click
the Install button to perform a remote installation of the CA Total Defense
Agent/Client.

The following illustration shows the process for finding unmanaged endpoints
using the Management Console:

Discovery Scanning Methods

By default, Endpoint Discovery uses Windows Networking SMB/CIFS/NetBIOS to
detect unmanaged endpoints. This discovery method is a widely used protocol
and will generally not be considered suspicious activity. It detects endpoints in
domains and workgroups and also detects the endpoint's operating system.

Endpoint Discovery also provides the following additional discovery methods:
■ DNS (enabled by default)
Detects endpoints behind highly secure firewalls that join a domain or
subdomain; however, DNS zone transfers must be enabled
■ ICMP (enabled by default)
Detects endpoints in a flat architecture
■ TCP
Detects endpoints in a flat architecture and behind firewalls using fewer TCP
ports that are generally accessible, even in highly secured DMZs

Note: To provide the greatest detection coverage and accessibility to endpoints
behind a firewall, across a VPN, or in a DMZ, enable all options that are suitable
for your network.

DNS Discovery Method

The following lists describe the benefits and constraints of using this discovery
method:
Benefits
■ Widely used, operating system-independent protocol
■ Detects endpoints in domains and subdomains
■ If DNS zone transfers are enabled, can detect endpoints in a highly secure
network behind a firewall

Constraints
■ Cannot detect endpoints in a local workgroup
■ Cannot detect the endpoint's operating system
■ This protocol may be blocked in a highly secure network behind a firewall

ICMP Discovery Method

The following lists describe the benefits and constraints of using this discovery
method:
Benefits
■ Commonly used by network scanning and system management software
■ May be allowed to reach some isolated workgroups behind firewalls
■ Operating system-independent
■ Uses fewer packets than a TCP ping scan when network traffic is a concern

Constraints
■ This protocol may be completely blocked by a firewall in a highly secure zone
■ Can detect other infrastructure devices, such as printers or routers, making
operating system detection mandatory to determine if the detected device is
a valid endpoint

TCP Sweep Method

The following lists describe the benefits and constraints of using this discovery
method:

Benefits
■ Specific TCP ports used by CA Total Defense can be specified during
configuration, thereby increasing endpoint detection
■ TCP stack is available on all endpoints

Constraints
■ Can detect other infrastructure devices, such as printers or routers, making
operating system detection mandatory to determine if the detected device is
a valid endpoint
■ Can be interpreted as suspicious activity by an intrusion detection system,
resulting in false positives

Note: You can avoid a false positive detection from your intrusion detection
system by adding CA Total Defense to your whitelisted applications.

Operating System Detection Methods

If the initial scanning methods are unable to determine the endpoint's operating
system, Endpoint Discovery uses one of the following tools or methods to detect
the operating system:
■ Windows Management Instrumentation
■ Windows Remote Management
■ Active fingerprinting

The benefits and constraints of each configurable method are listed in the
following sections.

WMI and WinRM OS Detection Methods

If an endpoint's operating system is unknown after its initial detection, Endpoint
Discovery uses Windows Management Instrumentation and/or Windows Remote
Management to determine the operating system.

The following lists describe the benefits and constraints of using these methods
for determining an endpoint's operating system.

Benefits
■ Commonly used in system management software
■ Works across firewalls as it is HTTP-based
■ Highly reliable method for detecting operating system information on
Windows endpoints
■ Uses system administration credentials required for system management

Constraints
■ A small unmanaged network may not use WMI or WinRM protocols
■ In a highly secure network these protocols may be blocked

Active Fingerprinting OS Detection Method

If a detected endpoint's operating system has not been detected using WMI or
WinRM, Endpoint Discovery uses Active Fingerprinting to determine the
operating system.

The following lists describe the benefits and constraints of using this method for
determining an endpoint's operating system:

Benefits
■ TCP stack is available on all endpoints
■ Specific TCP ports used by CA Total Defense can be specified during
configuration, allowing the retrieval of operating system information

Constraints
■ Can be interpreted as suspicious activity by an intrusion detection system,
resulting in false positives

Note: You can avoid a false positive detection from your intrusion detection
system by adding CA Total Defense to your whitelisted applications.

Endpoint Discovery Network Map

The SMB and DNS discovery methods obtain the hostname and IP address of
detected endpoints. During this process, Endpoint Discovery observes the nature
of IP assignments on the network and formulates an approximate map of your
network. This map is flexible enough to account for certain IP boundaries that
are not yet identified by the current scan.

Because some IP addresses may not be assigned or may not be live during the
discovery scan, a response may not be received from a large number of IP
addresses from within the network map. However, any unresponsive IP
addresses that were detected in a previous discovery, or that are part of the
network map, are removed from the list of unresponsive IPs.

Removing previously detected IP addresses reduces the overhead of the scan.
The remaining list of unresponsive IP addresses is then scanned using the ICMP
scan method. This provides thorough coverage for detecting all live endpoints.

Unknown Host Found

Endpoint Discovery may periodically discover an endpoint that no longer exists
on your network. The output of an Endpoint Discovery scan is a static snapshot
of your network. Any changes that occur on the network, such as adding or
removing endpoints, are captured during the next Full or Incremental Discovery.
Network protocols like DNS and WINS use refresh cycles. We recommend
running Endpoint Discovery soon after DNS and WINS cycles complete so that
Endpoint Discovery does not return stale endpoint information.

If DHCP is used, Endpoint Discovery may return some stale entries if an
endpoint's lease has expired. These endpoints are removed during subsequent
Endpoint Discovery scans.

Differences between Full and Incremental Discovery

Incremental Discovery works in the same manner as a Full Discovery to find
endpoints, except that it collates the result of the scan with data stored in the
database from a previous scan. While collating the results, the following rules are
applied to the results of the Incremental Scan:
■ The inactive count is set to zero if a host is present in both the current and
previous scan.
■ The inactive count is incremented by one if an endpoint exists in the
database but is not found in the current scan.
■ If the inactive count reaches the specified maximum inactive count, the
endpoint is deleted from the database and not reported in the Unmanaged
Endpoints list.

Unresponsive Endpoints

If a previously detected endpoint does not respond during a discovery scan, its
Maximum Inactivity Count value is set to 1. Each time it fails to respond to a
scan, this variable is incremented by 1. When the Maximum Inactivity Count
value exceeds the number you specify in your discovery configuration, the
endpoint is removed from the database. If a previously unresponsive endpoint
does respond during a scan, and it has not exceeded the Maximum Inactivity
Count, its value is reset to 0.
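The collation rules from the two sections above, written out as an added example (not code from CA Total Defense): the database is a hostname-to-inactive-count map, three constructed nightly scans are replayed, and an endpoint is dropped once its count reaches the configured maximum, following the rules list under Differences between Full and Incremental Discovery.

```python
"""Collate an Incremental Discovery result against the stored endpoint database."""
from typing import Dict, Iterable, List, Tuple

# The database maps each known unmanaged endpoint to its inactive count;
# 0 means it answered the most recent scan.
Database = Dict[str, int]


def collate(previous: Database, current: Iterable[str],
            max_inactive: int) -> Tuple[Database, List[str], List[str]]:
    """Apply the guide's three collation rules to one incremental scan.

    Returns (updated_db, newly_seen, removed):
    - an endpoint present in both scans has its count reset to 0;
    - an endpoint in the database but absent from this scan is incremented;
    - when the count reaches max_inactive the endpoint is deleted and no
      longer appears in the Unmanaged Endpoints list.
    """
    seen = set(current)
    updated: Database = {}
    removed: List[str] = []
    for host, inactive in previous.items():
        if host in seen:
            updated[host] = 0
        elif inactive + 1 >= max_inactive:
            removed.append(host)
        else:
            updated[host] = inactive + 1
    newly_seen = sorted(seen.difference(previous))
    for host in newly_seen:
        updated[host] = 0
    return updated, newly_seen, removed


def run_scans(initial: Database, scans: Iterable[Iterable[str]],
              max_inactive: int) -> List[Tuple[Database, List[str], List[str]]]:
    """Replay several incremental scans so the reset-after-response rule is visible."""
    history, db = [], dict(initial)
    for scan in scans:
        db, new, gone = collate(db, scan, max_inactive)
        history.append((dict(db), new, gone))
    return history


# Constructed sample: three nightly incremental scans, maximum inactive count 3.
INITIAL_DB = {"ws-101": 0, "ws-102": 1, "lab-01": 2, "printer-7": 0}
NIGHTLY_SCANS = [
    {"ws-101", "new-laptop"},            # lab-01 misses a third time and is dropped
    {"ws-101", "ws-102", "new-laptop"},  # ws-102 answers again and is reset to 0
    {"ws-101", "new-laptop"},            # printer-7 misses a third time and is dropped
]
MAX_INACTIVE = 3
```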

IP Address Exclusion List

Endpoint Discovery provides an IP range exclusion option that lets you exclude a
subset of your network from the discovery scan. This option applies to all scan
engines along with other specific configuration options.

IP ranges can be entered using the following formats:
■ Explicit range, such as 1.2.3.12-1.2.3.252
■ Trailing wild card, such as 1.2.3.* or 1.2.*.*
■ Explicit range with a fixed CIDR suffix for the starting and ending
IP address, for example 1.2.3.12/24-1.2.3.252/24
■ Explicit range for full IPv6 addresses (not abbreviated); CIDR-style prefix
masking is also supported

The Endpoint Discovery tool validates the IP address of discovered endpoints and
any IPs that fall in the exclusion range are discarded. For cases where the host
name to IP address resolution does not yield a result, Endpoint Discovery detects
the endpoint, but provides an error code that states IP address resolution could
not be performed and the endpoint may belong to the exclusion range.
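An added example, not part of the product, that parses the exclusion formats listed above and applies them to a constructed scan result. It assumes the fixed CIDR suffix on an explicit range only has to match on both ends (the span excluded is start to end inclusive), accepts abbreviated as well as full IPv6 addresses, and flags rather than drops a host whose name did not resolve, as the paragraph above describes.

```python
"""Parse Endpoint Discovery style IP exclusion ranges and apply them to a scan."""
import ipaddress
from typing import Iterable, List, NamedTuple, Optional, Tuple


class ExclusionRange(NamedTuple):
    """Inclusive span of addresses of one IP version, stored as integers."""
    version: int
    first: int
    last: int

    def contains(self, addr) -> bool:
        return addr.version == self.version and self.first <= int(addr) <= self.last


def _parse_wildcard(text: str) -> ExclusionRange:
    """Trailing-wildcard IPv4 form such as 1.2.3.* or 1.2.*.*."""
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError(f"wildcard form needs four octets: {text!r}")
    low, high, star_seen = [], [], False
    for octet in octets:
        if octet == "*":
            star_seen, low, high = True, low + ["0"], high + ["255"]
        elif star_seen:
            raise ValueError(f"wildcards must be trailing: {text!r}")
        elif 0 <= int(octet) <= 255:
            low, high = low + [octet], high + [octet]
        else:
            raise ValueError(f"octet out of range: {text!r}")
    return ExclusionRange(4, int(ipaddress.IPv4Address(".".join(low))),
                          int(ipaddress.IPv4Address(".".join(high))))


def _parse_explicit(text: str) -> ExclusionRange:
    """start-end form, optionally with the same fixed CIDR suffix on both ends
    (1.2.3.12/24-1.2.3.252/24). Assumption: the suffix is only checked for consistency."""
    start_text, end_text = text.split("-", 1)
    start_str, _, start_pfx = start_text.strip().partition("/")
    end_str, _, end_pfx = end_text.strip().partition("/")
    if start_pfx != end_pfx:
        raise ValueError(f"CIDR suffix must match on both ends: {text!r}")
    start, end = ipaddress.ip_address(start_str), ipaddress.ip_address(end_str)
    if start.version != end.version:
        raise ValueError(f"mixed IP versions in range: {text!r}")
    if int(start) > int(end):
        raise ValueError(f"range start is after range end: {text!r}")
    return ExclusionRange(start.version, int(start), int(end))


def parse_exclusion(text: str) -> ExclusionRange:
    """Dispatch on the documented forms; a bare address excludes only itself."""
    text = text.strip()
    if "*" in text:
        return _parse_wildcard(text)
    if "-" in text:
        return _parse_explicit(text)
    if "/" in text:  # CIDR prefix masking (covers IPv6); host bits are ignored
        net = ipaddress.ip_network(text, strict=False)
        return ExclusionRange(net.version, int(net.network_address), int(net.broadcast_address))
    addr = ipaddress.ip_address(text)
    return ExclusionRange(addr.version, int(addr), int(addr))


def is_valid_exclusion(text: str) -> bool:
    """Reject malformed entries at configuration time rather than at scan time."""
    try:
        parse_exclusion(text)
    except ValueError:
        return False
    return True


def is_excluded(ranges: List[ExclusionRange], ip_text: str) -> bool:
    addr = ipaddress.ip_address(ip_text)
    return any(r.contains(addr) for r in ranges)


def filter_scan(results: Iterable[Tuple[str, Optional[str]]],
                entries: Iterable[str]) -> Tuple[List[str], List[str], List[str]]:
    """Split discovered (hostname, ip) pairs into kept, excluded and unresolved.
    A host whose name did not resolve cannot be checked, so it is kept but flagged."""
    ranges = [parse_exclusion(e) for e in entries]
    kept, excluded, unresolved = [], [], []
    for host, ip in results:
        if ip is None:
            unresolved.append(host)
        elif is_excluded(ranges, ip):
            excluded.append(host)
        else:
            kept.append(host)
    return kept, excluded, unresolved


# Constructed sample exclusion list and scan result (hostname, resolved IP or None).
SAMPLE_EXCLUSIONS = ["1.2.3.12-1.2.3.252", "10.0.*.*", "192.168.1.12/24-192.168.1.20/24",
                     "2001:0db8:0000:0000:0000:0000:0000:0000/112"]
SAMPLE_SCAN = [("ws-101", "1.2.3.11"), ("ws-102", "1.2.3.12"), ("dmz-fw", "10.0.200.7"),
               ("lab-01", "192.168.1.15"), ("lab-02", "192.168.1.21"),
               ("v6-host", "2001:0db8:0000:0000:0000:0000:0000:ffff"), ("ghost", None)]
```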

Timeout, Delay and Retry Ranges

The following table shows the default, minimum, and maximum values for
timeout, delays, and retries for the various protocol operations. Use the
information in this table to help you configure the most suitable times for
discovery scans on your network.

Note: If your network is generally reliable and it is not rate limiting or prone to
delays, CA recommends using the default packet rate, retries and timeout
values.

Parameter                                                               Default   Minimum   Maximum   Remarks
ICMP Sweep Scan Timeout                                                 0.1 sec   0.1 sec   5 sec     One decimal place is allowed.
ICMP Sweep Scan Number of Retries                                       2         0         3
TCP Sweep Scan Timeout                                                  1 sec     1 sec     60 sec
TCP Sweep Scan Number of Retries                                        1         0         2
Active Fingerprinting-based Remote OS Detection Scan Timeout            1 sec     1 sec     60 sec
Active Fingerprinting-based Remote OS Detection Scan Number of Retries  1         0         2
Maximum ICMP/TCP Packet Rate                                            20        10        1000
Port Scan Delay                                                         100 ms    10 ms     1000 ms
Maximum Scan Threads                                                    50        10        256
DNS Lookup Timeout                                                      0.5 sec   0.5 sec   60 sec    One decimal place is allowed.
Port Scan Maximum Number of Ports                                       100       0         1024

Consider the following recommendations when determining time-out values,
delays, and the number of retries:
■ For enterprise networks that are generally reliable, but whose network traffic
pattern is at its peak during the scheduled discovery, use slightly greater
time-out values and a slightly reduced packet rate. You can also increase the
maximum scan threads, which can provide better results in terms of overall
time of discovery/rediscovery.
■ For enterprise networks that are reliable but rate limiting, use a lower packet
rate based on the network's general rate limit. Use the default retries and
timeout values for accurate results.
■ For enterprise networks that are not reliable and where delays and drops are
frequent, use an increased number of retries and increased time-out values
to ensure minimum required coverage and accuracy. Increasing the
maximum scan threads can also provide a relatively better result.
■ For entry level server grade systems, use the default value of maximum scan
threads. If the system's specification is better than an entry level server
grade system, you can increase the maximum number of scan threads if the
overall processing requirements of the system are not too high during the
time the discovery/rediscovery process will run.

Optimizing Endpoint Discovery Configuration

What is the best configuration for running Endpoint Discovery to maximize
coverage in minimum time?

Ideally, the best configuration is to run discovery with all the scan engines
enabled and with maximum threads, leaving other settings at their defaults. In
some cases, depending on network settings, the configuration should be altered
to optimize discovery performance. The following are some optimization options:
■ If ICMP packets are blocked in a network, there is no point running the
ICMP engine. The ICMP engine can be turned off to save time.
■ The known open ports across the network should be specified by enabling
port scanning mode and adding the preferred ports.
■ If WINRM is not a preferred IT infrastructure management technology in
your enterprise, turn off the WINRM engine.
■ If WMI is not a preferred IT infrastructure management technology in your
enterprise, turn off the WMI engine.
■ If detailed logging is not required, the log level should be set to "CRITICAL".
Also, to save disk space, the log policy should be set to "ROTATE".

Viewing Endpoint Discovery Scan Engines Performance Statistics

You can find the Endpoint Discovery logs at
"<Discovery_installation_path>/logs". The logs contain a summary for each
scan engine. This information provides a general idea of the number of endpoints
discovered by each scan engine.

View Service Logs During a Scan

To view Endpoint Discovery logs while a scan is running, go to Configure
Discovery, and then the Specify Discovery Logging page. Set the Log Level to
Debug.

Revert to Older Signatures

Rolling back signatures lets you return to a previously known working state as of
a specified signature date. After you have rolled back the signatures and any
conflicts have been resolved, you must resume normal signature updates. Once
you resume the updates, each endpoint collects any pending updates at the
scheduled times.

To roll back signatures

1. Click Configure, Environment.

The Navigation Pane expands to show configuration options for the
Management Server.

2. Click Signature Rollback.

The Signature Rollback page opens.

3. Select Roll back signatures to, and click the calendar icon to select the date
to which to roll back.

4. Click Apply.

Your request is submitted. If you have the proper permissions and there are
no pending actions blocking the rollback, the signatures roll back to the
version as of the date you specified.

After all conflicts are resolved, you must resume the signature updates.

To resume signature updates

1. Click Configure, Environment.

The Navigation Pane expands to show configuration options for the
Management Server.

2. Click Signature Rollback.

The Signature Rollback page opens.

3. Select Resume signature updates and click Apply.

You are prompted to confirm that you want to resume signature updates.

4. Click Yes.

Your request is submitted. If you have the proper permissions and there are
no pending actions blocking this action, the signature updates resume.

Directory Services
If you are using Active Directory to manage your network infrastructure, you can
take advantage of the existing framework and feed it directly into the
Management Server. This can greatly reduce the amount of time you spend
implementing CA Total Defense.

You can use Active Directory to accomplish the following tasks:
■ Subdivide the partition tree into smaller partitions.
You can create new partitions based on your Active Directory framework.
To do so, go to the Partition Assignment Tree page, select and lock the
partition to subdivide, and then choose Subdivide Branch. Choose the By
Active Directory Tree option. You are then prompted to select the categories
to use to create the new branch.

■ Subdivide a policy assignment tree to create branches.
You can also create branches in the policy assignment tree based on your
Active Directory framework. In a similar fashion to subdividing partitions,
you go to the Policy Assignment Tree page, select and lock the tree, then
choose Subdivide Branch. Choose the By Active Directory Tree option. You
are then prompted to select the categories to use to create the new branch.
■ Add domain users and groups to the User Roles page.
The Management Server accepts the domains already defined in your Active
Directory framework. You simply go to the Manage Users page and click Add
Users to add the appropriate domain to the list of available users. You can
then assign the necessary management roles to a domain group within CA
Total Defense.

To use your Active Directory framework with CA Total Defense, you must specify
the server name and port number (the default is 389) where Active Directory is
hosted, the Active Directory tree name, and whether you want to connect
anonymously or use a secure connection. You access these options by selecting
Configure Environment, Directory Services.

Conditions for Using Active Directory

The following conditions apply when using Active Directory on Windows 2000:
■ The password policy must specify reversible encryption for the Domain. If
this setting is changed, the user that is being used to connect must also
change his or her password after the password policy has changed for the
setting to take effect.
■ Use the fully qualified Domain name of the Active Directory server. For
example,

Use: adserver.travis.ourcompany.com
Do not use: adserver
■ Use Domain information when specifying the user. For example,

Use: travis\jdoe
Do not use: jdoe
■ Subauthentication must be enabled (the default setting).
■ Do not specify a Domain Administrator.

The following conditions apply when using Active Directory on Windows 2003
and later:
■ Use the fully qualified Domain name of the Active Directory server. For
example,

Use: adserver.travis.ourcompany.com
Do not use: adserver
■ Use Domain information when specifying the user. For example,

Use: travis\jdoe
Do not use: jdoe
■ The user name is case sensitive and must match the name in the Active
Directory database. The name of the Domain is not case sensitive.
■ Do not specify a Domain Administrator.

Server Database Management

During the installation of CA Total Defense, the Installation Wizard prompts you
to enter details regarding the following databases:
■ Management Server
■ Event Server
■ Endpoint Discovery

If at any point you need to modify the information you supplied during
installation, you can do so using the Configure Environment, Server Databases
page. The following sections describe the management tasks associated with
each database.

Management Server Database

The Management Server database stores the following information:
■ Details of each managed endpoint
■ Details of each unmanaged endpoint
■ Policies and their settings
■ Policy Assignment Trees
■ Partition Management Trees
■ User role assignments

The database also stores additional, underlying data that is not visible through
the Management Console.

If you move your database from one server machine to another, or make any
other changes that affect the database location, name, or user login credentials,
you must specify those changes in the Management Console. You initially specify
this information when you first install the Management Server or Event Server.
However, you can modify the information at any time after your installation.
Using the Manage Environment page, you can modify the server name that hosts
the database, name of the database instance, port number, and database login
credentials.

Note: If you modify the information for the Management Server, the web service
must be restarted and any users that are currently logged in are automatically
logged off.

The Management Server utilizes many automated clean-up tasks that are built
into the server, requiring no user interaction. It removes duplicate records and
those that are obsolete. It also performs database compaction on a regular
basis. You can also use the Microsoft SQL built-in maintenance features,
including the backup and restore commands, to perform basic maintenance tasks.

There are two areas that require database maintenance:

Audit records
You can automatically delete audit records after a specific number of days.
The Management Server saves audit records for every change to a policy,
policy building block, Policy Assignment Tree, and Partition Management
Tree.

Remote Deployment Jobs
You can manually or automatically delete records of remote deployment jobs
of the Endpoint Protection Client by individual record selection or by the age
of the deployment job.

Event Server Database

The Event Management component of CA Total Defense consists of the following
three databases:

Events database
Stores the events that occur on all managed endpoints and CA Total Defense
server components and proxies. It also stores additional, underlying data
that is not visible through the Management Console.

Reports database
Stores all report templates, reports, and the configuration settings for all
report management activities and Event filters.

Notifications database
Stores configuration settings and management activities for all event
notifications.

A Microsoft SQL Server hosts all three databases in a single instance and uses
the same port number and user access credentials. If you change any of these
settings, the change affects all three databases. You can modify your initial
settings (made during installation) using the Configure Environment, Server
Databases, Event Server pages. You may find it necessary to periodically
synchronize these settings against your SQL Server.

If you suspect that you have a connection problem, use the Test Connection
button located on the Connection page to test your connections. This feature
displays a message in the Management Console if the connection to all three
databases is successful or if any issues are detected.

You can specify your preferences for the amount of storage that Events database
needs. Most organizations can use the Normal (Light) storage option, which
stores the most common event information and uses less disk space. To store all
events data, choose the Comprehensive (Full) option. Because some events
contain a large amount of data, choosing the Comprehensive (Full) option
requires a much larger amount of available disk space for database storage.

You can choose to delete all database records or only records beyond a specific
date. If the database is quite large it can take a long time to delete the records.
If you do not want to use up CPU cycles on the record deletion task, you can
specify a maximum amount of time that the deletion can run.

As part of regular database maintenance, you should perform archiving when the
database reaches a certain size or at a regularly scheduled interval.

Record Deletion and Archival

Over a period of time the Events database grows in size and can become quite
large. A large database can increase the event filter execution time and slow
down other database operations. However you can perform the following
procedures to maintain and control the size of the database:

Maintenance
Delete old records or delete records that match a custom filter you create to
find the records you want to delete. You can choose to delete older records
from the database manually, using the Run now option, or automatically
using the Scheduler option.

If the database is quite large it may take a long time to delete the records. If
you do not want to engage the database and use up CPU cycles on the record
deletion task, you can specify that the deletion not run longer than a set
period of time. Upon reaching the allotted period of time, the current
deletion operation will stop at its first available opportunity. Note that using
this option may prevent the deletion of some of the older data in the
database.

Additionally you can delete records using an event filter. For example, go to
Monitor, Events, Events Viewer, Filter Events in the Management Console.
Then click New to create a new filter based on a type of event, such as all Low
severity events for the Anti-Malware component. Once the filter is created,
go to the Events Viewer, select the new filter you created and click Delete
Events.

Best Practice Tip! We recommend performing data deletion operations
during off-peak hours when there are fewer operational demands on the
database.

Archiving
Switch to a new, fresh database and keep the previous database as an
archive.
As part of regular database maintenance, you can perform archiving on a
conditional basis, when the database reaches a specific size, or automatically
at a regularly scheduled time. Once an archival action occurs, the Events
database switches to an entirely new database, placing the previous
database in an archived state on the Microsoft SQL Server. Note that you
may still create and execute filters and reports using the archived data.

Note: If you selected Microsoft SQL Server Express Edition during the
installation of CA Total Defense, archiving is critical because the database
size is limited to 4 GB. Once that limit is reached, new data cannot be
inserted into the database. You must configure archiving to occur when the
database reaches 3.5 GB to avoid operational errors.

Best Practice Tip! We recommend that you schedule maintenance to occur
on a regular basis to improve event filtering performance.


More Information

Maintain the Event Server (see page 569)
Schedule Event Server Maintenance (see page 570)
Archive the Event Server (see page 573)
View Archive History (see page 575)
View Archived Databases (see page 576)

Endpoint Discovery Database

The Endpoint Discovery database uses many automated clean-up tasks that
are built into the server, requiring no user interaction. It removes duplicate
records and those that are obsolete. It also performs database compaction on a
regular basis. You can also use the Microsoft SQL built-in maintenance features,
including the backup and restore commands, to perform basic maintenance tasks.

User Role Management


Task-based user roles in CA Total Defense provide a security model that prevents
unauthorized access to the Management Server database. You can assign
specific management functions and tasks to users or groups of users, thus
granting access only to the areas of the Management Console and database that
are needed.

Assigning User Roles


Note: The use of User Roles in CA Total Defense is completely optional. All users
in the Administrators group on the system hosting the Management Server have
full access to the Management Console and the Management Server database
without assigning specific user roles to other individual users or groups.

Role-based access to the Management Server provides the following benefits:


■ Protects the Management Server database from unauthorized inspection and
modification
Only users who are assigned specific roles in CA Total Defense can modify or
view the data in the Management Server.
■ Allows read-only view for certain roles
Certain roles can view information in specific areas of the Management
Console but cannot change the information they see in those restricted
areas.


■ Allows you to delegate specific management functions to other individuals in
your organization
Different users can perform specific tasks, such as partition and policy
management, reporting, and auditing, as required by your organization's
internal practices.
■ Avoids the need to create specific per-object permissions
Permissions are assigned by functional task, which reduces permission
management overhead.

CA Total Defense user roles are simple to use in small organizations with few
endpoints, yet flexible enough to handle the administration of a large, diverse
organization with different users or groups handling different functions from
within the Management Console.

For example, a small organization could have an Administrator with full access to
all areas of the Management Console, and may choose to assign at least one
Audit Archivist role to an individual who is responsible for changes to auditing
settings.

A large organization with geographically dispersed IT departments might choose
to implement all of the user roles available in CA Total Defense. They may have
several Administrators with global responsibilities, and, if the organization has
created multiple branches in the Partition Assignment Tree, they may have
individuals with partition-specific roles, such as policy management or report
generation for their assigned partitions.

User Role Authentication


CA Total Defense lets you assign task-based roles to both individual users and
user groups that are defined in your local domain. When a user logs into the
Management Console, the Management Server authenticates and identifies the
user. Based on a set of user role attributes, the Management Server determines
what the user can see and do within the Management Console. If a user is not
authorized to perform certain functions, that area of the Management Console is
either not accessible or disabled.

While a user is logged into the Management Console, the rights associated with
their user role are valid for the entire session. Any changes made during the
user's session are not effective until the user logs out and logs back in again. This
includes changes that are made to any groups of which the user is a member.


Group Inheritance

The User Roles page shows whether users have inherited permissions through
group membership when you hover your mouse over them.

The Management Server grants the CA Total Defense Administrator user role to
the local system's Administrators group during the installation of the
Management Server. This ensures that at least one user has the Administrative
role in the product. This is true on domain controllers, member servers, and
standalone (non-domain) servers.

Note: If you do not want everyone in the local Administrators group to have an
Administrator role in CA Total Defense, use the Configure User Roles page in the
Management Console to first assign yourself the CA Total Defense Administrator
role, and then remove the role from the Administrator group. You must perform
these steps in that order.

Global and Partition-Specific Roles

If you are using a single partition to manage the endpoints in your organization,
all user roles are global and all actions taken by users in these roles apply
globally, to the entire organization.

If you are using multiple partitions to manage the endpoints in your
organization, you can grant partition-specific permissions for the following user
roles:
■ Partition Policy Managers
Allows the user to manage policies and Policy Assignment Trees in one or
more partitions to which he or she is specifically assigned. Partition Policy
Managers cannot access any partitions to which they are not assigned.
■ Partition Reporters
Allows the user to generate reports in one or more partitions to which he or
she is specifically assigned. Partition Reporters cannot access data from any
partition to which they are not assigned.
Note: The Partition Policy Manager has permission to perform the tasks of
the Partition Reporter. Assigning the Partition Reporter role is optional
unless you specifically want to give a different user the reporting role.

User Role Descriptions


The following table lists each user role, the associated icon that appears in the Management Console, and
a description of the role's privileges:


Title: Administrator
User Privileges:
Has full administrative authority and can perform all tasks throughout the
Management Console.

Title: Global Policy Manager
User Privileges:
Creates, modifies, and deletes partitions using the Partition Assignment Tree.
Creates, modifies, and deletes branches in Policy Assignment Trees for any
partition.
Configures and runs Endpoint Discovery.
Performs remote installations to endpoints.
Performs Signature Rollback as necessary.
Views and deletes events.
Unlocks locked trees using the Locked Trees page.
Can perform Global Reporter tasks.

Title: Partition Policy Manager
User Privileges:
Read, write, and delete permissions as described for the Global Policy
Manager, but only in his assigned partitions.
Cannot create or modify partitions.
Configures and runs Endpoint Discovery, but only in his assigned partitions.
Performs remote installations to endpoints, but only in his assigned
partitions.

Title: Global Reporter
User Privileges:
Schedules, creates, deletes, and views events and reports for all partitions.
Read-only view in other areas of the Management Console, specifically those
available to Policy Managers.

Title: Partition Reporter
User Privileges:
Read, write, and delete permissions as described for the Global Reporter, but
only in his assigned partitions.
Read-only view in other areas of the Management Console, specifically those
available to Policy Managers.

Title: User Manager
User Privileges:
Assigns roles to users, both global and partition-specific.
Read-only view in other areas of the Management Console.

Title: Audit Archivist
User Privileges:
Sets the retention period for policy-related change history records.
Views all change history records.
Read-only view in other areas of the Management Console related to policy
management and distribution.
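The following is an added example, not CA Total Defense code, that models the access rules this chapter describes: the task sets from the role table, partition-scoped versus global grants, group inheritance, and rights that are fixed for the length of a session. The task labels, the group-membership map, and the refusal to revoke the last Administrator grant are this example's own assumptions (the guide itself only tells you to assign yourself Administrator before removing it from the group).

```python
"""Model of task-based user roles: global and partition-scoped grants,
group inheritance, and per-session rights (added example, not product code)."""
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Tasks taken from the role table; the identifiers are assumed labels.
PARTITION_ADMIN = frozenset({"manage_partitions"})
POLICY_TASKS = frozenset({"manage_policy_trees", "endpoint_discovery",
                          "remote_install", "signature_rollback",
                          "delete_events", "unlock_trees"})
REPORT_TASKS = frozenset({"manage_reports", "view_events"})
USER_TASKS = frozenset({"assign_roles"})
AUDIT_TASKS = frozenset({"set_retention", "view_change_history"})
ALL_TASKS = PARTITION_ADMIN | POLICY_TASKS | REPORT_TASKS | USER_TASKS | AUDIT_TASKS

# Role -> (tasks it may perform, True if the grant is limited to one partition).
ROLES: Dict[str, Tuple[FrozenSet[str], bool]] = {
    "Administrator": (ALL_TASKS, False),
    "Global Policy Manager": (PARTITION_ADMIN | POLICY_TASKS | REPORT_TASKS, False),
    # Includes the Partition Reporter tasks, as the note above states.
    "Partition Policy Manager": (POLICY_TASKS | REPORT_TASKS, True),
    "Global Reporter": (REPORT_TASKS, False),
    "Partition Reporter": (REPORT_TASKS, True),
    "User Manager": (USER_TASKS, False),
    "Audit Archivist": (AUDIT_TASKS, False),
}
ADMIN_GRANT = ("Administrator", None)
Grant = Tuple[str, Optional[str]]  # (role, partition); partition None = global


class RoleStore:
    """Role assignments for users and groups, as held by the Management Server."""

    def __init__(self, admin_group: str = "BUILTIN\\Administrators") -> None:
        self.grants: Dict[str, Set[Grant]] = {}
        self.members: Dict[str, Set[str]] = {}  # group -> member users (assumed source)
        # Installation grants the Administrator role to the local Administrators group.
        self.assign(admin_group, "Administrator")

    def assign(self, principal: str, role: str, partition: Optional[str] = None) -> None:
        _, scoped = ROLES[role]
        if scoped != (partition is not None):
            kind = "per partition" if scoped else "globally"
            raise ValueError(f"{role} must be assigned {kind}")
        self.grants.setdefault(principal, set()).add((role, partition))

    def revoke(self, principal: str, role: str, partition: Optional[str] = None) -> bool:
        """Remove a grant; return False (and do nothing) if it is absent or if no
        Administrator grant would remain anywhere (assumed safeguard)."""
        grant = (role, partition)
        if grant not in self.grants.get(principal, set()):
            return False
        if grant == ADMIN_GRANT and not any(
                ADMIN_GRANT in g for p, g in self.grants.items() if p != principal):
            return False
        self.grants[principal].discard(grant)
        return True

    def effective_grants(self, user: str) -> FrozenSet[Grant]:
        """Direct grants plus those inherited through group membership."""
        grants = set(self.grants.get(user, set()))
        for group, users in self.members.items():
            if user in users:
                grants |= self.grants.get(group, set())
        return frozenset(grants)


class Session:
    """Rights are snapshotted at login; later changes need a logout and login."""

    def __init__(self, store: RoleStore, user: str) -> None:
        self.user = user
        self._grants = store.effective_grants(user)

    def can(self, task: str, partition: Optional[str] = None) -> bool:
        """True if any grant held at login allows the task in that partition."""
        for role, scope in self._grants:
            tasks, scoped = ROLES[role]
            if task in tasks and (not scoped or scope == partition):
                return True
        return False


if __name__ == "__main__":
    store = RoleStore()
    store.members["BUILTIN\\Administrators"] = {"alice"}   # constructed membership
    store.assign("bob", "Partition Policy Manager", "EMEA")
    bob = Session(store, "bob")
    print("bob discovery in EMEA:", bob.can("endpoint_discovery", "EMEA"))
    print("bob discovery in APAC:", bob.can("endpoint_discovery", "APAC"))
    print("alice via group:", Session(store, "alice").can("manage_partitions"))
```

A grant made to bob while his session is open shows up only in a new Session object, matching the re-login rule described under User Role Authentication.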



Appendix A: Procedures
This section contains the following topics:

Management Console (see page 101)
Reports (see page 112)
Events (see page 156)
Endpoints (see page 168)
Partition Assignment Tree (see page 187)
Policy Assignment Tree (see page 201)
Common Tree Procedures (see page 206)
Policies (see page 222)
Licensing (see page 526)
View Endpoint Details (see page 529)
View Product Information (see page 531)
Manage License Requests (see page 535)
Endpoint Discovery (see page 539)
Management Server Proxy (see page 554)
Active Directory (see page 560)
Server Databases (see page 564)
User Roles (see page 577)
Revert to Older Signatures (see page 582)

Management Console

Set General Preferences

The General Preferences let you set the inactivity timeout interval, refresh
interval, and display settings for the Management Console.

To set the General Preferences

1. Click Preferences in the Link menu.
The Console Settings window opens to the General tab.
2. Select one of the following options in the Display Settings section:

■ On displays the Steps to Create Policy pane when you create a policy.
■ Off removes the Steps to Create Policy pane when creating a policy.

3. Enter a refresh interval for the Dashboard in the Dashboard section. The
Dashboard displays will update using the interval you specify.


4. Enter the timeout duration in the Security section. If you do not use the
Management Console before this interval expires, the console logs you out
and you must log back in.
5. Click OK to save the settings and close the window.
The changes take effect immediately.

More information:

Open the Management Console (see page 25)

Set Locale Preferences

The Locale Preferences let you set the language and the time and display format
used throughout the Management Console.

To set the Locale Preferences

1. Click Preferences in the Link menu.
The Console Settings window opens to the General tab.
2. Click Locale.

The Locale tab opens.

3. Use the Language drop-down menu to select the language for the
Management Console.

4. Configure the following options in the Time Format section:

Time Separator
Select the character used to separate the display time.

Hour
Specify whether to display the hour as a one or two digit number.
Show AM/PM

Enable this option to have AM or PM appear in the time display.

Show Seconds
Enable this option to have the seconds appear in the time display.

Time Zone
Select your time zone.


5. Configure the following options in the Date Format section:

Date Separator
Select the character used to separate the date display.

Year
Specify whether to display the year as a two or four digit number.

Month
Select one of the following to specify how to display the month:

■ m displays the month as a one digit number, unless a second
number is necessary.
■ mm displays the month as a two digit number.
■ MMM displays the name of the month as a three-letter abbreviation.
■ MMMM displays the full name of the month.

Show day

Enable this option to add the day of the week to the date display.

Day of Month
Specify whether to display the day as a one or two digit number.

Day of Week
Specify whether to display either a three letter abbreviation or the full
name of the day of the week.

Date Order
Specify the month, day, and year order in the date display.
6. Click Save to save the settings and close the window.

The changes take effect immediately.

This section contains procedures for using the Dashboard.


Refresh Dashboard Content

By default, the Management Console updates the Dashboard panels every ten
minutes. You can refresh the Dashboard contents immediately or you can set an
option to refresh the content more frequently.

To refresh an individual panel

■ Click the Refresh button in the top right corner of the panel, to the left of the
Minimize button.

To refresh all of the panels simultaneously

■ Click the Refresh link located in the Link menu in the upper right corner of
the console.

To change the Dashboard refresh frequency

1. Click Preferences in the Link menu in the upper right corner of the console.
The Preferences dialog appears.

2. Select the General tab and set the Refresh Interval option.
The content of the Dashboard will refresh itself based on the new frequency.

Manage Dashboards

You can add panels, edit, delete, and change the layout of all custom Dashboards
you create.

To add a Dashboard panel

1. Click Dashboard.

2. Expand the Dashboard list and select the Dashboard to which to add a panel.
Note: You cannot add a panel to the default CA Total Defense Dashboard.

3. Right-click the Dashboard and select Add Panels.

The Add Panels page opens.

4. Select the panel or panels to add.

5. Click Add.
The new panel is added to the Dashboard view.

To edit a Dashboard

1. Click Dashboard.
2. Expand the Dashboard list and select the Dashboard to edit.
Note: You cannot edit the default CA Total Defense Dashboard.


3. Click Edit.
The Edit Dashboard page opens. This page is the same as the Create
Dashboard page.

4. Edit the Dashboard as needed:

■ To add a panel, select the panel in the right table and click Add.
■ To remove a panel, select the panel in the left table and click Remove.

5. Once you are finished, click Apply to save your changes.

To delete a Dashboard

1. Click Dashboard.
2. Expand the Dashboard list and select the Dashboard to delete.

Note: You cannot delete the default CA Total Defense Dashboard.

3. Click Delete.
A confirmation window opens.

4. Click Yes.
The selected Dashboard is deleted.

To change the layout of a Dashboard

1. Click Dashboard.
2. Expand the Dashboard list and select the Dashboard whose layout to
change.

3. Use the Layout drop-down menu to select how the panels of the Dashboard
are tiled.
You can select one of the following options:

Side by Side Layout
Display the panels as a series of vertical columns.

Tiled Layout
Display the panels as a series of tiled squares.

Manual Layout
Drag and resize the panels manually to fit your needs.

More Information

Dashboard (see page 27)


Create Custom Dashboards

You can create a custom Dashboard to display the information that is most
important to you.

To create a custom Dashboard

1. Click Dashboard.
2. Click New.
The Create New Dashboard window opens.

3. Enter a unique name and description for the custom Dashboard.

4. (Optional) Select the Make Default Dashboard option to see this Dashboard
when you log into the Management Console.

5. In the Layout section, specify how the panels of the Dashboard are tiled. You
can select one of the following options:

Side by Side Layout
Display the panels as a series of vertical columns.

Tiled Layout
Display the panels as a series of tiled panels.

Manual Layout
Select this option to be able to manually move and resize the panels to fit
your needs.

6. Click Assign Panels to save the Dashboard and open the Edit Dashboard pane
to assign panels to the Dashboard.

To create the Dashboard without panels, click Create Empty Dashboard. You
can later add panels by dragging them from the navigation pane to the
Dashboard or by selecting a panel using the Add to Dashboards button.

7. (Optional) If you clicked Assign Panels, select a panel in the Available Panels
table and click Add to add the panel to the Dashboard. Alternatively, you can
click and drag a panel from the Available Panels to the Dashboard.
To remove a panel, select the panel in the Selected Panels table and click
Remove.

8. Click Apply to apply your changes.

More information:

Manage Dashboards (see page 104)


View the Signatures Panel

The Signatures panel displays the signature status for all endpoints in the
selected partition.

To view the Signature Update Status panel

1. Click Dashboard.
2. Click Panel to expand the panel list.
3. Click Signature Update Status.

The Signatures panel contains a thermometer graph that displays the signature
status of endpoints. The top of the panel shows the version number of the last
signature update and when the update occurred. The graph displays how many
endpoints in the selected partition are using the current signature, how many
have an out of date signature, and how many have not contacted the
Management Server with this information.

View the Endpoints Panel

The Endpoints panel displays statistics for all discovered endpoints. This panel
displays a holistic view of the endpoints in your organization. It is not
partition-specific.

To view the Endpoints panel

1. Click Dashboard.
2. Click Panel to expand the panel list.


3. Click Endpoints.
The Endpoints panel appears and displays the following information:

Last Discovery
Lists the time and date of the last endpoint discovery.

Chart
Displays the number of endpoints in each of the following categories:

■ Managed Endpoints: These endpoints have the Client installed and
have phoned home to the Management Server.
■ Unmanaged, No Installation Attempted: The Management Server
discovered these endpoints, but either no installation package has been
deployed to them, no remote install has been performed on them, or the
Client is installed but has not phoned home yet.
■ Remote Install Failed: The Management Server could not deploy an
installation package to this endpoint or the installation package
failed to install.

View the Malware Panel

The Malware panel displays the number of endpoints that have reported back to
the Management Server as clean or infected. It also displays the number of
endpoints that have not phoned home to the Management Server. You can view
this information for the last 24 hour period or for the last 7-day period. The
information displayed is based on the currently selected partition.

To view the Malware panel

1. Click Dashboard.
2. Click Panel to expand the panel list.
3. Click Malware.

You can view information for the following periods by clicking the appropriate
link:

Last 24 Hours

Displays malware information for the last 24 hours. Information older than
24 hours is omitted.
Last Week

Displays malware information for the 7-day period.


The Malware panel displays information on the following Malware categories:

Clean
The number of endpoints that are clean.

Malware Disarmed
The number of endpoints on which malware was found and cleaned.

Clean, Reboot Required
The number of endpoints on which malware was found and cleaned, but that
must be restarted to complete the cleaning.

Infected
The number of endpoints that are currently infected.

Not Reporting
The number of endpoints that have not reported back on malware found.

Note: The numbers displayed represent the number of endpoints in each
category. An endpoint is put into a category that represents the most serious
condition on the endpoint. For example, if an endpoint has active infections and
also has infections that have been cleaned, it is placed in the Infected category.
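The tally rule just described (each endpoint counted once, in the most serious category its reports within the selected period support, with unreported endpoints counted as Not Reporting), as an added example that is not product code. The event tuple layout and outcome labels are assumptions, and the sample events are constructed.

```python
"""Malware panel tally: most-serious-category-wins per endpoint, within a
Last 24 Hours or Last Week window (added example, not product code)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

# Outcome of one detection as an endpoint might report it (assumed labels).
ACTIVE, CLEANED_REBOOT, CLEANED, NO_MALWARE = "active", "cleaned_reboot", "cleaned", "none"

# Most serious first; an endpoint lands in the first category that applies.
PRECEDENCE = [(ACTIVE, "Infected"),
              (CLEANED_REBOOT, "Clean, Reboot Required"),
              (CLEANED, "Malware Disarmed")]
CATEGORIES = [c for _, c in PRECEDENCE] + ["Clean", "Not Reporting"]

Event = Tuple[str, datetime, str]  # (endpoint, reported_at, outcome)
LAST_24_HOURS = timedelta(hours=24)
LAST_WEEK = timedelta(days=7)


def classify(outcomes: Iterable[str]) -> str:
    """Category for one endpoint, given every outcome it reported in the period."""
    seen = set(outcomes)
    for outcome, category in PRECEDENCE:
        if outcome in seen:
            return category
    return "Clean"  # it reported, and nothing reported was malware


def malware_panel(partition_endpoints: Set[str], events: Iterable[Event],
                  now: datetime, period: timedelta) -> Dict[str, int]:
    """Count the partition's endpoints per category for the chosen period."""
    cutoff = now - period
    outcomes_by_endpoint: Dict[str, List[str]] = defaultdict(list)
    for endpoint, reported_at, outcome in events:
        # Events from other partitions or older than the period are omitted.
        if endpoint in partition_endpoints and cutoff <= reported_at <= now:
            outcomes_by_endpoint[endpoint].append(outcome)
    counts = {category: 0 for category in CATEGORIES}
    for endpoint in partition_endpoints:
        if endpoint in outcomes_by_endpoint:
            counts[classify(outcomes_by_endpoint[endpoint])] += 1
        else:
            counts["Not Reporting"] += 1
    return counts


# Constructed sample data for a partition of five endpoints.
NOW = datetime(2010, 1, 10, 12, 0)
PARTITION = {"ws1", "ws2", "ws3", "ws4", "ws5"}
EVENTS: List[Event] = [
    ("ws1", NOW - timedelta(hours=1), ACTIVE),
    ("ws1", NOW - timedelta(hours=2), CLEANED),    # also cleaned: still Infected
    ("ws2", NOW - timedelta(hours=3), CLEANED_REBOOT),
    ("ws3", NOW - timedelta(hours=5), NO_MALWARE),
    ("ws4", NOW - timedelta(days=2), CLEANED),     # in Last Week, not Last 24 Hours
    ("ws9", NOW - timedelta(hours=1), ACTIVE),     # another partition: ignored
]

if __name__ == "__main__":
    for label, period in (("Last 24 Hours", LAST_24_HOURS), ("Last Week", LAST_WEEK)):
        print(label, malware_panel(PARTITION, EVENTS, NOW, period))
```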

View the CA Global Advisor Panel

The CA Security Advisor panel displays the latest information from the CA
Security Advisor website. This information provides alerts for the latest malware
information and vulnerability threats, as well as CA Research blogs.

To view the CA Security Advisor panel

1. Click Dashboard.
2. Click Panel to expand the panel list.
3. Click CA Global Security Advisor.


You can use the drop-down menu to view the following information:
Latest Malware
Displays information on the latest malware news reported from CA. This
information may include specific ways to remove the malware. In addition,
information about signature updates used to detect and clean the latest
malware is provided in this feed.

Latest Vulnerabilities
Displays the latest information on newly discovered software vulnerabilities.
This information may include information about the availability of patches
that eliminate vulnerabilities.
CA Research Blog
Displays blogs created by the CA Research team.

View the Server Monitor Panel

The Server Monitor panel displays statistics for the system hosting the
Management Server.

To view the Server Monitor panel

1. Click Dashboard.
2. Click Panel to expand the panel list.
3. Click Server Monitor.

The Server Monitor panel is divided into five tabs. The Server Monitor panel
displays the following information:
General
This tab displays general information about the server.

OS Version
The operating system and version information for the server.

Server Up Since
The length of time the server has been active.

Server IP Address
The IP address used by the server.


CPU
This tab displays information about the CPU usage on the server. The graph
displays the CPU usage on the server over the past 5 hour period of time. You
can mouse over a point on the graph to view the time and CPU use
percentage at that moment.
CPU Usage
The percentage of CPU cycles used by the overall CPU activity of the
entire server.

Handles
The total number of handles being used by the server.

Threads
The total number of threads being called by the server.

Processes
The total number of processes being called by the server.

Memory
This tab displays the total memory used and the free memory available on
the server machine in a pie chart.

Disk
This tab displays the total disk space used and the disk space available on
the selected drive of the server machine in a pie chart. You can select
alternate drives using the drop-down menu at the bottom of the display.

Network
This tab displays the network usage information for the server. You can
mouse over a point on the graph to view the time and network use
percentage at that moment.
Packets In
The total number of incoming packets.

Packets Out
The total number of packets sent.

Bytes Received
The total number of bytes received by the server.

Bytes Sent
The total number of bytes sent by the server.

Choose Display Type
Lets you display the chart information as either Packets Per Second or
Data Bytes Per Second.


Reports
This section contains procedures related to reports.

View Report Filters

Report filters help you quickly locate specific types of reports. You create a report
filter by selecting specific filter criteria. When you select the new filter, the
Management Console displays only the reports that match the filter.

To view report filters

1. Click Monitor, Reports, Generated Reports.

2. Click Report Filters.
The Report Filters page opens. For each filter it displays the filter name,
description, and the name of the user who created it.

Use the buttons on this page to perform the following tasks:

New
Creates a filter.

Edit
Modifies an existing filter.

Duplicate
Creates a copy of the filter and appends a number to the filter name.

Delete
Deletes the filter.

Create Report Filters

Report filters let you filter the report information that is displayed on the View
Reports page. You can create report filters that let you view only those reports
that meet your needs.

To create a report filter

1. Under Monitor, click Reports and expand Generated Reports.

2. Click Report Filters.
The Report Filters page opens, populated with the available filters.

3. Click New.
The New Output Filter page opens.


4. Enter a unique name and description for this report filter in the Name and
Description fields.

5. To create the filters, select a filter option, then specify the details for that
option. Select from the following filter options:
Note: You can select multiple filter options.

Time Frame
Filter reports based on a range of time, such as all reports generated
since last week.

Use the drop-down menu to select the time range. You can select any of
the given options, or customize the time range.
To choose a custom range, select the Custom option, configure the time
zone, and enter the start and stop times for the range.

Component
Filter reports based on the component to which the report applies.
For example, select Firewall to view reports that relate only to the
Firewall.

Status
Filter reports based on the status of the report.

For example, to find all failed reports, you can create a filter using the
Failed status option.

Partition
Filter reports based on the partition providing the information for the
report.

Report
Filter reports based on the name of the report.
For example, you can create a filter to display only the specific reports
you need and that apply specifically to you.

Task
Filter reports based on the scheduled task that generated the report.


Initiated By
Filter reports based on text that you supply.

Enter text in the Enter an Initiator field, and click Add to add that text.
The filter displays only reports containing the entered text string.

Action
Filter reports based on the action taken after the report is generated.
For example, to find all reports that are sent to a recipient by email after
generation, select Email.

6. Click OK.
The filter is saved and now appears on the View Reports filter list.

Manage Report Filters

You can edit, delete, and duplicate report filters from the Report Filters page.
■ Edit a report filter to change or modify the existing settings.
■ Duplicate a report filter to create an identical copy of the filter. The copied
filter has the same name as the original, with a number appended to the
name.
■ Delete a report filter to remove it from the list.

To edit, duplicate, or delete a report filter

1. Under Monitor, click Reports and expand Generated Reports.

2. Click Report Filters.
The Report Filters page opens, populated with the available filters.

3. Select the report filter you want to edit, duplicate, or delete.

4. Click the appropriate button:
■ Click Edit to open the Edit Report Filter page. Modify the report filter as
needed and click OK.
■ Click Duplicate to create a copy of the filter.
■ Click Delete to remove the report filter and click Yes to confirm that you
want to delete the filter.


View Reports

You can use the View Reports page to view generated reports, refresh the
information they contain, send reports to other users, and delete reports.

Note: The web browser you use to view reports must have the pop-up blocker
disabled for the Total Defense Management Console URL. If pop-ups are not
disabled, any reports that you attempt to view from the View Reports page in the
Management Console will be blocked or result in a new page overriding the
console's current page.

The View Reports page lists the following information about each report:
Name
Lists the name of the report.

Component
Lists the components of the CA Total Defense system that the report
concerns.

Format
Lists the format used by the report.
Note: The CSV report output uses UTF-8 encoding and should be used for
importing data to other applications and not for report viewing.

Initiated By
Lists the user who created the report.

Status
Lists the status of the report.

Maintenance
Displays a check box indicating if the report is purged during Report
Maintenance. A check mark indicates the report is purged. To prevent a
report from being purged, uncheck this box.

Start Time
Lists the time the report period started.
End Time

Lists the time the report period ended.

You can view all reports, a filtered list of reports, or the contents of a specific
report.


To view, regenerate, send, or delete reports

1. Click Monitor, Reports, Generated Reports.

2. Click View Reports.
The View Reports page opens.

3. Select a filter from the filter drop-down menu to filter the displayed reports.
The View Reports page updates to display only those reports that match the
filter criteria.

4. Select a report and perform one of the following actions:

■ Click View Content to view the report.
■ Click Regenerate to generate an existing report.
■ Click Send to email the report.
■ Click Delete to delete the report from the Report Server.
Note: You must generate a new report to view the information in the
report again.

More information:

View Run History (see page 152)
Maintain Report Storage (see page 154)

Report Configuration

The following procedures describe how to configure reports for CA Total Defense.

For instructions on how to configure reports for CA Total Defense for Unified
Network Control, see the CA Total Defense for Unified Network Control
Administrator Guide or the online help.


Generate, Duplicate, and Delete Reports

From the Report page, you can generate reports, duplicate an existing report, or
delete reports. You can generate a report immediately. You may want to
generate an immediate report if you need up to date information or if you want
to run the report only once. Duplicating an existing report creates a copy of the
report that you can edit. You can create a duplicate if you want to make a new
report with only minor changes from the original report. You may also delete
reports to remove those reports you no longer need.

To generate reports

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand a report category and click the report subcategory containing the
reports you want to generate.
The report page opens, displaying a list of available reports for that
subcategory.

3. Select the report you want to generate.

You may select multiple reports.

4. Click Generate.
The Generate Report page opens.

5. Select the file format for the report. You may select from the following:

PDF
Select this option to produce the report in Portable Document Format
(PDF). If you do not have Acrobat Reader installed on the server, you
may not be able to print this report.

HTML
Select this option to produce the report as a Hypertext Markup Language
(HTML) file.

Word Document
Select this option to produce the report as a Word document (.doc). If
you do not have MS Word 2003 or higher installed on the server, you
may not be able to print this report.

CSV
Select this option to produce the report as a comma-separated values
(CSV) file.

6. Click the Region tab and specify the time zone and culture for the report.


7. (Optional) On the Action tab, specify any actions for the report. You may
specify the following actions:

Email
Use this action to email the report to others. You must specify the
recipients. You may also edit the subject and message body of the email.
You may also specify if the report is included in the email as an
attachment or a compressed attachment.

Print
Use this action to print the report. You must specify the printer, the
number of copies, and the account used for printing the report. To print
PDF and Word document reports, the appropriate application must be
installed on the server.

Run
Use this action to run the report through another application. You must
specify the application's full path. The generated reports drop folder is
passed to this application as a parameter. You must also specify the
account used for this action.

Save
Use this action to save the report to the local disk or a network drive. You
must specify the save location. You must also specify the account used
for this action.

RSS
Select this action to generate an RSS message feed for this report. You
must specify the title, category, and description for the feed. Use the
drop-down arrows next to each field to add variables to the field.

8. Click OK.

The report is generated. You may view generated reports on the View
Generated Reports page.

To duplicate or delete a report

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand a report category and click the report subcategory containing the
report you want to duplicate or delete.


3. Select the report you want to duplicate or delete.

4. Perform one of the following:

■ Click Duplicate to create a copy of the selected report.
The report is duplicated and appears in the reports list under the name of
the original report with a digit appended to its name.

■ Click Delete to remove the selected report. You are prompted to confirm
the deletion. Click Yes to complete the deletion.
The report is deleted from the reports list.

More information:

View Reports (see page 115)
View Scheduled Tasks (see page 150)
Set Reporter Permissions (see page 154)

Configure Anti-Malware Endpoint Reports

The options on the Endpoint page help you to configure Anti-Malware Endpoint
reports. You can create and edit Anti-Malware reports, to specify the settings and
the filters to use in the reports, using the options available on the Endpoint page.
In addition, you can generate, duplicate, or delete reports for the Anti-Malware
Endpoint component from this page.

You can select from the following available filter options for Anti-Malware
component reports:

Time Frame
Filter output based on a range of time. Use the drop-down menu to select a
time range, or select the Custom option, and configure the time zone and the
start and stop times for the range to customize the range.

Events Severity
Filter output based on the severity of the event. You can choose High,
Medium, or Low severity.

Layout Type
Specify the type of layout (pie chart, bar chart, or table) for your report.

Output Count
Filter output to display only a specified number of items. You can also choose
the layout type (pie chart, bar chart, or table) for your output.

Policy State
Filter output based on the policy status. You can filter policies with On or Off
configurations.


IP
Filter output based on a single IP address, IP address range, or subnet you
specify to include or exclude.

Endpoint
Filter output based on a list of endpoints you specify to include or exclude.

Account
Filter output based on user accounts you specify to include or exclude.

Domain
Filter output based on domains you specify to include or exclude.

Malware Name
Filter output based on a malware name you specify to include or exclude.

Malware Type and Category
Filter output based on the malware type and category for viruses and
spyware you specify.

Malware Risk
Filter output based on the level of malware risk you specify.

Malware Status
Filter output based on the malware status you specify.

Malware Detection
Filter output based on the malware detection type you specify.

Note: The filter options displayed depend on the template you have chosen. You
can select multiple filter options.

To create an Anti-Malware Endpoint report

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Anti-Malware, and click Endpoint.
The Endpoint page appears populated with the Anti-Malware Endpoint
reports.

3. Click New.
The Create Report page appears.

4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.

5. Specify partition options for your report. Select the partitions to include in
the report or specify to resolve the user's partition assignment during the
report creation, and click Next.


6. Click the checkboxes next to the appropriate filters to select the filters for
your report.
Use the Add, Remove, and Modify buttons, or the checkboxes and radio
buttons provided to configure your filters.
Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.

7. Click Finish.
Your report appears in the list of reports.

To edit an Anti-Malware Endpoint report

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Anti-Malware, and click Endpoint.
The Endpoint page appears populated with the Anti-Malware Endpoint
reports.

3. Select the report you want to configure and click Edit.
The Edit Report page appears.

4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify partitions to include in the report and
select to resolve the user's partition assignment during the report
creation.

■ The Customization tab lets you edit the filter options for your report and
configure the filters.

■ The General tab lets you view information about when, and by whom,
the report was initiated or modified, and lets you specify to exclude the
report from maintenance avoiding routine deletion after a period of time.

5. Click OK to return to the reports list.

More information:

View Reports (see page 115)
Generate, Duplicate, and Delete Reports (see page 117)
View Scheduled Tasks (see page 150)

Configure Anti-Malware Groupware Reports

The options on the Groupware page help you to configure Anti-Malware
Groupware reports. You can create and edit Groupware reports, to specify the
settings and the filters to use in the reports, using the options available on the
Groupware page. In addition, you can generate, duplicate, or delete reports for
the Anti-Malware Groupware component from this page.


You can select from the following available filter options for Anti-Malware
Groupware component reports:

Time Frame
Filter output based on a range of time. Use the drop-down menu to select a
time range, or select the Custom option, and configure the time zone and the
start and stop times for the range to customize the range.

Layout Type
Specify the type of layout (pie chart, bar chart, or table) for your report.

IP
Filter output based on a single IP address, IP address range, or subnet you
specify to include or exclude.

Endpoint
Filter output based on a list of endpoints you specify to include or exclude.

Sender
Filter output based on sender accounts you specify to include or exclude.

Service
Filter output based on the type of Groupware service. You can specify
Exchange, Lotus Notes, NetApp, or SharePoint.

Recipient
Filter output based on recipient accounts you specify to include or exclude.

Domain
Filter output based on domains you specify to include or exclude.

Malware Name
Filter output based on a malware name you specify to include or exclude.

Malware Type and Category
Filter output based on the malware type and category for viruses and
spyware you specify.

Malware Risk
Filter output based on the level of malware risk you specify.


Malware Status
Filter output based on the malware status you specify.

Malware Detection
Filter output based on the malware detection type you specify.

Note: The filter options displayed depend on the template you have chosen. You
can select multiple filter options.

To create an Anti-Malware Groupware report

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Anti-Malware, and click Groupware.
The Groupware page appears populated with the Anti-Malware Groupware
reports.

3. Click New.
The Create Report page appears.

4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.

5. Specify partition options for your report. Select the partitions to include in
the report or specify to resolve the user's partition assignment during the
report creation, and click Next.

6. Click the checkboxes next to the appropriate filters to select the filters for
your report.

Use the Add, Remove, and Modify buttons, or the checkboxes and radio
buttons provided to configure your filters.

Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.

7. Click Finish.
Your report appears in the list of reports.

To edit an Anti-Malware Groupware report

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Anti-Malware, and click Groupware.
The Groupware page appears populated with the Anti-Malware Groupware
reports.

3. Select the report you want to configure and click Edit.
The Edit Report page appears.


4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify partitions to include in the report and
select to resolve the user's partition assignment during the report
creation.

■ The Customization tab lets you edit the filter options for your report and
configure the filters.

■ The General tab lets you view information about when, and by whom,
the report was initiated or modified, and lets you specify to exclude the
report from maintenance avoiding routine deletion after a period of time.

5. Click OK to return to the reports list.

More information:

View Reports (see page 115)
Generate, Duplicate, and Delete Reports (see page 117)
View Scheduled Tasks (see page 150)

Configure Firewall Reports

The options on the Firewall page help you to configure Firewall reports. You can
create and edit Firewall reports, to specify the settings and the filters to use in
the reports, using the options available on the Firewall page. In addition, you can
generate, duplicate, or delete reports for the Firewall component from this page.

You can select from the following available filter options for Firewall component
reports:

Events Severity
Filter output based on the severity of the event. You can choose High,
Medium, or Low severity.

Time Frame
Filter output based on a range of time. Use the drop-down menu to select a
time range, or select the Custom option, and configure the time zone and the
start and stop times for the range to customize the range.

Output Count
Filter output to display only a specified number of items. You can also choose
the layout type (pie chart, bar chart, or table) for your output.

Direction
Filter output based on the direction, inbound or outbound, of the network
traffic.


Action
Filter output based on the action applied by the firewall. You can filter by
monitored events, or by events prevented by the firewall.

IP
Filter output based on a single IP address, IP address range, or subnet you
specify to include or exclude.

Remote IP
Filter output based on a single remote IP address, remote IP address range,
or remote subnet you specify to include or exclude.

Local Port
Filter output based on a single port, or port range you specify to include or
exclude.

Remote Port
Filter output based on a single remote port, or remote port range you specify
to include or exclude.

Endpoint
Filter output based on a list of endpoints you specify to include or exclude.

App Name
Filter output based on the name of an application you specify to include or
exclude.

App Path
Filter output based on the path of an application you specify to include or
exclude.

App Status
Filter output based on the status of the application. You can filter by Known
or Unknown status.

Policy State
Filter output based on the policy status. You can filter policies with On or Off
configurations.

Domain
Filter output based on domains you specify to include or exclude.

Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.
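The IP, Remote IP, Local Port, Remote Port, Direction, and Action filters above each accept a value in one of several forms (a single address, a "first-last" range, or a subnet; a single port or a port range) and are applied in either include or exclude mode, with every selected filter narrowing the result set further. The following Python is an added example, not CA Total Defense code, that implements those filter semantics over a handful of constructed firewall events so you can see how include and exclude lists combine; the same logic applies to the identical filters in the Intrusion Protection and OS Security report sections later in this appendix. The event fields, function names, and sample addresses are assumptions for the illustration and are not part of the product.

```python
"""Include/exclude matching for the firewall report filters described above.

Added example (not CA Total Defense code). IPv4 only, as the sample data is.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional


def parse_ip_spec(spec: str) -> Callable[[ipaddress.IPv4Address], bool]:
    """Turn one IP filter value (single address, "first-last" range, or
    CIDR subnet) into a predicate over an address."""
    spec = spec.strip()
    if "/" in spec:                                  # subnet, e.g. 10.0.0.0/8
        net = ipaddress.ip_network(spec, strict=False)
        return lambda ip: ip in net
    if "-" in spec:                                  # range, e.g. 10.1.1.5-10.1.1.20
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if first > last:
            raise ValueError(f"range start is after its end: {spec}")
        return lambda ip: first <= ip <= last
    single = ipaddress.ip_address(spec)              # single address
    return lambda ip: ip == single


def parse_port_spec(spec: str) -> Callable[[int], bool]:
    """Turn one port filter value ("443" or "1024-65535") into a predicate."""
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
    else:
        low = high = int(spec)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port filter value: {spec}")
    return lambda port: low <= port <= high


@dataclass
class ListFilter:
    """A list of parsed filter values applied in include or exclude mode."""
    matchers: List[Callable] = field(default_factory=list)
    include: bool = True

    def allows(self, value) -> bool:
        hit = any(m(value) for m in self.matchers)
        return hit if self.include else not hit


@dataclass
class FirewallEvent:                # hypothetical event shape for the example
    local_ip: str
    remote_ip: str
    local_port: int
    remote_port: int
    direction: str                  # "inbound" or "outbound"
    action: str                     # "monitored" or "prevented"


def filter_events(events: Iterable[FirewallEvent],
                  ip: Optional[ListFilter] = None,
                  remote_ip: Optional[ListFilter] = None,
                  local_port: Optional[ListFilter] = None,
                  remote_port: Optional[ListFilter] = None,
                  direction: Optional[str] = None,
                  action: Optional[str] = None) -> List[FirewallEvent]:
    """Keep events that pass every supplied filter (filters combine with AND)."""
    checks = [
        (ip, lambda e: ipaddress.ip_address(e.local_ip)),
        (remote_ip, lambda e: ipaddress.ip_address(e.remote_ip)),
        (local_port, lambda e: e.local_port),
        (remote_port, lambda e: e.remote_port),
    ]
    kept = []
    for ev in events:
        if direction and ev.direction != direction:
            continue
        if action and ev.action != action:
            continue
        if all(f is None or f.allows(get(ev)) for f, get in checks):
            kept.append(ev)
    return kept


SAMPLE_EVENTS = [   # constructed sample data, not real product output
    FirewallEvent("10.1.1.10", "203.0.113.5", 49152, 443, "outbound", "monitored"),
    FirewallEvent("10.1.1.11", "198.51.100.7", 3389, 51000, "inbound", "prevented"),
    FirewallEvent("10.1.2.20", "10.1.2.21", 445, 50000, "inbound", "monitored"),
    FirewallEvent("192.168.5.4", "203.0.113.9", 8080, 443, "outbound", "prevented"),
]


def ip_spec_matches(spec: str, address: str) -> bool:
    """Convenience wrapper: does one filter value match one address?"""
    return parse_ip_spec(spec)(ipaddress.ip_address(address))


def blocked_inbound_from_outside() -> List[FirewallEvent]:
    """Inbound events the firewall prevented, excluding remote peers in 10/8."""
    return filter_events(
        SAMPLE_EVENTS,
        remote_ip=ListFilter([parse_ip_spec("10.0.0.0/8")], include=False),
        direction="inbound", action="prevented")


def high_local_ports_on_site_subnet() -> List[FirewallEvent]:
    """Events on 10.1.0.0/16 hosts whose local port is outside the well-known range."""
    return filter_events(
        SAMPLE_EVENTS,
        ip=ListFilter([parse_ip_spec("10.1.0.0/16")]),
        local_port=ListFilter([parse_port_spec("1024-65535")]))


if __name__ == "__main__":
    for ev in blocked_inbound_from_outside():
        print("prevented inbound:", ev)
    for ev in high_local_ports_on_site_subnet():
        print("high local port:", ev)
```

An exclude list is only ever subtractive: an event with no filter value matching it passes an exclude filter, so a report built solely from exclude lists still returns everything the template covers minus the listed values. When you combine an include list on one field with an exclude list on another, as `blocked_inbound_from_outside` does, the result is the intersection, which is the behaviour to expect from selecting several filter options on the Customization tab.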


To create a Firewall report

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Proactive Protection, and click Firewall.
The Firewall page appears populated with the Firewall reports.

3. Click New.
The Create Report page appears.

4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.

5. Specify partition options for your report. Select the partitions to include in
the report or specify to resolve the user's partition assignment during the
report creation, and click Next.

6. Click the checkboxes next to the appropriate filters to select the filters for
your report.
Use the Add, Remove, and Modify buttons, or the checkboxes and radio
buttons provided to configure your filters.
Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.

7. Click Finish.
Your report appears in the list of reports.

To edit a Firewall report

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Proactive Protection, and click Firewall.
The Firewall page appears populated with the Firewall reports.

3. Select the report you want to configure and click Edit.
The Edit Report page appears.

4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify partitions to include in the report and
select to resolve the user's partition assignment during the report
creation.

■ The Customization tab lets you edit the filter options for your report and
configure the filters.

■ The General tab lets you view information about when, and by whom,
the report was initiated or modified, and lets you specify to exclude the
report from maintenance avoiding routine deletion after a period of time.

5. Click OK to return to the reports list.


More information:

View Reports (see page 115)
Generate, Duplicate, and Delete Reports (see page 117)
View Scheduled Tasks (see page 150)

Configure Application Control Reports

The options on the Application Control page help you to configure Application
Control reports. You can create and edit Application Control reports, to specify
the settings and the filters to use in the reports, using the options available on
the Application Control page. In addition, you can generate, duplicate, or delete
reports for the Application Control component from this page.

You can select from the following available filter options for Application Control
component reports:

Events Severity
Filter output based on the severity of the event. You can choose High,
Medium, or Low severity.

Time Frame
Filter output based on a range of time. Use the drop-down menu to select a
time range, or select the Custom option, and configure the time zone and the
start and stop times for the range to customize the range.

Output Count
Filter output to display only a specified number of items. You can also choose
the layout type (pie chart, bar chart, or table) for your output.

IP
Filter output based on a single IP address, IP address range, or subnet you
specify to include or exclude.

Endpoint
Filter output based on a list of endpoints you specify to include or exclude.

Domain
Filter output based on domains you specify to include or exclude.

App Name
Filter output based on the name of an application you specify to include or
exclude.

App Path
Filter output based on the path of an application you specify to include or
exclude.


App Spawning
Filter output based on the type of application spawning. You can filter
applications that were spawned, applications that run a child application
under their own identity, or applications that run a child application under
their own level of integrity.

Application Start Status
Filter output based on the application launch type. You can filter by known
applications that were started or unknown applications that were started.

Application Discovery Type
Filter output based on the application discovery type. You can filter by
applications that were found and enrolled, applications that were found but
not enrolled because a rule prevented enrollment, or applications that were
not found.

Note: The filter options displayed depend on the template you have chosen. You
can select multiple filter options.

To create an Application Control report

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Proactive Protection, and click Application Control.
The Application Control page appears populated with the Application Control
reports.

3. Click New.
The Create Report page appears.

4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.

5. Specify partition options for your report. Select the partitions to include in
the report or specify to resolve the user's partition assignment during the
report creation, and click Next.

6. Click the checkboxes next to the appropriate filters to select the filters for
your report.
Use the Add, Remove, and Modify buttons, or the checkboxes and radio
buttons provided to configure your filters.
Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.

7. Click Finish.
Your report appears in the list of reports.


To edit an Application Control report

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Proactive Protection, and click Application Control.
The Application Control page appears populated with the Application Control
reports.

3. Select the report you want to configure and click Edit.
The Edit Report page appears.

4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify partitions to include in the report and
select to resolve the user's partition assignment during the report
creation.

■ The Customization tab lets you edit the filter options for your report and
configure the filters.

■ The General tab lets you view information about when, and by whom,
the report was initiated or modified, and lets you specify to exclude the
report from maintenance avoiding routine deletion after a period of time.

5. Click OK to return to the reports list.

More information:

View Reports (see page 115)
Generate, Duplicate, and Delete Reports (see page 117)
View Scheduled Tasks (see page 150)

Configure OS Security Reports

The options on the OS Security page help you to configure OS Security reports.
You can create and edit OS Security reports, to specify the settings and the filters
to use in the reports, using the options available on the OS Security page. In
addition, you can generate, duplicate, or delete reports for the OS Security
component from this page.


You can select from the following available filter options for OS Security
component reports:

Events Severity
Filter output based on the severity of the event. You can choose High,
Medium, or Low severity.

Time Frame
Filter output based on a range of time. Use the drop-down menu to select a
time range, or select the Custom option, and configure the time zone and the
start and stop times for the range to customize the range.

Output Count
Filter output to display only a specified number of items. You can also choose
the layout type (pie chart, bar chart, or table) for your output.

IP
Filter output based on a single IP address, IP address range, or subnet you
specify to include or exclude.

Endpoint
Filter output based on a list of endpoints you specify to include or exclude.

Domain
Filter output based on domains you specify to include or exclude.

Action
Filter output based on the action applied by the firewall. You can filter by
monitored events, or by events prevented by the firewall.

App Name
Filter output based on the name of an application you specify to include or
exclude.

App Path
Filter output based on the path of an application you specify to include or
exclude.


Policy State
Filter output based on the policy status. You can filter policies with On or Off
configurations.

Object Access
Filter output based on the type of object access. Use the drop-down menu
and checkboxes to filter by the following objects:
■ File
■ Registry
■ DLL
■ Device
■ Service
■ Com Object
■ System Privileges

Note: The filter options displayed depend on the template you have chosen. You
can select multiple filter options.

To create an OS Security report

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Proactive Protection, and click OS Security.
The OS Security page appears populated with the OS Security reports.

3. Click New.
The Create Report page appears.

4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.

5. Specify partition options for your report. Select the partitions to include in
the report or specify to resolve the user's partition assignment during the
report creation, and click Next.

6. Click the checkboxes next to the appropriate filters to select the filters for
your report.
Use the Add, Remove, and Modify buttons, or the checkboxes and radio
buttons provided to configure your filters.
Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.

7. Click Finish.
Your report appears in the list of reports.


To edit an OS Security report


1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Proactive Protection, and click OS Security.
The OS Security page appears populated with the OS Security reports.

3. Select the report you want to configure and click Edit.
The Edit Report page appears.

4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify partitions to include in the report and
select to resolve the user's partition assignment during the report
creation.

■ The Customization tab lets you edit the filter options for your report and
configure the filters.

■ The General tab lets you view information about when, and by whom,
the report was initiated or modified, and lets you specify to exclude the
report from maintenance avoiding routine deletion after a period of time.

5. Click OK to return to the reports list.

More information:

View Reports (see page 115)
Generate, Duplicate, and Delete Reports (see page 117)
View Scheduled Tasks (see page 150)

Configure Intrusion Protection Reports

The options on the Intrusion Protection page help you to configure Intrusion
Protection reports. You can create and edit Intrusion Protection reports, to
specify the settings and the filters to use in the reports, using the options
available on the Intrusion Protection page. In addition, you can generate,
duplicate, or delete reports for the Intrusion Protection component from this
page.


You can select from the following available filter options for Intrusion Protection
component reports:

Events Severity
Filter output based on the severity of the event. You can choose High,
Medium, or Low severity.

Time Frame
Filter output based on a range of time. Use the drop-down menu to select a
time range, or select the Custom option, and configure the time zone and the
start and stop times for the range to customize the range.

Output Count
Filter output to display only a specified number of items. You can also choose
the layout type (pie chart, bar chart, or table) for your output.

Action
Filter output based on the action applied by the firewall. You can filter by
monitored events, or by events prevented by the firewall.

IP
Filter output based on a single IP address, IP address range, or subnet you
specify to include or exclude.

Remote IP
Filter output based on a single remote IP address, remote IP address range,
or remote subnet you specify to include or exclude.

Local Port
Filter output based on a single port, or port range you specify to include or
exclude.

Remote Port
Filter output based on a single remote port, or remote port range you specify
to include or exclude.

Endpoint
Filter output based on a list of endpoints you specify to include or exclude.

Domain
Filter output based on domains you specify to include or exclude.

Intrusion Name
Filter the output based on an intrusion name. You can choose to include or
exclude specified intrusion names.

Note: The filter options displayed depend on the template you have chosen. You
can select multiple filter options.


To create an Intrusion Protection report


1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Proactive Protection, and click Intrusion Protection.
The Intrusion Protection page appears populated with the Intrusion
Protection reports.

3. Click New.
The Create Report page appears.

4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.

5. Specify partition options for your report. Select the partitions to include in
the report or specify to resolve the user's partition assignment during the
report creation, and click Next.

6. Click the checkboxes next to the appropriate filters to select the filters for
your report.
Use the Add, Remove, and Modify buttons, or the checkboxes and radio
buttons provided to configure your filters.
Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.

7. Click Finish.
Your report appears in the list of reports.

To edit an Intrusion Protection report

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Proactive Protection, and click Intrusion Protection.
The Intrusion Protection page appears populated with the Intrusion
Protection reports.

3. Select the report you want to configure and click Edit.
The Edit Report page appears.


4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify partitions to include in the report and
select to resolve the user's partition assignment during the report
creation.

■ The Customization tab lets you edit the filter options for your report and
configure the filters.

■ The General tab lets you view information about when, and by whom,
the report was initiated or modified, and lets you specify to exclude the
report from maintenance avoiding routine deletion after a period of time.

5. Click OK to return to the reports list.

More information:

View Reports (see page 115)
Generate, Duplicate, and Delete Reports (see page 117)
View Scheduled Tasks (see page 150)

Configure Vulnerability Assessment Reports

The options on the Vulnerability Assessment page help you to configure reports
for the Vulnerability Assessment component. You can create and edit
Vulnerability Assessment reports, to specify the settings and the filters to use in
the reports, using the options available on the Vulnerability Assessment page. In
addition, you can generate, duplicate, or delete reports for the Vulnerability
Assessment component from this page.

You can select from the following available filter options for Vulnerability
Assessment component reports:

Events Severity
Filter output based on the severity of the event. You can choose High,
Medium, or Low severity.

Last In Time
Filter output based on a time frame. Enter the number of days in the field
provided.

Share Settings
Filter the output based on the settings of shared resources. You can filter by
open connections, unlimited connections, or writable connections.

IP
Filter output based on a single IP address, IP address range, or subnet you
specify to include or exclude.


Output Count
Filter output to display only a specified number of items. You can also choose
the layout type (pie chart, bar chart, or table) for your output.

Time Frame
Filter output based on a range of time. Use the drop-down menu to select a
time range, or select the Custom option, and configure the time zone and the
start and stop times for the range to customize the range.

Account
Filter output based on user accounts you specify to include or exclude.

Endpoint
Filter output based on a list of endpoints you specify to include or exclude.

Domain
Filter output based on domains you specify to include or exclude.

Intrusion Name
Filter the output based on an intrusion name. You can choose to include or
exclude specified intrusion names.

Account State
Filter the output based on the state of the account. You can choose to include
or exclude specified account states.

Password State
Filter the output based on the state of the password. You can choose to
include or exclude specified password states.

Account Lockout
Filter the output based on the lockout status of the account. You can choose
to include or exclude specified lockout states.

Password Property
Filter the output based on the password properties. You can choose to
include or exclude specified password properties.

Note: The filter options displayed depend on the template you have chosen. You
can select multiple filter options.

To create a Vulnerability Assessment report


1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Proactive Protection, and click Vulnerability Assessment.
The Vulnerability Assessment page appears populated with the Vulnerability
Assessment reports.


3. Click New.
The Create Report page appears.

4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.

5. Specify partition options for your report. Select the partitions to include in
the report or specify to resolve the user's partition assignment during the
report creation, and click Next.

6. Click the checkboxes next to the appropriate filters to select the filters for
your report.
Use the Add, Remove, and Modify buttons, or the checkboxes and radio
buttons provided to configure your filters.
Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.

7. Click Finish.
Your report appears in the list of reports.

To edit a Vulnerability Assessment report


1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Proactive Protection, and click Vulnerability Assessment.
The Vulnerability Assessment page appears populated with the Vulnerability
Assessment reports.

3. Select the report you want to configure and click Edit.
The Edit Report page appears.

4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify partitions to include in the report and
select to resolve the user's partition assignment during the report
creation.

■ The Customization tab lets you edit the filter options for your report and
configure the filters.

■ The General tab lets you view information about when, and by whom,
the report was initiated or modified, and lets you specify to exclude the
report from maintenance avoiding routine deletion after a period of time.
5. Click OK to return to the reports list.

More information:

View Reports (see page 115)
Generate, Duplicate, and Delete Reports (see page 117)
View Scheduled Tasks (see page 150)

Configure SMTP Scanner Reports

The options on the SMTP page help you to configure reports for the Gateway
Security SMTP component. You can create and edit SMTP reports, to specify the
settings and the filters to use in the reports, using the options available on the
SMTP page. In addition, you can generate, duplicate, or delete reports for the
Gateway Security SMTP component from this page.

You can select from the following available filter options for Gateway Security
SMTP component reports:

Events Severity
Filter output based on the severity of the event. You can choose High,
Medium, or Low severity.
Output Count
Filter output to display only a specified number of items. You can also choose
the layout type (pie chart, bar chart, or table) for your output.

Time Frame
Filter output based on a range of time. Use the drop-down menu to select a
time range, or select the Custom option, and configure the time zone and the
start and stop times for the range to customize the range.

Source IP
Filter output based on a single source IP address, source IP address range, or
source subnet you specify to include or exclude.

Target IP
Filter output based on a single target IP address, target IP address range, or
target subnet you specify to include or exclude.

Offending Source IP
Filter output based on offending source IPs you specify to include or exclude.

Endpoint
Filter output based on a list of endpoints you specify to include or exclude.

Offending Source Name
Filter output based on offending source names you specify to include or
exclude.

Source Domain
Filter output based on source domains you specify to include or exclude.

Target Domain
Filter output based on target domains you specify to include or exclude.

Policy Rule
Filter output based on the policy rules you specify.

Policy Filter
Filter output based on the policy filters you specify.

Policy Category
Filter output based on the policy categories you specify.

Policy Action
Filter output based on the policy actions you specify.

Policy Direction
Filter output based on a policy direction. You can filter policies in incoming or
outgoing directions.

Sender
Filter output based on sender accounts you specify to include or exclude.

Recipient
Filter output based on recipient accounts you specify to include or exclude.

Malware Name
Filter output based on a malware name you specify to include or exclude.

URL Categories
Filter output based on URL categories. Use the checkboxes to specify the URL
categories to filter.

Note: The filter options displayed depend on the template you have chosen. You
can select multiple filter options.

To create an SMTP report

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Gateway Security, and click SMTP.
The SMTP page appears populated with the SMTP reports.

3. Click New.
The Create Report page appears.

4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.

5. Specify partition options for your report. Select the partitions to include in
the report or specify to resolve the user's partition assignment during the
report creation, and click Next.

6. Click the checkboxes next to the appropriate filters to select the filters for
your report.

Use the Add, Remove, and Modify buttons, or the checkboxes and radio
buttons provided to configure your filters.

Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.

7. Click Finish.
Your report appears in the list of reports.

To edit an SMTP report

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Gateway Security, and click SMTP.
The SMTP page appears populated with the SMTP reports.

3. Select the report you want to configure and click Edit.
The Edit Report page appears.

4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify partitions to include in the report and
select to resolve the user's partition assignment during the report
creation.
■ The Customization tab lets you edit the filter options for your report and
configure the filters.
■ The General tab lets you view information about when, and by whom,
the report was initiated or modified, and lets you exclude the report from
maintenance so that it is not routinely deleted after a period of time.

5. Click OK to return to the reports list.

More information:

View Reports (see page 115)
Generate, Duplicate, and Delete Reports (see page 117)
View Scheduled Tasks (see page 150)

Configure HTTP Scanner Reports

The options on the HTTP page help you to configure reports for the Gateway
Security HTTP component. You can create and edit HTTP reports, to specify the
settings and the filters to use in the reports, using the options available on the
HTTP page. In addition, you can generate, duplicate, or delete reports for the
Gateway Security HTTP component from this page.

You can select from the following available filter options for Gateway Security
HTTP component reports:

Events Severity
Filter output based on the severity of the event. You can choose High,
Medium, or Low severity.

Output Count
Filter output to display only a specified number of items. You can also choose
the layout type (pie chart, bar chart, or table) for your output.

Time Frame
Filter output based on a range of time. Use the drop-down menu to select a
time range, or select the Custom option, and configure the time zone and the
start and stop times for the range to customize the range.

Source IP
Filter output based on a single source IP address, source IP address range, or
source subnet you specify to include or exclude.

Target IP
Filter output based on a single target IP address, target IP address range, or
target subnet you specify to include or exclude.

Endpoint
Filter output based on a list of endpoints you specify to include or exclude.

Account
Filter output based on user accounts you specify to include or exclude.

Source Domain
Filter output based on source domains you specify to include or exclude.

Target Domain
Filter output based on target domains you specify to include or exclude.

Policy Rule
Filter output based on the policy rules you specify.

Policy Filter
Filter output based on the policy filters you specify.

Policy Category
Filter output based on the policy categories you specify.

Policy Action
Filter output based on the policy actions you specify.

Policy Direction
Filter output based on a policy direction. You can filter policies in incoming or
outgoing directions.

URL Categories
Filter output based on URL categories. Use the checkboxes to specify the URL
categories to filter.

Malware Name
Filter output based on a malware name you specify to include or exclude.

Note: The filter options displayed depend on the template you have chosen. You
can select multiple filter options.

To create an HTTP report

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Gateway Security, and click HTTP.
The HTTP page appears populated with the HTTP reports.

3. Click New.
The Create Report page appears.

4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.

5. Specify partition options for your report. Select the partitions to include in
the report or specify to resolve the user's partition assignment during the
report creation, and click Next.

6. Click the checkboxes next to the appropriate filters to select the filters for
your report.

Use the Add, Remove, and Modify buttons, or the checkboxes and radio
buttons provided to configure your filters.

Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.

7. Click Finish.
Your report appears in the list of reports.

To edit an HTTP report

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Gateway Security, and click HTTP.
The HTTP page appears populated with the HTTP reports.

3. Select the report you want to configure and click Edit.
The Edit Report page appears.

4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify partitions to include in the report and
select to resolve the user's partition assignment during the report
creation.
■ The Customization tab lets you edit the filter options for your report and
configure the filters.
■ The General tab lets you view information about when, and by whom,
the report was initiated or modified, and lets you exclude the report from
maintenance so that it is not routinely deleted after a period of time.

5. Click OK to return to the reports list.

More information:

View Reports (see page 115)
Generate, Duplicate, and Delete Reports (see page 117)
View Scheduled Tasks (see page 150)

Configure Unified Network Control Reports

The options on the Unified Network Control page help you to configure Unified
Network Control reports. You can create and edit Unified Network Control
reports, to specify the settings to use in the reports, using the options available
on the Unified Network Control page. In addition, you can generate, duplicate, or
delete reports for the Unified Network Control component from this page.

To create a Unified Network Control report

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Unified Network Control, and click Unified Network Control.
The Unified Network Control page appears populated with the Unified
Network Control reports.

3. Click New.
The Create Report page appears.

4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.

5. Specify whether to use the Time Frame filter option to filter the report
output based on a specific time period.

Use the drop-down menu to select a time range, or select the Custom option,
and configure the time zone and the start and stop times for the range to
customize the range.

6. Click Finish.
Your report appears in the list of reports.

To edit a Unified Network Control report

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Unified Network Control, and click Unified Network Control.
The Unified Network Control page appears populated with the Unified
Network Control reports.

3. Select the report you want to configure and click Edit.
The Edit Report page appears.

4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify partitions to include in the report and
select to resolve the user's partition assignment during the report
creation.
■ The Customization tab lets you edit the filter options for your report and
configure the filters.
■ The General tab lets you view information about when, and by whom,
the report was initiated or modified, and lets you exclude the report from
maintenance so that it is not routinely deleted after a period of time.

5. Click OK to return to the reports list.

More information:

View Reports (see page 115)
Generate, Duplicate, and Delete Reports (see page 117)
View Scheduled Tasks (see page 150)

Configure Scorecard Reports

The options on the Scorecard page help you to configure reports for the Product
Scorecard. The Product Scorecard contains summary information about product
activity. You can create and edit reports, to specify the settings to use in the
reports, using the options available on the Scorecard page. In addition, you can
generate, duplicate, or delete reports for the Product Scorecard from this page.

To create a Product Scorecard report

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Management, and click Scorecard.
The Scorecard page appears populated with the Product Scorecard reports.

3. Click New.
The Create Report page appears.

4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.

5. Specify partition options for your report. Select the partitions to include in
the report or specify to resolve the user's partition assignment during the
report creation, and click Next.

6. Specify whether to use the Score Card filter option to filter the report output
based on the source of the Scorecard.
You can choose either Endpoint or Server Scorecard.

Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.

7. Click Finish.
Your report appears in the list of reports.

To edit a Product Scorecard report

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Management, and click Scorecard.
The Scorecard page appears populated with the Product Scorecard reports.

3. Select the report you want to configure and click Edit.
The Edit Report page appears.

4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify partitions to include in the report and
select to resolve the user's partition assignment during the report
creation.
■ The Customization tab lets you edit the filter options for your report and
configure the filters.
■ The General tab lets you view information about when, and by whom,
the report was initiated or modified, and lets you exclude the report from
maintenance so that it is not routinely deleted after a period of time.

5. Click OK to return to the reports list.

More information:

View Reports (see page 115)
Generate, Duplicate, and Delete Reports (see page 117)
View Scheduled Tasks (see page 150)

Configure Endpoints Reports

The options on the Endpoint page help you to configure Endpoint reports. You
can create and edit Endpoint reports, to specify the settings and the filters to use
in the reports, using the options available on the Endpoint page. In addition, you
can generate, duplicate, or delete reports for Endpoints from this page.

You can select from the following available filter options for Endpoint component
reports:

IP
Filter output based on a single IP address, IP address range, or subnet you
specify to include or exclude.

Endpoint
Filter output based on a list of endpoints you specify to include or exclude.

Platform
Filter the output based on the operating system platform.

Product
Filter the output based on the product. Use the checkboxes to specify the
products to filter.

Version
Filter the output based on the product and signature versions you specify.

Note: The filter options displayed depend on the template you have chosen. You
can select multiple filter options.

To create an Endpoint report

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Management, and click Endpoint.
The Endpoints page appears populated with the Endpoint reports.

3. Click New.
The Create Report page appears.

4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.

5. Specify partition options for your report. Select the partitions to include in
the report or specify to resolve the user's partition assignment during the
report creation, and click Next.

6. Click the checkboxes next to the appropriate filters to select the filters for
your report.

Use the Add, Remove, and Modify buttons, or the checkboxes and radio
buttons provided to configure your filters.

Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.

7. Click Finish.
Your report appears in the list of reports.

To edit an Endpoint report

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Management, and click Endpoint.
The Endpoints page appears populated with the Endpoint reports.

3. Select the report you want to configure and click Edit.
The Edit Report page appears.

4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify partitions to include in the report and
select to resolve the user's partition assignment during the report
creation.
■ The Customization tab lets you edit the filter options for your report and
configure the filters.
■ The General tab lets you view information about when, and by whom,
the report was initiated or modified, and lets you exclude the report from
maintenance so that it is not routinely deleted after a period of time.

5. Click OK to return to the reports list.

More information:

View Reports (see page 115)
Generate, Duplicate, and Delete Reports (see page 117)
View Scheduled Tasks (see page 150)

Configure Policies Reports

The options on the Policies page help you to configure Policy reports. You can
create and edit Policy reports, and specify the settings and the filters to use in
the reports, using the options available on the Policies page. In addition, you can
generate, duplicate, or delete reports for Policies from this page.

To create a Policy report

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Management, and click Policies.
The Policies page appears populated with the Policy reports.

3. Click New.
The Create Report page appears.

4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.

5. Specify partition options for your report. Select the partitions to include in
the report or specify to resolve the user's partition assignment during the
report creation, and click Next.

6. Specify whether to use the Policy Information filter option to filter the report
output based on the policy information.

Use the checkboxes to select the partition name and the policy textual
description.

Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.

7. Click Finish.
Your report appears in the list of reports.

To edit a Policy report

1. Under Monitor, click Reports and expand Configure Reports.

2. Expand Management, and click Policies.
The Policies page appears populated with the Policy reports.

3. Select the report you want to configure and click Edit.
The Edit Report page appears.

4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify partitions to include in the report and
select to resolve the user's partition assignment during the report
creation.
■ The Customization tab lets you edit the filter options for your report and
configure the filters.
■ The General tab lets you view information about when, and by whom,
the report was initiated or modified, and lets you exclude the report from
maintenance so that it is not routinely deleted after a period of time.

5. Click OK to return to the reports list.

More information:

View Reports (see page 115)
Generate, Duplicate, and Delete Reports (see page 117)
View Scheduled Tasks (see page 150)

View Scheduled Tasks

Use the Scheduled Tasks page to view, edit, or delete an existing task. You can
also create a new task or select an existing task and duplicate it.

This page also lets you submit a Scheduled Task for generation.

The Scheduled Tasks page displays the following information for each scheduled
task:

Name
The name of the scheduled task.

Modified By
The user who created or last modified the scheduled task.

Format
The format used by the scheduled task.

Scheduler
How often the scheduled task runs. The task can be scheduled to run one time
only, daily, weekly, or monthly.

Description
The description given when the scheduled task was created.

You can view existing Scheduled Tasks, create a new Scheduled Task, and then
run the task immediately if necessary.

To view the scheduled tasks

1. Under Monitor, click Reports and expand Scheduled Tasks.

2. Click Scheduled Tasks.
The Scheduled Tasks page opens, displaying a list of your scheduled tasks.

3. Use the buttons on this page to create a new scheduled task, run a scheduled
task immediately, create a duplicate copy of a selected task, or edit or delete
a scheduled task.

Create Scheduled Tasks

Scheduled Tasks let you schedule when reports are generated. You can create
recurring tasks that generate reports on a regular basis, or tasks that run only
once.

You can also run any task on demand later using the Go button on the View
Scheduled Tasks page.

To create a scheduled task

1. Under Monitor, click Reports and expand Scheduled Tasks.

2. Click Scheduled Tasks.
The Scheduled Tasks page opens.

3. Click New.
The Create Scheduled Task page opens.

4. Enter a unique name and description for this scheduled task in the Name and
Description fields.

5. Select the reports you want this scheduled task to generate and click Next.
The Select File Format page opens.

6. Select the file format generated by the reports and click Next.

7. Specify the output method and provide details for that output as necessary
and click Next.

8. Specify how frequently this task should occur and the time for the scheduled
task to run.

9. Click Finish.
The Scheduled Task is created and added to the Scheduled Task list.

Manage Scheduled Tasks

From the Scheduled Tasks page, you can manage the tasks you have scheduled.
You can edit a scheduled task to modify the settings, duplicate a task to copy it,
run a scheduled task immediately, or delete the task to remove it from the
schedule.

To run, edit, duplicate, or delete a scheduled task

1. Under Monitor, click Reports and expand Scheduled Tasks.

2. Click Scheduled Tasks.
The Scheduled Tasks page opens.

3. Select the appropriate scheduled task and click one of the following:

■ To run the task immediately, click Go.
The Management Console runs the scheduled task and the resulting
reports are available on the View Reports page as soon as the task
finishes.

■ To edit the task settings, click Edit.
The Edit Schedule Task page opens. Modify the task settings and click
OK to save your changes.

■ To copy the task, click Duplicate.
The Management Console duplicates the scheduled task and saves the
duplicate under the original task name with a number appended to it.

■ To remove the task from the schedule, click Delete.
You are prompted to confirm the deletion. Click Yes to complete the
deletion. The Management Console deletes the scheduled task.

View Run History

The Run History page lets you view all previously run scheduled tasks that have
not been deleted.

To view the Run History page

1. Under Monitor, click Reports and expand Scheduled Tasks.

2. Click Run History.
The Run History page opens.

The Run History page displays the following information for each scheduled task:

Name
The name of the scheduled task.

Initiated By
The user who ran the scheduled task.

Format
The format used by the scheduled task.

Type
The type of the scheduled task.

Status
The status of the scheduled task.

Start Time
The time the scheduled task began.

End Time
The time the scheduled task finished.

From this page, you can delete the Run History records if necessary.

To delete run history records

1. Under Monitor, click Reports and expand Scheduled Tasks.

2. Click Run History.
The Run History page opens.

3. Select the records you want to delete and click Delete.
You are prompted to confirm the deletion.

4. Click Yes.
The records are deleted.

More information:

View Reports (see page 115)
View Events (see page 156)

Customize Report Scheme

Customizing the report scheme lets you determine the look and feel of generated
reports. You can create a custom header and footer and include a logo graphic on
your report.

To customize the report scheme

1. Under Monitor, click Reports and expand Settings.

2. Click Scheme Customization.
The Scheme Customization page opens.

3. To add a logo, click Browse, and locate the logo to add.
The logo must be a valid image file type that meets the following width, height,
and background color requirements:
■ Image width: up to 145 pixels
■ Image height: up to 45 pixels
■ Image background color: RGB 0x2D3133 (decimal values: Red = 45,
Green = 49, Blue = 51)

4. To add a header or footer, select the Font Name and Font Size, and enter the
text in the Header or Footer text fields.

5. (Optional) Click Preview and specify an output format to see a preview of the
scheme.
The preview opens in a pop-up window. You must enable pop-ups to see the
preview. Close the pop-up window to exit the preview.

6. Click Apply to save your changes.

Maintain Report Storage

Reports are stored on the hard drive of the Event Server. If you do not
periodically maintain report storage space, you may encounter size limitations.
Report Maintenance lets you limit the length of time that reports are stored.

To maintain your report storage

1. Under Monitor, click Reports and expand Settings.

2. Click Maintenance.
The Report Management Settings page opens.

3. Enter the maximum number of days for which reports are stored.
Any report older than this limit is deleted.

4. Click Apply to save your changes.

Set Reporter Permissions

Certain actions that reporters perform may require specific permissions to run
successfully. The Reporter Permissions page lets you add active users with the
permissions necessary to run report-specific actions. The most common access
rights include:
■ Access to the printer to perform the print action
■ Access to a specific application to perform the run action
■ Write access to the upload folder to perform the upload action

You may want to create a specific user account with these privileges and a
non-expiring password.

To view the Reporter Permissions page

1. Under Monitor, click Reports and expand Settings.

2. Click Reporter Permissions.
The Reporter Permissions page opens and displays all known reporter
permissions.

This page lists the user's domain name and the description entered when
creating reporter permissions.

To add reporter permissions

1. Under Monitor, click Reports and expand Settings.

2. Click Reporter Permissions.
The Reporter Permissions page opens.

3. Click Add.
The User Credentials window opens.

4. Enter the Domain, User name, and Password for the reporter.

5. Enter a description for this reporter.

6. (Optional) Click Validate to ensure the information entered is valid. Once you
click this button, the Management Console attempts to access the domain
using the reporter credentials provided. Any errors are reported.

7. Click OK to save your changes and return to the Reporter Permissions page.

To edit reporter permissions

1. Under Monitor, click Reports and expand Settings.

2. Click Reporter Permissions.
The Reporter Permissions page opens.

3. Select a reporter from the list and click Edit.
The User Credentials window opens and displays the reporter details.

4. Edit the Domain, User name, and Password for the reporter.

5. Edit the description for this reporter.

6. (Optional) Click Validate to ensure the information entered is valid. Once you
click this button, the Management Console attempts to access the domain
using the reporter credentials provided. Any errors are reported.

7. Click OK to save your changes and return to the Reporter Permissions page.

To delete a reporter permission

1. Under Monitor, click Reports and expand Settings.

2. Click Reporter Permissions.
The Reporter Permissions page opens.

3. Select a reporter from the list.

4. Click Delete.
The reporter permission is deleted.

Events

This section contains procedures related to events.

View Events

The View Events page lets you review all the events that occur on your network.
When viewing events, you must first select a filter.

To view events

1. Select Events, and select View Events.
The View Events page opens, displaying either a blank tab or the last filter
results you selected.

2. Select a filter from the drop-down menu.

3. Click Go.
The View Events page creates a new tab, displaying events that match the
filter criteria.

From this page you can view more details about an event or delete an event.

To view more details about an event

1. Select Events, and select View Events.
The View Events page opens, displaying either a blank tab or the last filter
results you selected.

2. Select a filter from the drop-down menu.

3. Click Go.
The View Events page creates a new tab, displaying events that match the
filter criteria.

4. Select an event.

5. Click View Event.
The event information is displayed in a new pane on the right side of the
page. Click Hide Event to close this pane.

Delete Events

You may find it necessary to delete events after viewing.

To delete an event

1. Select Events, and on the Events Viewer page, select View Events.
The View Events page opens, displaying either a blank tab, or the last filter
results you selected.

2. Select a filter from the drop-down menu.

3. Click Go.
The View Events page creates a new tab, displaying events that match the
filter criteria.

4. Select an event and click Delete.
You are prompted to confirm the deletion.

5. Click Yes.
The event is deleted.

View Event Filters

Event Filters let you limit the events displayed to only those that match your
filter criteria. Using the Event Filters lets you focus on your tasks at hand instead
of sorting through all the events manually.

To view the available Event Filters

1. Click Events.

2. Click Filter Events.
The Filter Events page opens, displaying a list of Event Filters available.

From the Filter Events page you can create, edit, duplicate, and delete Event
Filters. Additionally, you can delete all filtered events from this page.

To edit an Event Filter

1. Click Events.

2. Click Filter Events.
The Filter Events page opens, displaying a list of Event Filters available.

3. Select the Event Filter you want to edit.

4. Click Edit.
The Event Filter Properties page for that filter opens.

5. Make any necessary changes.

6. Click OK.
The changes are saved and you are returned to the Filter Events page.

To delete an Event Filter

1. Click Events.

2. Click Filter Events.
The Filter Events page opens, displaying a list of Event Filters available.

3. Select the Event Filter you want to delete.

4. Click Delete.
A pop-up warning appears.

5. Click Yes.
The filter is deleted and you are returned to the Filter Events page.

To duplicate an Event Filter


1. Click Events.

2. Click Filter Events.


The Filter Events page opens, displaying a list of Event Filters available.

3. Select the Event Filter you want to duplicate.

4. Click Duplicate.
A duplicate of the filter is created, with a number appended to the end of the
name.


To delete all filtered events


1. Click Events.

2. Click Filter Events.


The Filter Events page opens, displaying a list of Event Filters available.

3. Click Delete Events.


A pop-up warning appears.
4. Click Yes.

The events are deleted and you are returned to the Filter Events page.

Create Event Filters

Creating an Event Filter lets you specify the filtering criteria that apply with that
filter.

To create an Event Filter


1. Select Events, and select Filter Events.
The Filter Events page opens, displaying a list of available Event Filters.

2. Click New.
The New Event Filter page opens.

3. Enter a name and description for the filter.

4. Specify the components to which the filter applies, and click Next.
You must select at least one component.

5. Specify the Database to which the filter applies and click Next. You may
specify the current Database. You may skip this page if you have no
backed-up databases.

6. Specify the partitions to which the filter applies, or specify that the partitions
are resolved when the filter is executed, and click Next.

7. Select and specify any additional custom filter information and click Next.

8. Specify the columns to be displayed with the filter results.

9. Click Finish.
The filter is created, and you are returned to the Filter Events page.


View Statistics

The Statistics page displays information on the size of the Event Database, and
lists the number of events by severity.

To view the Statistics page

1. Under Monitor, select Events, and expand Events Viewer.


2. Click Statistics.
The Statistics page opens.

The Statistics page is divided into two panes, Database Sizing and Events by
Severity. The Database Sizing pane displays the following information:

Database file size

The maximum size allocated for the Event Database.

Database file size used

The current size of the Event Database.

The Events by Severity pane displays the following information:

High Severity Events

The total number of High severity events found in the Event Database.

Medium Severity Events

The total number of Medium severity events found in the Event Database.

Low Severity Events

The total number of Low severity events found in the Event Database.

Event Notification Configuration

Configure Event Notification General Options

The General configurations for event notification let you specify the SMTP and
RSS provider information used when sending out notifications.

To configure SMTP or RSS provider information

1. Under Monitor, click Events, and expand Notifications.


2. Expand Configuration.

3. Click General.
The General page opens.


4. Select the type of provider. You can specify SMTP Provider or RSS Provider.
The settings for your SMTP Provider or RSS Provider appear.

5. Specify information for your SMTP or RSS Provider.


■ If you selected SMTP Provider, enter the following information:

– SMTP Server Address: The IP address for the SMTP server.

– Port: The port number used to contact the SMTP server.

– Sender Account: The email address used to send all notification
emails.

■ If you selected RSS Provider, enter the following information:

– Storage Limit: The maximum storage size allocated for the RSS
feed.

– Title Name: The title name used for this RSS feed.

– Title Description: The title description used for this RSS feed.

6. If you selected SMTP Provider and your SMTP Server uses authentication,
select Enable SMTP Server Authentication and provide the user name and
password used to access the SMTP Server. Use a dedicated, send-only
mailbox for the Sender Account and for these credentials rather than a
personal or administrative account.
7. Click Apply to save your settings.

Alternatively, click Discard to delete any changes you made.

Configure Event Notification Settings

You can send event notifications through email, RSS feed, or as Windows NT
Events. The event notification settings control how often a notification attempt is
made, and what actions are taken if the notification fails. The settings are the
same for all types of notifications, but you can specify different values for each
type of notification. For example, you could have email notification attempted
every 10 minutes and RSS feeds attempted every 5 minutes. When configuring
notification settings, you first specify the notification format, then the settings
for that format.

To specify the notification settings

1. Under Monitor, click Events and expand Notifications.


2. Expand Configuration.

3. Click Settings.
The Settings page opens.

4. Select the Notification Format whose settings you want to configure.


You can select Email, Windows NT Event, or RSS.


5. Specify the following information:

Notification is failed after X attempts to send

Enter the number of attempts allowed before the Event Server declares
that the notification failed to send.

Time interval between attempts

Specify the number of minutes the Management Console waits between
each notification attempt.

6. (Optional) If you want the Event Server to attempt to resend failed
notifications after you have changed the settings, enable Retry after
notification properties have been changed.

7. (Optional) In the storage pane, you may enable the following settings:

Keep sent notifications

Stores sent notifications on the Event Server.

Keep failed notifications

Stores failed notification attempts on the Event Server. Keep failed
notifications if you want to review or resend them from the Email, RSS,
or Windows NT Events monitor pages.

8. Click Apply to save your settings. Click Discard to delete any changes you
made. If you wish the same settings to be applied across all notification
formats, click Apply to All.

View Email Event Notifications

You can view Email Event Notifications that have been generated by CA Total
Defense from the Email page. In addition, you can send certain notifications, or
delete a notification from the list.

Note: The Management Console prevents you from sending notifications with a
status of Sent or Data Error.

To view, send, or delete Email Event Notifications

1. Under Monitor, click Events and expand Notifications.

2. Expand Monitor, and select Email.


If Email Event Notifications are enabled, a list of Email Event Notifications
appears displaying the following parameters:

To
The recipient's email address
Subject

The subject of the Email Event Notification

Date
The date the Email Event Notification was generated


Attempt
The number of attempts made to send the notification

Status
Whether the notification has been successfully sent

3. Select the appropriate Email Event Notification and perform one of the
following:
■ To view the properties for that notification, click Properties.
■ To send that notification, click Send Now.

■ To delete that notification, click Delete.


Depending on your selection, the Properties are displayed or the selected
Email Event Notification is resent or deleted.

For more information about Email Event Notification Properties, see Set
Email Event Notification Properties.
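The retry and storage settings described under Configure Event Notification Settings, and the Send Now restriction on this and the RSS and Windows NT Events monitor pages, follow one state model: a notification is Pending until it is Sent, becomes Failed after the configured number of attempts, and is never attempted at all when it has a Data Error. The following Python script is an added example written for this guide, not CA Total Defense code; its class and function names, the simulated minute clock, the rule that a recipient without '@' counts as a Data Error, and the reset of the attempt counter when failed notifications are re-queued are all assumptions of the example.

```python
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    PENDING = "Pending"
    SENT = "Sent"
    FAILED = "Failed"
    DATA_ERROR = "Data Error"

@dataclass
class Settings:
    max_attempts: int = 3             # "Notification is failed after X attempts to send"
    interval_minutes: int = 10        # "Time interval between attempts"
    retry_after_change: bool = False  # "Retry after notification properties have been changed"
    keep_sent: bool = True            # "Keep sent notifications"
    keep_failed: bool = True          # "Keep failed notifications"

@dataclass
class Notification:
    subject: str
    recipient: str
    attempts: int = 0
    status: Status = Status.PENDING
    due_at: int = 0                   # minute on a simulated clock

class NotificationQueue:
    """One queue per format (Email, RSS, Windows NT Event); each has its own Settings."""
    def __init__(self, settings, deliver):
        self.settings = settings
        self.deliver = deliver        # transport callback: returns True when the send succeeded
        self.items = []

    def enqueue(self, n):
        # Assumption: a recipient without '@' is what the console shows as 'Data Error'.
        if "@" not in n.recipient:
            n.status = Status.DATA_ERROR
        self.items.append(n)

    def _attempt(self, n, now):
        s = self.settings
        n.attempts += 1
        if self.deliver(n):
            n.status = Status.SENT
        elif n.attempts >= s.max_attempts:
            n.status = Status.FAILED
        else:
            n.due_at = now + s.interval_minutes
        # Storage pane: a finished notification stays listed only if its setting says so.
        drop = (n.status is Status.SENT and not s.keep_sent) or (n.status is Status.FAILED and not s.keep_failed)
        if drop and n in self.items:
            self.items.remove(n)

    def tick(self, now):
        """Attempt every pending notification whose retry interval has elapsed."""
        for n in list(self.items):
            if n.status is Status.PENDING and n.due_at <= now:
                self._attempt(n, now)

    def send_now(self, n, now):
        """Manual resend; refused for Sent and Data Error, as the console does."""
        if n.status in (Status.SENT, Status.DATA_ERROR):
            return False
        n.status = Status.PENDING
        self._attempt(n, now)
        return True

    def apply_settings(self, new, now):
        """Install new settings; with retry_after_change, re-queue Failed items and return
        how many. Resetting the attempt counter to zero is an assumption of this example."""
        self.settings = new
        requeued = 0
        for n in self.items:
            if new.retry_after_change and n.status is Status.FAILED:
                n.status, n.attempts, n.due_at = Status.PENDING, 0, now
                requeued += 1
        return requeued

def demo():
    """Constructed scenario: one deliverable address, one that always bounces, one malformed."""
    q = NotificationQueue(Settings(3, 10), lambda n: n.recipient == "soc@example.test")
    ok = Notification("High severity event", "soc@example.test")
    bad = Notification("Medium severity event", "nobody@bounce.example.test")
    malformed = Notification("Low severity event", "not-an-address")
    for n in (ok, bad, malformed):
        q.enqueue(n)
    for now in (0, 10, 20, 30):                                # simulated clock ticks
        q.tick(now)
    out = {"statuses": {n.subject: n.status.value for n in q.items},
           "bad_attempts": bad.attempts}                       # stopped at max_attempts
    out["send_now_sent"] = q.send_now(ok, 30)                  # refused: already Sent
    out["send_now_data_error"] = q.send_now(malformed, 30)     # refused: Data Error
    out["send_now_failed"] = q.send_now(bad, 30)               # allowed, attempted once more
    out["requeued"] = q.apply_settings(Settings(5, 10, retry_after_change=True), 40)
    out["bad_after_requeue"] = bad.status.value
    # With "Keep failed notifications" off, a Failed item disappears from the list.
    q2 = NotificationQueue(Settings(1, 10, keep_failed=False), lambda n: False)
    q2.enqueue(Notification("Test", "nobody@bounce.example.test"))
    q2.tick(0)
    out["kept_after_fail"] = len(q2.items)
    return out
```

Run `demo()` to see the three statuses after four clock ticks, the two refused Send Now calls, and the single re-queued notification once retry-after-change is enabled; the last key shows why a failed notification you never saw on the monitor page may simply have been discarded by the storage setting rather than sent.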

Set Email Event Notification Properties

You can set Email Event Notification Properties to customize the recipients of the
notification emails.

The Email Event Notification Properties displays the following information for
each notification listed:
Created

The date the Email Event Notification was created


Modified
The date the Email Event Notification was last modified

Last Attempt
The date of the last attempt to send the Email Event Notification

Priority

The priority of the Email Event Notification

Attempts
The number of attempts made to send the Email Event Notification

Status
Whether the Email Event Notification has been successfully sent


Using the Email Event Notification Properties list, you can add, edit, or remove
recipients from the notification.

To add, edit, or remove recipients


1. Under Monitor, click Events and expand Notifications.
2. Expand Monitor, and select Email.

If Email Event Notifications are enabled, a list of Email Event Notifications
appears.

3. Select an Email Event Notification, and click the Properties button.

The Email Event Notification properties appear displaying the recipients,
subject, message, and attachments that are used in the email.

4. Perform one of the following to add, edit, or remove a recipient:

■ Select a recipient and click Edit to edit that recipient. Make any
necessary changes, and then press Enter to save those changes.
■ Enter an email address and click Add to add a new email recipient for this
notification.
■ Select a recipient and click Remove to remove an email recipient from
this notification.

5. Click OK.
Your changes are saved.
To exit the page without saving your changes, click Discard.

View RSS Event Notifications

You can view RSS Event Notifications that have been generated by CA Total
Defense from the RSS page. In addition, you can send certain notifications, or
delete a notification from the list.

Note: The Management Console prevents you from sending notifications with a
status of Sent or Data Error.

To view, send, or delete RSS Event Notifications


1. Under Monitor, click Events and expand Notifications.

2. Expand Monitor, and select RSS.


If RSS Event Notifications are enabled, a list of RSS Event Notifications
appears displaying the following parameters:

Subject

The subject of the RSS Event Notification


Date

The date the RSS Event Notification was generated


Attempt
The number of attempts made to send the notification

Status
Whether the notification has been successfully sent

3. Select the appropriate RSS Event Notification and perform one of the
following:
■ To view the properties for that notification, click Properties.
■ To send that notification, click Send Now.

■ To delete that notification, click Delete.


Depending on your selection, the Properties are displayed or the selected
RSS Event Notification is resent or deleted.

For more information about RSS Event Notification Properties, see RSS
Event Notification Properties.

RSS Event Notification Properties

You can view RSS Event Notification properties to review detailed information
about RSS Event Notifications.

The RSS Event Notification list displays the following information for each
notification:

RSS Info

The type of RSS Event Notification


Message

The message displayed in the RSS Event Notification

Link
If a hyperlink is included in the RSS Event Notification, it is displayed here

Source
The source of the RSS Event Notification
Category

The category of the RSS Event Notification


The information section displays the following information for the RSS Event
Notification:

Created
The date the RSS Event Notification was created
Modified

The date the RSS Event Notification was last modified

Last Attempt
The date of the last attempt to send the RSS Event Notification

Priority
The priority of the RSS Event Notification

Attempts
The number of attempts to send the RSS Event Notification
Status

Indicates if the RSS Event Notification has been successfully sent

View Windows NT Event Notifications

You can view Windows NT Event Notifications that have been generated by CA
Total Defense from the Windows NT Events page. In addition, you can send
certain notifications, or delete a notification from the list.

Note: The Management Console prevents you from sending notifications with a
status of Sent or Data Error.

To view, send, or delete Windows NT Event Notifications

1. Under Monitor, click Events and expand Notifications.


2. Expand Monitor, and select Windows NT Events.
If Windows NT Event Notifications are enabled, a list of Windows NT Event
Notifications appears displaying the following parameters:

Source
The source of the Windows NT Event Notification

Type
The type of event. This can be an Error Event, an Information Event, or
a Warning Event

Date
The date the Windows NT Event Notification was generated


Attempt
The number of attempts made to send the notification

Status
Whether the notification has been successfully sent

3. Select the appropriate Windows NT Event Notification and perform one of the
following:
■ To view the properties for that notification, click Properties.
■ To send that notification, click Send Now.

■ To delete that notification, click Delete.


Depending on your selection, the Properties are displayed or the selected
Windows NT Event Notification is resent or deleted.

For more information about Windows NT Event Notification Properties, see
Windows NT Event Notification Properties.

Windows NT Event Notification Properties

You can view Windows NT message properties to review detailed information
about Windows NT Event Notifications.

The Windows NT Event Notification list displays the following information for
each notification:
Subject

The subject of the Windows NT Event Notification.


Message
The message displayed in the Windows NT Event Notification.

Source
The source of the Windows NT Event Notification.

Type

The category of the Windows NT Event Notification.


Computer
The IP address of the computer that sent the Windows NT Event Notification.


The information section displays the following information for each Windows NT
Event Notification:

Created
The date the Windows NT Event Notification was created
Modified

The date the Windows NT Event Notification was last modified

Last Attempt
The date of the last attempt to send the Windows NT Event Notification

Priority
The priority of the Windows NT Event Notification

Attempts
The number of attempts made to send the Windows NT Event Notification
Status

Indicates whether the Windows NT Event Notification has been successfully
sent

Endpoints
The following sections provide procedures related to managing endpoints.

View Endpoints

The View Endpoints page lets you see either the managed or unmanaged
endpoints. If an endpoint appears on the managed list, it has successfully
phoned home. If an endpoint appears on the unmanaged list, the endpoint has
been discovered but has not successfully phoned home.

To view the endpoints

1. In the Navigation pane, click Endpoints.


The Endpoints Navigation pane expands.

2. Click View Endpoints.


The View Endpoints page opens, displaying the managed endpoints.
3. Use the endpoint drop-down menu to switch the view and display the
unmanaged endpoints.


You can navigate through the list of endpoints using either the page drop-down
menu, or the navigation arrows located in the lower right section of the page.
You can also filter the endpoint lists.

The information displayed on the View Endpoints page varies depending on
which list you are viewing. The View Endpoints page displays the following
information:

Endpoint Name
The name of the endpoint.

IP Address
The IP addresses of the endpoint.

Platform

The operating system in use by the endpoint.


Note: In some cases, the Endpoint Discovery process may not be able to
precisely identify the specific operating system version running on an
endpoint. Because of this the Platform shown for these endpoints in the
Unmanaged Endpoints display is shown as a list of the possible OS versions,
such as Windows 2003/Windows XP, rather than a specific version.

Partition

The partition to which the endpoint has been assigned. This information is
only shown for managed endpoints.

Products

The CA Total Defense products that are installed on the endpoint. This
information is only shown for managed endpoints.

First Discovered

The date the endpoint was first detected during a discovery process. This
information is only shown for unmanaged endpoints.

Click the appropriate button to perform any of the following tasks:

Filter
Open the Filter pane to filter the list of endpoints displayed.
Install

Install one or more CA Total Defense products on the selected endpoints.


Delete
Delete the selected endpoint from the list. This button does not appear if you
are viewing unmanaged endpoints. Unmanaged endpoints are removed from
the list by the Discovery process once they are no longer found.
Details

View detailed information about a specific endpoint. Select the endpoint and
click Details to view the information.

More information:

Filter the Endpoint View (see page 170)

Filter the Endpoint View

When you first access the View Endpoints page, the Management Console
retrieves the full endpoint list from the database. Filtering lets you narrow down
the endpoints the Management Console displays. When filtering the Endpoint
View page, you can select one of the following Filter options:

Filter This List


Use this option to filter the current list of endpoints stored in the
Management Console's memory and displayed by the Management Console.
When filtering, the Management Console does not access the endpoint list on
the database, only the list stored in its memory. If another user or process
changes the endpoint list stored in the database, this filter does not show
these changes.
Once you enter filter criteria, each page displays only the endpoints
matching the filter criteria. The number of pages is not changed. If a page
contains no endpoints that match the criteria, the page is blank but not
removed from the list. For example, if you have 7 pages of endpoints listed
before filtering, you will have 7 pages after filtering.

If you enter filtering criteria, then click Clear, the Management Console
returns to displaying the entire list of endpoints stored in its memory.


Retrieve New List


Use this option to retrieve a new list of endpoints from the database, based
on the criteria you entered. The Management Console displays this filtered
list and stores the list in its memory. You must click Submit to retrieve the
filtered list.
If you select some filter criteria and choose the Retrieve New List option, the
Management Console stores only the filtered subset of the endpoints in its
memory. To see endpoints that are not in this subset, you must filter again
using the Retrieve New List option with a different filter or no filter.

If another user or process changes the endpoint list stored in the database
after you open this page but before you click Submit, this filter option
displays those changes in the filtered results. If changes are made after you
click Submit, you can update the display by clicking the Refresh button or
filtering again with the same criteria.

You can filter both the managed endpoint list and the unmanaged list. The
criteria you can use depend on which list you select to filter.

Note: All filtering criteria are optional. We recommend that you only use the
options you need.

To filter the current list of endpoints stored in the Management
Console's memory
1. Open the View Endpoints page, and select the endpoint list to filter.
2. Click the double arrows next to Filter to expand the filter options.

3. Select Filter This List.


4. Select and enter your filter criteria.

As you enter the information, the list actively narrows displaying only those
endpoints that match your selection. You can use the following criteria:
Endpoint Name
Enter an endpoint name to locate that endpoint. Enter a partial name or
a string of characters to see only endpoints matching that string or
partial name. This filter criterion is available for both the managed
endpoint list and the unmanaged endpoint list.
IP Address

Enter an IP address to locate the endpoint with that address. You can enter
a partial address or a string of characters to find all endpoints matching
that string or partial address. This filter criterion is available for both the
managed endpoint list and the unmanaged endpoint list.


Platform
Select a platform from the drop-down menu to filter endpoints based on
the operating system installed on the endpoint. This filter criterion is
available for both the managed endpoint list and the unmanaged
endpoint list.
Note: In some cases, the Discovery process may not be able to precisely
identify the specific operating system version running on an endpoint.
Because of this the Platform shown for these endpoints in the
Unmanaged Endpoints display is shown as a list of the possible OS
versions, such as Windows 2003/Windows XP, rather than a specific
version. The Platform drop-down menu includes both the specific OS
version choices and all pairs of possible ambiguous choices. The filter
matches the exact choice from the drop-down. That is, selecting one of
the ambiguous OS items from the drop-down causes the filter to show
endpoints with that specific combination of OS possibilities. Selecting
one of the unambiguous OS items causes the filter to show only those
endpoints that exactly match that OS.

Partition

Select a partition from the drop-down menu to filter endpoints based on
the partition to which the endpoint is assigned. This filter criterion is only
available for the managed endpoint list.

Product
Select a product from the drop-down menu to filter endpoints based on
the products installed on the endpoint. This filter criterion is only
available for the managed endpoint list.

Date First Discovered

Select dates in the From and To fields to filter the endpoints based on the
date discovered. Select a date in the From field to display all endpoints
discovered on or after this date. Select a date in the To field to display all
endpoints discovered before or on this date. Select dates for both the
From and To fields to display all endpoints discovered during this date
range.

This filter criterion is only available for the unmanaged endpoint list.
To clear the filter, click Clear. The page displays the unfiltered endpoint list.

Alternatively, you may want to retrieve and filter the endpoints listed in the
database. When filtering endpoints in this manner, you must click Submit to view
the filtered list.

To retrieve a new list of endpoints from the database, based on the
criteria you entered
1. Open the View Endpoints page, and select the endpoint list to filter.
2. Click the double arrows next to Filter to expand the filter options.


3. Select Retrieve New List.


The Management Console displays a message reminding you that Retrieve
New List checks the current database details only after you click Submit.

4. Select and enter your filter criteria. You may use the following filter criteria:

Endpoint Name

Filter endpoints based on their names.

Enter an endpoint name to locate that endpoint. You may use wildcards
to display a list of endpoints matching your search criteria.

This filter criterion is available for both the managed endpoint list and
the unmanaged endpoint list.

IP Address

Filter endpoints based on IP address.

Enter an IP address to locate the endpoint with that address. You may
use wildcards to display a list of endpoints matching your search criteria.
For example, filtering on 255.255.255.* would display endpoints in the
255.255.255.000 to 255.255.255.255 range.

This filter criterion is available for both the managed endpoint list and
the unmanaged endpoint list.

Platform
Filter endpoints based on the operating system installed on the endpoint.
This filter criterion is available for both the managed endpoint list and
the unmanaged endpoint list.

Partition
Filter endpoints based on the partition to which the endpoint is assigned.
This filter criterion is only available for the managed endpoint list.


Product
Filter endpoints based on the products installed on the endpoint. This
filter criterion is only available for the managed endpoint list.

Date First Discovered

Filters endpoints based on the date the endpoint was discovered.

Select a date in the From field to locate all endpoints discovered on or
after this date. Select a date in the To field to locate all endpoints
discovered before or on this date. Select dates for both the From and To
fields to locate all endpoints discovered during this date range.

This filter criterion is only available for the unmanaged endpoint list.
5. Click Submit.
The endpoint list shows only those endpoints that match your filtering
criteria.

To clear any options you've entered and see the unfiltered list, click Clear, then
Submit.
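The two filter modes above differ in three ways that matter when you are hunting for a specific host: Filter This List matches any substring of the name or address and keeps the page count (empty pages included), while Retrieve New List matches wildcards against the whole value, repaginates, and sees endpoints that another user or a discovery run added after your page was loaded. The following Python script is an added example written for this guide, not CA Total Defense code; the Endpoint record, the case-insensitive whole-value wildcard rule, and the sample endpoint list are constructed assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

@dataclass
class Endpoint:
    name: str
    ip: str
    platform: str
    partition: Optional[str] = None                    # managed endpoints only
    products: List[str] = field(default_factory=list)  # managed endpoints only
    first_discovered: Optional[date] = None            # unmanaged endpoints only

def wildcard(pattern):
    """'*' matches any run of characters, everything else is literal, and the whole
    value must match. Whole-value and case-insensitive matching are assumptions."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.IGNORECASE)

def matches(ep, crit, partial):
    """partial=True: Filter This List (any substring of the name or address).
    partial=False: Retrieve New List (wildcards against the whole value)."""
    def text_ok(value, pat):
        if pat is None:
            return True
        return pat.lower() in value.lower() if partial else wildcard(pat).fullmatch(value) is not None

    if not text_ok(ep.name, crit.get("name")) or not text_ok(ep.ip, crit.get("ip")):
        return False
    # Platform is an exact pick from the drop-down: the ambiguous entry
    # "Windows 2003/Windows XP" matches only endpoints reported exactly that way.
    for key in ("platform", "partition"):
        if crit.get(key) is not None and getattr(ep, key) != crit[key]:
            return False
    if crit.get("product") is not None and crit["product"] not in ep.products:
        return False
    frm, to = crit.get("from"), crit.get("to")           # inclusive on both ends
    if (frm or to) and ep.first_discovered is None:
        return False
    return not (frm and ep.first_discovered < frm) and not (to and ep.first_discovered > to)

def paginate(rows, page_size):
    return [rows[i:i + page_size] for i in range(0, len(rows), page_size)]

def filter_this_list(pages, crit):
    """In-memory filter: the page count never changes; a page with no matches stays, empty."""
    return [[ep for ep in page if matches(ep, crit, partial=True)] for page in pages]

def retrieve_new_list(db, crit, page_size):
    """Re-query the (constructed) database with wildcard criteria and repaginate."""
    return paginate([ep for ep in db if matches(ep, crit, partial=False)], page_size)

def demo():
    """Constructed unmanaged-endpoint list, two endpoints per page."""
    db = [
        Endpoint("ws01", "10.0.0.11", "Windows XP", first_discovered=date(2010, 1, 5)),
        Endpoint("ws02", "10.0.0.12", "Windows 2003/Windows XP", first_discovered=date(2010, 1, 8)),
        Endpoint("srv01", "10.0.1.5", "Windows 2003", first_discovered=date(2010, 1, 10)),
        Endpoint("srv02", "10.0.1.6", "Windows 2003/Windows XP", first_discovered=date(2010, 1, 12)),
        Endpoint("lab-ws03", "10.0.0.130", "Windows XP", first_discovered=date(2010, 2, 1)),
    ]
    pages = paginate(db, 2)                                   # what the console loaded into memory
    names = lambda pgs: [ep.name for page in pgs for ep in page]
    in_mem = filter_this_list(pages, {"ip": "10.0.0."})
    out = {
        "in_memory_pages": len(in_mem),                       # still 3, one of them empty
        "in_memory_empty_pages": sum(1 for p in in_mem if not p),
        "in_memory_hits": names(in_mem),
        "db_pages": len(retrieve_new_list(db, {"ip": "10.0.0.*"}, 2)),          # repaginated to 2
        "substring_names": names(filter_this_list(pages, {"name": "ws0"})),     # includes lab-ws03
        "wildcard_names": names(retrieve_new_list(db, {"name": "ws0*"}, 2)),    # excludes it
        "ambiguous_platform": names(retrieve_new_list(db, {"platform": "Windows 2003/Windows XP"}, 2)),
        "date_range": names(retrieve_new_list(db, {"from": date(2010, 1, 8), "to": date(2010, 1, 12)}, 2)),
    }
    # A discovery run adds an endpoint after the page was loaded: the in-memory
    # filter cannot see it, a Retrieve New List query can.
    db.append(Endpoint("ws04", "10.0.0.14", "Windows XP", first_discovered=date(2010, 2, 3)))
    out["stale_hits"] = names(filter_this_list(pages, {"ip": "10.0.0."}))
    out["fresh_hits"] = names(retrieve_new_list(db, {"ip": "10.0.0.*"}, 2))
    return out
```

The substring mode is the one to reach for while scanning a page you already have; when the question is "is this host known to the console right now", use the database query, because the in-memory list is only as fresh as the moment you opened the page.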

View Managed Endpoint Details

The Endpoint Details page provides additional information for each managed
endpoint. You can only view details for managed endpoints.

To view the managed endpoint details

1. In the Navigation pane, click Endpoints.


The Endpoints Navigation pane expands.
2. Click View Endpoints.

The View Endpoints page opens, displaying the Managed Endpoints.

3. Select an endpoint and click Details.

The Endpoint Details page opens to the General tab.


4. To close the Endpoint Details page, click Close.


Click the tabs of the Endpoint Details page to navigate through the information
on the page. The tabs provide the following information:

General
The General tab provides general information for the endpoint, including the
partition to which the endpoint is assigned, the last time the endpoint
phoned home to the Server for policy updates, the operating system, version
and service pack used on the endpoint, whether the endpoint uses a 32-bit
or 64-bit architecture, and the time zone and locale of the endpoint.
In addition, it provides a table with information about the network interfaces
found on the endpoint, including the name, type, and description for the
interface, the MAC address and IP address, and the status of the interface on
the endpoint.
Note: The Last Phone Home Time field displays the last time the endpoint
phoned home and exchanged information with the Management Server.
Because of the Phone Home feature's automatic optimizations, not all phone
home attempts result in an information exchange. If there is no information
exchange, the Last Phone Home Time does not change. An information
exchange is unnecessary when there are no changes on the Management
Server or endpoint.
If a long interval has passed since the last phone home time listed for the
endpoint, and the Policy tab shows that the policies are not up to date on the
endpoint, you should verify that the endpoint can phone home.

Products
The Products tab lists the name and version of the CA Total Defense products
installed on the endpoint. In addition, this page provides a table with
information about the components installed on the endpoint which make up
each product, including the name and installed version of the component,
the latest version of the component available for distribution, and indicates
whether the component is up to date or requires updating.

If a component requires updating, you can click the Update button on this
tab to run a full update job, to update all components specified in the
Content Update configuration on the endpoint.


Policies
The Policies tab lists policy information for the endpoint, including the policy
types assigned to the endpoint, the name of the specific policy assigned for
that policy type, and the branch to which the endpoint is assigned.
In addition, the Policies tab indicates the last time the policy was updated on
the Server, the last time the policy was updated on the endpoint, and
whether the policy is up to date on the endpoint.

Custom Variables
Branches can be divided based on a CA-provided variable or a custom
variable that you define. The Custom Variables field lists any custom
variables assigned to the endpoint:
Custom Variable Name

The name of the custom variable. The Custom Variable Name is
case-insensitive, and must consist only of the characters a-z, 0-9, '-',
'_', or '.'.

Custom Variable Value

The value assigned to the custom variable. The Custom Variable Value
can be any character except '!', '=', or ','.
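These naming rules are easy to get wrong when variables are set from a script rather than by hand: because names are case-insensitive, 'Site' and 'site' are the same variable, and a value containing ',' or '=' is rejected. The following Python validator is an added example written for this guide, not CA Total Defense code; its function names, the lowercase normalisation, and the requirement that a value be non-empty are assumptions of the example.

```python
import re

# Names: a-z, 0-9, '-', '_' or '.', compared case-insensitively.
_NAME_RE = re.compile(r"[a-z0-9._-]+")
# Values: any character except '!', '=' or ','.
_VALUE_FORBIDDEN = frozenset("!=,")


def normalize_name(name):
    """Names are case-insensitive, so store them lowercased; 'Site' and 'site'
    then refer to one variable instead of silently coexisting."""
    return name.lower()


def valid_name(name):
    # fullmatch rejects the empty string, whitespace, and non-ASCII letters such as 'é'.
    return _NAME_RE.fullmatch(normalize_name(name)) is not None


def valid_value(value):
    # Requiring a non-empty value is an assumption of this example.
    return bool(value) and not (_VALUE_FORBIDDEN & set(value))


def set_custom_variable(variables, name, value):
    """Validate and store one variable in the mapping; raises ValueError on bad input."""
    if not valid_name(name):
        raise ValueError("invalid custom variable name: %r" % name)
    if not valid_value(value):
        raise ValueError("invalid custom variable value for %r: %r" % (name, value))
    variables[normalize_name(name)] = value
    return variables


def demo():
    """Constructed input: the second assignment overwrites the first because the
    names differ only in case."""
    v = {}
    set_custom_variable(v, "Site", "Paris FR")
    set_custom_variable(v, "site", "Lyon FR")
    set_custom_variable(v, "rack.id-2", "r2_b")
    return v
```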

Manage Centralized Deployments

Use the Total Defense r12 Centralized Deployment page to assign installation
packages to endpoints. Installation packages contain CA Total Defense products
you want to install and their corresponding policies. When you create a package,
you can specify the applicable policies to include in the package and then assign
packages to both unmanaged and managed endpoints.

From this page, you can deploy installation packages to endpoints.

1. Select the endpoints, either managed or unmanaged, and view the Manage
Centralized Deployments page for those endpoints.
2. Create or edit the installation packages (see page 179).

3. Deploy installation packages to the selected endpoints (see page 181).

The Total Defense r12 Centralized Deployment page displays the installation
packages available and lets you specify the details, such as the installation
directory or locale, to use when setting up an installation package for an
endpoint. From this page, you can also access the Configuration for New Package
page, to create new deployment packages.

Important! If you click Close or navigate away from this page using the
Navigation pane, the changes you make are not saved.


To view the Total Defense r12 Centralized Deployment page


1. In the Navigation pane, click Endpoints.

The Endpoints Navigation pane expands.


2. Click View Endpoints.
The View Endpoints page opens, displaying the Managed Endpoints.

Note: Use the endpoint drop-down menu to switch the view to the
unmanaged endpoints, if necessary.

3. Select the endpoint or endpoints whose deployment page you want to view
and click Install.
The Total Defense r12 Centralized Deployment page opens, displaying the
following information:

Endpoint Name
The name of the endpoint.
Package

The installation package to be deployed to this endpoint. This field is
blank until you assign a package.

Target Directory

The target directory for the installation package. When you deploy a
package and you do not specify a Target Directory, the default directory
is used.
NA appears in this field on the managed endpoints list because the
directory has already been specified for managed endpoints.

Locale

The language to be used by the installation package on the endpoint.

NA appears in this field on the managed endpoints list because the locale
has already been specified for managed endpoints.

Reboot

Indicates whether you have specified a reboot after the CA Total Defense
products are installed.

Yes indicates that the endpoint will reboot.

Comp. Uninstall
Indicates whether the installation package will attempt to uninstall other
anti-malware products before installing CA Total Defense products.

NA appears in this field on the managed endpoints list because other
anti-malware products must be uninstalled before you can install CA
Total Defense products.


Login
The login credentials provided for this installation package.

For unmanaged endpoints, you specify this information before deploying
the installation package. Use a dedicated deployment account that has
only the rights needed to install software on the target endpoints rather
than a domain administrator account.

NA appears in this field on the managed endpoints list because managed
endpoints do not require login credentials for new installation packages.

Status
The status of the deployment job. If Ready for Deployment does not
appear in this field, you must specify additional details or add an
installation package before starting the deployment.

4. Use the buttons on this page to perform the following tasks:

Setup
Use the Setup drop-down menu to specify additional details when
installing a package to an unmanaged endpoint.
See the Deploy Installation Packages to Endpoints (see page 181) help
page for more information.

Add
Click Add, enter the name of a new endpoint, and click OK to add a new
endpoint to the list. Endpoints must be added by name.
If you click Close or navigate away from this page using the Navigation
pane, the changes you make are not saved. The Add button allows you
to add additional endpoints without navigating away from the page.

Remove
Select an endpoint and click Remove to remove the endpoint from the
list.

Assign Package
Click Assign Package to assign a package to the endpoint.

Unassign Package
Click Unassign Package to remove the package from the endpoint.

Details

Select an endpoint from the list and click Details to view the Endpoint
Details page for the selected endpoint.


New
Click New to create new install packages.

Edit
Select an installation package from the list and click Edit to edit the
selected package.

Delete
Select an installation package from the list and click Delete to delete the
selected package.

More information:

Deploy Installation Packages to Endpoints (see page 181)


Create New Installation Packages (see page 179)

Create New Installation Packages

You must use an installation package to install the CA Total Defense products to
the endpoints in your system using the remote install feature. When you create
an installation package, you can select the components to install and the policies
you want to associate with those specific components.

An installation package includes a policy for each policy type required by the
components selected for that package. The package is initialized with the default
policy of each policy type, but you can change the policy selection when creating
the package.

To create an installation package

1. In the Navigation pane, click Endpoints.

The Endpoints Navigation pane expands.


2. Click View Endpoints.

The View Endpoints page opens, displaying the Managed Endpoints.

3. Select the endpoint or endpoints whose deployment page you want to view and
click Install.
The Total Defense r12 Centralized Deployment page opens.

4. Click New.
The Configuration for New Package page opens.

5. Enter a name and a unique description for this package in the Package Name
and Package Description fields.


6. Use the Select Products drop-down menu to select the products installed by
this package.

The package contains a policy for each of the policy types associated with all
of the products in the package.

7. (Optional) Specify the policies to associate with this package.

To do so, click a policy type in the Policy Types in Selected Products list,
select a policy from the Available Policies for Selected Policy Type list, and
click Select Policy.
Note: If you do not select a policy, the product is installed with the default
policy for that type.

The Available Policies for Selected Policy Type list displays the following
information about the policies available:

■ A checkmark indicates the policy currently assigned to the package.
■ The policy name in bold is the default policy.
■ The table displays the name of the policy and indicates whether the
policy is specific to a partition (by displaying the name of that partition)
or is a global policy.

8. Save the installation package, using one of the following options:

■ Click Save to save the installation package. You can then assign the
package to endpoints for remote installation.
■ Click Save to Disk to open the Save Package to Disk window and save the
package to a specific location on the server. You can then copy the
package to a CD or DVD for direct installation onto an endpoint.
The deployment package is created and appears in the Package list or is
saved to the specified location.

Save an Installation Package to Disk

The Save Package to Disk window lets you specify the path and folder name used
when creating an installation package. The path can be anyplace on the
Management Console. The Management Console uses the name to create a
folder that contains the files for this specific package under the path you
specified. For example, if you specify C:\packages\03_10_2010 as the path, and
"this_one" as the name, then the files for this package are located in
C:\packages\03_10_2010\this_one. The name must be a valid Windows folder
name. If the target location already exists, the Management Console asks if you
want to replace this folder.


To save an installation package to disk


1. From the Save Package to Disk window, enter the following information:

Full Directory Path
Specify a location on the Management Console. You must specify a valid
Windows full path, such as C:\packages\03_10_2010.

Name
Specify the name of the folder. The Management Console uses the name
to create a folder that contains the files for this specific package under
the path you specified. The name must be a valid Windows folder name.
2. Click OK.
The installation package is saved to the folder created in the path you
specified.

Deploy Installation Packages to Endpoints

To install CA Total Defense products on endpoints, you must either deploy an
installation package or use an installation package that you saved to disk. From
the Management Console, you can deploy an installation package to unmanaged
or managed endpoints.

Important! If you click Close or navigate away from this page using the
Navigation pane, the changes you make are not saved. You must then restart the
deployment procedure.

To deploy installation packages on the endpoints


1. In the Navigation pane, click Endpoints.

The Endpoints Navigation pane expands.


2. Click View Endpoints.
The View Endpoints page opens, displaying the Managed Endpoints.

Use the endpoint drop-down menu to switch the view to display unmanaged
endpoints.

3. Select the endpoints to which to deploy the package.

Click a single endpoint to select it. To select multiple endpoints, hold down
the Ctrl key and click each endpoint. To select a range of endpoints, select
the first endpoint in the range, hold down the Shift key and select the last
endpoint in the range.

4. Click Install.
The Total Defense r12 Centralized Deployment page opens and displays the
View Endpoints table, populated with the selected endpoints.


5. Select the endpoints to which to assign the installation package.

6. Select the installation package to deploy to the selected endpoints from the
Package List and select Assign from the Assign drop-down menu.
Alternatively, drag the packages from the Package List to each endpoint.
The installation packages are assigned to the endpoints.

7. If you install the package to an unmanaged endpoint, you must specify
additional details before deploying. Use the Set Up drop-down menu to
specify the following options:

Specify Login Credentials
Enter the user name and password of an account with administrative
rights on the endpoint. You must specify login credentials only when you
assign a package to an unmanaged endpoint; managed endpoints do not
require them.

Specify Target Directory
Specify the target directory for the install.

Specify Locale
Specify the language used by the CA Total Defense product installed on
the endpoint.

Set Reboot Options
Specify the reboot options once the package is installed. You must
reboot the endpoint for it to be properly protected.

When issuing a reboot command, ensure that end users have enough
time to save their work before rebooting, or allow them to delay the
reboot to a more convenient time.

Run Competitive Uninstaller
Configure the deployment package to attempt to remove other
anti-malware products before installing the Client.

Due to the nature of most anti-malware products, you must uninstall
other products before installing a new one. If you do not, the other
anti-malware products may conflict with the new installation, or treat the
installation as a malware attack and block it.

8. Click Deploy.

The package is deployed to the selected endpoints.


Click Refresh to view the updated details on this deployment job. When the
package arrives at the endpoint, the components and policies the package
contains are installed.


Delete Endpoints

You can remove managed endpoints from your list by deleting the endpoint. You
cannot delete unmanaged endpoints. Unmanaged endpoints are removed from
the list by the Discovery process once they are no longer found.

To delete an endpoint

1. In the Navigation pane, click Endpoints.


The Endpoints Navigation pane expands.

2. Click View Endpoints.


The View Endpoints page opens, displaying the Managed Endpoints.
Note: Do not switch the view to the unmanaged endpoints, as you cannot
delete unmanaged endpoints.

3. Select the endpoint to delete.

4. Click Delete.

You are prompted to confirm the deletion.


5. Click Yes.
The selected endpoint is deleted from the endpoint list.

Review Deployment Jobs

You can review your deployment jobs using the Review Deployment Jobs page.
You can also view details for each deployment job record.

To view the deployment jobs

1. In the Navigation pane, click Endpoints.


The Endpoints Navigation pane expands.
2. Click Review Deployment Jobs.

The Review Deployment Jobs page opens and displays the following
information:

Target Endpoint

The target of each job.


Package
The package assigned to the endpoint.


Time Started
The time when the deployment was started.

Status
The status of the deployment job.
Last Status Update

The date the deployment job's status was last updated.


3. (Optional) Use the Purge drop-down menu on the Review Deployment Jobs
page to purge records from the list.

To view the details for the deployment job record

Select a record and click Details to view the following detailed information
about the selected record:
Target Endpoint
The target of this job.

Assigned Package
The package assigned to the endpoint.
Target Directory

The target directory for the deployment job.

Locale
The locale specified for the deployment job.

Force Reboot
Whether the deployment job forces a reboot of the endpoint after
deployment.

Reboot Delay
Whether a forced reboot can be delayed by the endpoint user.
If a forced reboot is not specified, NA appears in this field.

Allow Reboot Cancel
Whether a forced reboot can be canceled by the endpoint user.
If a forced reboot is not specified, NA appears in this field.

Run Competitive Uninstall
Whether the deployment job attempts to uninstall competitor products
before deploying to the endpoint.

Login ID
The Login ID used by the deployment job.


Time Job Started
The time the job was started.

Time of Last Status Update
The time the last status update from the deployment was sent.
Status

The current status of the deployment job.

More information:

Filter Deployment Job Records (see page 185)


Purge Deployment Job Records (see page 186)
Create New Installation Packages (see page 179)

Filter Deployment Job Records

As you view your deployment job records, you can use the filter options to
narrow down the list. Narrowing down the list lets you see only those jobs that
match your filter criteria. When filtering the deployment job records, you can
select one of the following Filter options:

Filter This List
This option filters the current list of deployment job records. Once you enter
the filter criteria and click Submit, each page displays only the
deployment job records matching the filter criteria. The list is filtered per
page, meaning that if you had 7 pages of deployment job records listed before
filtering, you still have 7 pages after filtering, though some pages may be
blank because they contained no matching deployment job records. The
Management Console does not query the deployment job records in the
database when you use this option.

Retrieve New List
This option filters the deployment job records list in the database. Once you
enter the filter criteria and click Submit, the Management Console queries the
database and returns only those deployment job records that match your
filter criteria. The list displayed is updated; the number of pages displayed
is reduced to the minimum needed to display all results.

Note: All filtering criteria are optional. It is recommended that you only use the
options you need.

To filter the current deployment job records list

1. In the Navigation pane, click Endpoints.


The Endpoints Navigation pane expands.
2. Click Review Deployment Jobs.


3. Click the double arrows next to Filter to expand the filter options.

4. Select Filter This List.

5. Select and enter your filter criteria.

As you enter the information, the list actively narrows, displaying only those
deployment job records that match your selection.

To clear the filter, click Clear.

Alternatively, you may want to filter all deployment job records in the
database. When filtering all records in this manner, you must click Submit to
view the filtered list.

To filter all deployment job records

1. In the Navigation pane, click Endpoints.


The Endpoints Navigation pane expands.
2. Click Review Deployment Jobs.

3. Click the double arrows next to Filter to expand the filter options.

4. Select Retrieve New List.

The Management Console displays a message reminding you that Retrieve
New List checks the current database details only after you click Submit.

5. Select and enter your filter criteria.

6. Click Submit.

The list shows only those deployment job records that match your filtering
criteria.

To reset the list, click Clear, then click Submit again to refresh the list.

Purge Deployment Job Records

You can purge deployment job records to make maintaining your records an
easier task. You have two options when purging records: you can perform an
active purge of either selected records or all records prior to a specified date, or
you can set up an automatic purge.

To purge deployment job records

1. In the Navigation pane, click Endpoints.


The Endpoints Navigation pane expands.

2. Click Review Deployment Jobs.


The Review Deployment Jobs page opens.


3. Select one of the following options:


Purge Selected Records

Select a record or set of records, then choose this option to purge only
the selected records.

Purge Records Prior to

Select this option then specify a date to purge all records prior to that
date.
4. Click OK.

The purge completes, deleting the necessary records.

To set up an automatic purge of deployment job records

1. In the Navigation pane, click Endpoints.


The Endpoints Navigation pane expands.
2. Click Review Deployment Jobs.

The Review Deployment Jobs page opens.

3. Select Set Automatic Purge from the Purge drop-down menu.

4. Enter a day limit.

When any record becomes older than this limit, it is automatically purged.
5. Click OK.
Records that exceed the limit are purged.

Partition Assignment Tree


This section contains procedures related to the Partition Assignment Tree.

View the Partition Assignment Tree

The Partition Assignment Tree page lets you create new branches, subdivide
existing branches, and view detailed information for each branch. You perform
these actions when you want to modify the default Partition Assignment Tree.

Note: Before you modify the Partition Assignment Tree, read the About the
Partition Assignment Tree section in the CA Total Defense Administration Guide.

To view the Partition Assignment Tree page, click Maintain, Policies, Policies and
Partitions.

The Partition Assignment Tree opens displaying a list of defined partitions.


The Partition Assignment Tree page displays the following information about
each partition:

Partition Name
Lists the name assigned to the partition.
Description

Lists the description given to the partition.


# Endpoints
Lists the total number of endpoints found in the particular partition.

The Partition Assignment Tree page contains the following buttons:

Note: The procedures for these buttons are covered on subsequent help pages.

Lock/Unlock
Locks and unlocks the tree. Locking the Partition Assignment Tree prevents
another user from changing partitions while you work on them. You must
lock the tree before you can edit, delete, or subdivide partition branches.

New
Creates new partitions or subdivides an existing branch. If you do not select
a partition and click New, you create a new partition. If you select a
partition or branch and click New, you subdivide that partition or branch.

Edit
Edits the selected partition or branch.

Delete
Deletes the selected partition or branch.

Details
Provides detailed information for the selected partition or branch.
Manage Policies

Displays the Policy Assignment Tree for the selected policy type.

Additionally, you can use the buttons found under Policy Categories to change
the list of available Policy Types. To change the list, click a Policy Category.


You can find and select a particular partition using the Find tool.

To find a partition

1. Click Maintain, Policies, Policies and Partitions.


The Partition Assignment Tree opens.

2. Click the Double arrow next to Find.


The Find pane opens.

3. Select an option from the drop-down menu to specify a field to search. To
search all fields, leave the option as All Fields. You can search the Partition
Name field and the Description field, but cannot use the # Endpoints field in
your search.

4. Enter the text for which to search.

You can enter full words, or only a few characters.


5. Click Next to move to the next row matching your criteria. Click Prev to move
to the previous row that matches your criteria.

View Partition Branch Details

The Partition Details page provides additional information about a partition. This
information includes which users are assigned the Partition Policy Manager and
Partition Reporter roles for the partition, as well as the policies in place on the
selected partition.

To view the details for a partition


1. Click Maintain, Policies, Policies and Partitions.

The Partition Assignment Tree opens displaying a list of defined partitions.

2. Select a partition or branch of a partition and click Details.


The Details page opens for that partition. To close this page, click Close.

In the Branch Information pane, the Partition Details page displays the following
information about each partition or branch:

Branch Name

Lists the name of the branch or partition.


Description
Lists the description given to the branch or partition.

Parent Branch
Lists the parent partition or branch of the selected branch. This field only
appears if you select a branch.


Parent Subdivision Type
Lists what type of subdivision was used to create this branch. This field only
appears if you select a branch.

Definition of Branch
Lists the value used to divide this branch. This field only appears if you select
a branch.

The remaining tables on the page display information about the users and
policies assigned to this partition. These tables display the following information:

Policy Managers
This table displays information about the policy managers assigned to this
partition. The table displays the following information:

User Name
Lists the user name for this specific user.
Global

Lists if the manager is a Global Policy Manager.

Partition
Lists if the manager is a Partition Policy Manager.

Locked Policy Tree?
Lists whether the policy manager can lock the tree.

Reporters
This table displays information about the Reporters assigned to this
partition. The table displays the following information:

User Name
Lists the user name for this specific user.

Global
Lists whether the Reporter is a global reporter.

Partition
Lists whether the Reporter is assigned to only the partition level.

Locked Policy Trees?
Lists whether the reporter can lock the policy trees.


Policies
This table displays information about the policies assigned to this partition.
The table displays the following information:

Policy Type
Lists the policy type. Expand the list to show the individual
policies beneath it.
Usage Count
Lists the total number of times the policy is used.

# Endpoints
Lists the total number of endpoints that this policy is assigned to on this
partition.

Lock the Partition Assignment Tree

When you work on the Partition Assignment Tree, you must lock the tree before
you can create new partitions, subdivide branches, edit existing partitions and
branches, or delete existing partitions or branches. Only one user can lock the
Partition Assignment Tree at a time. This locking prevents other users from
making changes to the Partition Assignment Tree that would conflict with your
changes.

To lock the Partition Assignment Tree


1. Click Maintain, Policies, Policies and Partitions.

The Partition Assignment Tree opens displaying a list of defined partitions.


2. Click Lock.

The Partition Assignment Tree is locked until you click Unlock or apply
changes.

Once you have locked the Partition Assignment Tree, only you can make changes
until you unlock the tree or a user with the appropriate privileges unlocks the
tree from the Locked Tree Assignment page.

More information:

Manage Locked Trees (see page 218)


Lock the Policy Assignment Tree (see page 201)


Create or Edit a Partition Branch

Partition branches let you divide the Managed Endpoints root of the Partition
Assignment Tree into smaller groups. You can subdivide branches using the
following methods:
By IP Address
You can specify IP addresses individually or by a range on the Branch
Properties page.

By Endpoint Name
You can specify the exact name of the endpoint, or enter a range of
endpoints using a wildcard.

By Platform
You can divide the branch based on the operating system found on the
endpoint.

By Active Directory Tree
You can use your Active Directory Tree to create branches.

By Custom Variable
You must specify the name, operator, and value used for the custom
variable. Branches can be divided based on a CA-provided variable or a
custom variable that you define. For example, using regedit you might
create a variable named Oracle whose value is set to 1. You would then
define the branch with a custom variable name of Oracle, an Operator of =,
and a value of 1. All endpoints with this variable and value are placed into
this partition.
You can use either = or != as the Operator.
To create a custom variable, use regedit to add an entry under the following
registry key:

\HKEY_LOCAL_MACHINE\SOFTWARE\CA\TD\CustomVariables
Custom Variable Name
The Custom Variable Name is case-insensitive, and may contain only a-z, 0-9,
'-', '_', or '.'.
Custom Variable Value
The Custom Variable Value can contain any character except '!', '=', or ','.


You can create smaller groups of branches for each partition branch. You can
only create new partition branches by subdividing the Managed Endpoints root
branch. If you select a child branch and click New, you instead subdivide that
child branch.

To create a partition branch

1. Click Maintain, Policies, Policies and Partitions.


The Partition Assignment Tree opens displaying a list of defined partitions.
2. Click Lock.

Note: You must lock the Partition Assignment Tree to create a partition
branch.

3. Select the Managed Endpoints root branch and click New.

The Branch Properties page opens.

4. Enter a name and description for this new partition branch.

5. Choose one of the branch subdivision options and provide the subdivision
details.

6. Click Save.
The Branch Properties page closes, returning you to the Partition Assignment
Tree.

7. Review the changes, identified in italic, and make any adjustments or
continue creating branches.

8. Once you created and adjusted all the branches, click Apply.
The new branches are created. Your lock is removed and the changes are
saved.

Editing a partition branch lets you rename the branch, change the description of
the branch, or change the subdivision details. You cannot switch how a branch is
subdivided.

To edit a partition branch

1. Click Maintain, Policies, Policies and Partitions.


The Partition Assignment Tree opens displaying a list of defined partitions.

2. Click Lock.
Note: You must lock the Partition Assignment Tree to be able to edit a
branch.

3. Select the branch to edit and click Edit.


The Branch Properties page of that branch opens.

4. Edit the details as necessary. You cannot switch how a branch is subdivided.


5. Click Save.
The Branch Properties page closes, returning you to the Partition Assignment
Tree.

6. Click Apply.
Your changes are saved and your lock is removed.

Subdivide Partition Branches

After creating a partition branch, you may want to subdivide that branch into
smaller branches. Branches can be subdivided based on IP Address, endpoint's
name, the endpoint's operating system platform, your active directory tree, or
by a custom variable you assign. Once you have subdivided a branch based on a
selected criterion, all further subdivisions of that branch must use the same
criterion.

For example, you could create three new branches for a partition branch all
based on endpoint names. However, you could not subdivide a partition branch
into two branches based on platform and one branch based on endpoint name.
The advantage of this is that once you have subdivided a branch, creating further
branches is simplified.

When subdividing a new partition branch, you always create two new branches,
one branch based on the criterion you entered, the other covering all endpoints
that do not match the criterion you entered. After creating this initial split, you
can edit either branch as necessary or subdivide the branch further, creating new
branches.

To subdivide a new partition branch

1. Click Policies in the Maintain pane.

The Policy menu expands.


2. Click Policies and Partitions.

The Partition Assignment Tree opens displaying a list of defined partitions.

3. Click Lock.
Note: You must lock the Partition Assignment Tree to be able to subdivide a
partition branch.

4. Select the partition branch to subdivide and click New.


The Branch Subdivision page opens.

Note: The New button performs various functions, with the function
performed dependent on the branch you select. The only way to subdivide a
partition branch is by first selecting that partition branch, then clicking New.


5. Select the method used to subdivide the branch.


The method you select impacts what values you enter on the next page.

6. Click Next.
The Branch Properties page opens.

7. Enter a name and description for this new subdivision and enter the
subdivision criteria.
The values you enter depend on the method of subdivision you selected.

8. Click Next.

The Branch Properties page changes, letting you now enter the details for
the second subdivision.

9. (Optional) Enter the name and description for the second subdivision.
Alternatively, you can leave this information as is and edit this information
later.

10. Click Save.

The Branch Properties page closes, returning you to the Partition Assignment
Tree.

11. Click Apply.

The new branch partition is created. Your lock is lost and must be reapplied
to make additional changes.

To subdivide an existing partition branch

1. Click Policies in the Maintain pane.


The Policy menu expands.
2. Click Policies and Partitions.

The Partition Assignment Tree opens displaying a list of defined partitions.

3. Click Lock.
Note: You must lock the Partition Assignment Tree to be able to subdivide a
partition branch.

4. Select the partition branch to subdivide and click New.


The Branch Properties page opens.

Note: The New button performs various functions, with the function
performed dependent on the branch you select. The only way to subdivide a
partition branch is by first selecting that partition branch, then clicking New.

5. Enter a name and description for this new subdivision and enter the
subdivision criteria.

The values you enter depend on the method of subdivision you selected for
the first subdivision you created for this partition branch; all further
subdivisions of that branch must use the same method.

6. Click Save.
The Branch Properties page closes, returning you to the Partition Assignment
Tree.

7. Click Apply.
The new branch partition is created. Your lock is lost and must be reapplied
to make additional changes.

Using the Branch Subdivision Page

The Branch Subdivision page lets you specify how a branch from either the
Partition Assignment Tree or Policy Assignment tree is divided. You can access
this page when either dividing one of those branches or editing one of those
branches. This page displays the branch name and description of the branch that
is subdivided.

You can subdivide branches using the following methods:

IP Address
Subdivides the branch by IP address. A branch can be defined by a single IP
address string or by a list of addresses. In addition, each string can point to
a single address, or, using wild cards or other notations, to a range of
addresses. This option supports trailing wild cards, Classless Inter-Domain
Routing (CIDR) notation, address and netmask notation, and IPv6 notation
to specify a subnet range.

Example                        Explanation

127.0.0.1                      A single IP address

141.89.*.* or 141.89.*         A range of IP addresses using trailing wild
                               cards. Embedded wild cards, such as
                               141.*.89.*, are not permitted.

121.23.4.0/255.255.255.0       A range of IP addresses using an address
                               and a netmask

192.168.0.0/16 (IPv4)          A range of IPv4 or IPv6 addresses using
2001:db8::/32 (IPv6)           CIDR notation

2001:db8:85a3::8a2e:370:7334   A single address in IPv6 notation


Endpoint Name
Subdivides the branch using the names of the managed endpoints. You can
use an asterisk (*) wild-card to represent multiple characters, or a question
mark (?) to represent a single character. For example, an organization based
in Australia might use "AUS" at the beginning of each endpoint name.
Entering AUS* places all endpoints located in Australia into this branch.

Platform
Subdivides the branch based on operating system type. Using this category
you can create a partition for all endpoints running one or more specific
operating systems. For example if you chose Windows 2008 Server, you
could create a partition for all the servers in your organization running this
operating system.

Active Directory

Subdivides the branch using your existing Active Directory structure. If you
are currently using Active Directory to manage the endpoints in your
organization, you can select any of the existing Active Directory structures
and use them to create one or more partitions in the Partition Assignment
Tree or branches in a Policy Assignment Tree. When you use this option, the
Management Console displays a representation of your Active Directory tree.
You only need to select the objects to use. You must first specify your Active
Directory instance using the Directory Services page under Configure,
Environment.
Custom Variable
Subdivides the branch based on a CA-provided variable or a custom variable
that you define on your endpoint.

For example, if you create a variable named ORACLE and set its value to 1,
and you then define a branch with the custom variable ORACLE and value of
1, then all endpoints with this variable and value would be placed into this
branch.

If more than one custom variable is defined for a branch, an endpoint only
needs to match one of the custom variables to be assigned to the branch.

To help identify specific components of CA Total Defense, CA pre-defines the
following variables with a value of 1 on endpoints with the indicated
component:
■ TDCLIENT for managed endpoints
■ TDMGMTSRV for the Management Server
■ TDMGMTPROXY for a Management Server Proxy
■ TDEVENTSRV for the Event Server
■ TDEVENTPROXY for an Event Server Proxy
■ TDREPORTSRV for the Report Server
■ TDGWMSEXCH for Groupware Exchange
■ TDGWMSSP for Groupware Microsoft SharePoint
■ TDGWLOTUSDOM for Groupware Lotus Domino
■ TDGWNETAPP for Groupware NetApp
■ TDCAGS for CA Gateway Security


To create a custom variable, use regedit to modify the following registry key:
\HKEY_LOCAL_MACHINE\SOFTWARE\CA\TD\CustomVariables

Adding a new entry under this key with a specific value defines a custom
variable with the same name and value as the registry entry.

More information:

Subdivide Partition Branches (see page 194)
Manage Policy Assignment Branches (see page 203)
Using Active Directory Servers (see page 560)

Using the Branch Properties Page

The Branch Properties page lets you enter the name, description, and details of
how a branch is subdivided. You access this page after selecting how the branch
is subdivided when creating or editing branches from either the Partition
Assignment Tree or Policy Assignment Tree.

Depending on how you subdivide branches, you must enter the following:

IP Address
Subdivides the branch by IP address. A branch can be defined by a single IP
address string or by a list of addresses. In addition, each string can point to
a single address, or, using wild cards or other notations, to a range of
addresses. This option supports trailing wild cards, Classless Inter-Domain
Routing (CIDR) notation, address and netmask notation, and IPv6 notation
to specify a subnet range.

Example                         Explanation
127.0.0.1                       A single IP address
141.89.*.*                      A range of IP addresses using trailing wild cards.
141.89.*                        Embedded wild cards, such as 141.*.89.*, are not
                                permitted.
121.23.4.0/255.255.255.0        A range of IP addresses using an address and a
                                netmask
192.168.0.0/16 (IPv4)           A range of IPv4 or IPv6 addresses using CIDR
2001:db8::/32 (IPv6)            notation
2001:db8:85a3::8a2e:370:7334    A single address in IPv6 notation

Endpoint Name
Subdivides the branch using the names of the managed endpoints. You can
use an asterisk (*) wild-card to represent multiple characters, or a question
mark (?) to represent a single character. For example, an organization based
in Australia might use "AUS" at the beginning of each endpoint name.
Entering AUS* places all endpoints located in Australia into this branch.

Platform
Subdivides the branch based on operating system type. Using this category
you can create a partition for all endpoints running one or more specific
operating systems. For example if you chose Windows 2008 Server, you
could create a partition for all the servers in your organization running this
operating system.

Active Directory

Subdivides the branch using your existing Active Directory structure. If you
are currently using Active Directory to manage the endpoints in your
organization, you can select any of the existing Active Directory structures
and use them to create one or more partitions in the Partition Assignment
Tree or branches in a Policy Assignment Tree. When you use this option, the
Management Console displays a representation of your Active Directory tree.
You only need to select the objects to use. You must first specify your Active
Directory instance using the Directory Services page under Configure,
Environment.

Custom Variable
Subdivides the branch based on a CA-provided variable or a custom variable
that you define on your endpoint.

For example, if you create a variable named ORACLE and set its value to 1,
and you then define a branch with the custom variable ORACLE and value of
1, then all endpoints with this variable and value would be placed into this
branch.

If more than one custom variable is defined for a branch, an endpoint only
needs to match one of the custom variables to be assigned to the branch.

To help identify specific components of CA Total Defense, CA pre-defines the
following variables with a value of 1 on endpoints with the indicated
component:
■ TDCLIENT for managed endpoints
■ TDMGMTSRV for the Management Server
■ TDMGMTPROXY for a Management Server Proxy
■ TDEVENTSRV for the Event Server
■ TDEVENTPROXY for an Event Server Proxy
■ TDREPORTSRV for the Report Server
■ TDGWMSEXCH for Groupware Exchange
■ TDGWMSSP for Groupware Microsoft SharePoint
■ TDGWLOTUSDOM for Groupware Lotus Domino
■ TDGWNETAPP for Groupware NetApp
■ TDCAGS for CA Gateway Security

To create a custom variable, use regedit to modify the following registry key:
\HKEY_LOCAL_MACHINE\SOFTWARE\CA\TD\CustomVariables

Adding a new entry under this key with a specific value defines a custom
variable with the same name and value as the registry entry.
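The subdivision rules described on the Branch Subdivision and Branch Properties pages (the IP-address notations, the asterisk and question-mark wild cards in endpoint names, and custom variables where one matching variable is enough) are easy to misjudge once a tree has several branches. The Python script below is an added example, not code from CA Total Defense: it applies those documented rules to constructed sample endpoints so you can predict which branch an endpoint will land in before you lock the tree and edit it. The evaluation order (first matching branch wins, everything else falls into Other Endpoints), case-insensitive endpoint-name matching, the sample tree and the sample endpoints are assumptions; on a real endpoint the custom-variable values would come from the CustomVariables registry key described above.

```python
"""Branch-membership evaluator for Partition / Policy Assignment Tree branches.

Added example, not part of CA Total Defense. It reproduces the documented
subdivision rules (IP notations, endpoint-name wild cards, custom variables)
so you can predict where an endpoint lands. First-match evaluation order and
the sample data are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field


def ip_entry_matches(entry: str, addr: str) -> bool:
    """True if `addr` is covered by one IP-address string of a branch.

    Documented notations: single address, trailing wild cards (141.89.*.*
    or 141.89.*), address/netmask, CIDR (IPv4 or IPv6) and plain IPv6.
    Embedded wild cards such as 141.*.89.* are rejected.
    """
    ip = ipaddress.ip_address(addr)
    entry = entry.strip()
    if "*" in entry:
        octets = entry.split(".")
        first = octets.index("*")
        # Only trailing wild cards: once a '*' appears nothing but '*' may follow.
        # A bare '*' with no fixed octet is treated as invalid here (assumption).
        if first == 0 or any(o != "*" for o in octets[first:]):
            raise ValueError(f"embedded wild cards are not permitted: {entry}")
        if ip.version != 4:
            return False
        fixed = octets[:first]
        net = ipaddress.ip_network(
            ".".join(fixed + ["0"] * (4 - len(fixed))) + f"/{8 * len(fixed)}"
        )
        return ip in net
    if "/" in entry:
        # ip_network accepts both CIDR (192.168.0.0/16, 2001:db8::/32) and
        # address/netmask (121.23.4.0/255.255.255.0); strict=False tolerates host bits.
        net = ipaddress.ip_network(entry, strict=False)
        return ip.version == net.version and ip in net
    return ip == ipaddress.ip_address(entry)


def name_pattern_matches(pattern: str, endpoint_name: str) -> bool:
    """'*' matches any run of characters, '?' exactly one; case-insensitive (assumption)."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, endpoint_name, re.IGNORECASE) is not None


def custom_variables_match(required: dict, endpoint_vars: dict) -> bool:
    """OR semantics as documented: one matching name/value pair is enough."""
    return any(endpoint_vars.get(name) == value for name, value in required.items())


@dataclass
class Branch:
    name: str
    kind: str                                       # "ip", "endpoint_name" or "custom_variable"
    criteria: list = field(default_factory=list)    # IP strings or name patterns
    variables: dict = field(default_factory=dict)   # custom-variable name -> value


@dataclass
class Endpoint:
    name: str
    ip: str
    variables: dict = field(default_factory=dict)   # values under HKLM\SOFTWARE\CA\TD\CustomVariables


def branch_matches(branch: Branch, ep: Endpoint) -> bool:
    if branch.kind == "ip":
        return any(ip_entry_matches(e, ep.ip) for e in branch.criteria)
    if branch.kind == "endpoint_name":
        return any(name_pattern_matches(p, ep.name) for p in branch.criteria)
    if branch.kind == "custom_variable":
        return custom_variables_match(branch.variables, ep.variables)
    raise ValueError(f"unknown subdivision method: {branch.kind}")


def assign_branch(branches: list, ep: Endpoint) -> str:
    """First branch whose criteria match wins; otherwise the catch-all branch."""
    for b in branches:
        if branch_matches(b, ep):
            return b.name
    return "Other Endpoints"


# Constructed sample tree (not from the guide).
SAMPLE_BRANCHES = [
    Branch("Management servers", "custom_variable", variables={"TDMGMTSRV": "1", "TDMGMTPROXY": "1"}),
    Branch("Oracle hosts", "custom_variable", variables={"ORACLE": "1"}),
    Branch("Australia", "endpoint_name", criteria=["AUS*"]),
    Branch("Lab subnets", "ip", criteria=["141.89.*", "121.23.4.0/255.255.255.0", "2001:db8::/32"]),
]

if __name__ == "__main__":
    for ep in [
        Endpoint("AUS-WS-0042", "10.1.2.3"),
        Endpoint("LON-DB-01", "10.9.9.9", {"ORACLE": "1"}),
        Endpoint("lab-v6", "2001:db8:85a3::8a2e:370:7334"),
        Endpoint("proxy01", "121.23.4.77", {"TDMGMTPROXY": "1"}),
        Endpoint("stray", "192.0.2.10"),
    ]:
        print(f"{ep.name:12} {ep.ip:30} -> {assign_branch(SAMPLE_BRANCHES, ep)}")
```

Running the script prints the branch for each sample endpoint. One point the evaluator makes visible: custom variables are asserted by the endpoint itself. Anyone with write access to HKEY_LOCAL_MACHINE on a managed machine (that is, a local administrator) can set ORACLE=1 or TDMGMTSRV=1 and move that machine into another branch, and therefore under another policy. Treat custom-variable branches as a grouping convenience rather than a security boundary; Active Directory placement, which is controlled on the domain side rather than on the endpoint, is harder for a local user to change.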

More information:

Subdivide Partition Branches (see page 194)
Manage Policy Assignment Branches (see page 203)
Using Active Directory Servers (see page 560)

Manage Partition Branches

In addition to creating and editing partition branches, you can delete branches.

To delete a partition branch

1. Click Maintain, Policies, Policies and Partitions.

The Partition Assignment Tree opens displaying a list of defined partitions.


2. Click Lock.
Note: You must lock the Partition Assignment Tree to be able to delete a
branch.


3. Select the branch to delete and click Delete.


A confirmation window opens.

4. Click OK and click Apply.

Your changes are saved. Your lock is released and must be reapplied to make
additional changes.

More information:

Using the Branch Subdivision Page (see page 196)
Using the Branch Properties Page (see page 198)
Manage Policy Assignment Branches (see page 203)

Policy Assignment Tree


This section contains procedures related to managing the Policy Assignment
Trees.

Lock the Policy Assignment Tree

When you work on a Policy Assignment Tree, you must first lock the tree before
you can create new branches, edit or delete existing branches, or assign policies.
Only one user can lock the Policy Assignment Tree at a time. This lock prevents
other users from making changes to the tree that would conflict with your
changes. Once you have locked the Policy Assignment Tree, only you can make
changes until you unlock the tree or a user with the appropriate privileges
unlocks the tree from the Locked Tree Assignment page.

To lock the Policy Assignment Tree

1. Click Maintain, Policies, and then Policies and Partitions.


The Partition Assignment Tree opens displaying a list of defined partitions.

2. Select a Partition branch.


Note: You must select a partition, even if it is the Managed Endpoints root
branch.

3. Select the Policy Category of the tree to view.

4. Select the policy whose assignment tree you want to view.


5. Click Manage Policies.


The Policy Assignment Tree window opens for that specific policy type of that
partition or branch.

6. Click Lock.
The Policy Assignment Tree is locked until you click Unlock or Apply to save
your changes.

More information:

Lock the Partition Assignment Tree (see page 191)
Manage Locked Trees (see page 218)

Assign Policies

You assign policies to branches in the Policy Assignment Tree to protect
endpoints that match that particular branch.

To assign a policy

1. Click Maintain, Policies, Policies and Partitions.

The Partition Assignment Tree opens and displays a list of currently defined
partitions.
2. Select the partition containing the Policy Assignment Trees to view or
modify.

You must explicitly select a partition, even if it is the Managed Endpoints root
partition.

3. Select the Policy Category followed by the policy to assign, and then click
Manage Policies.

The Policy Assignment Tree window opens for that specific policy type for
that partition.

4. Click Lock.

The Policy Assignment Tree is locked until you click Unlock or Apply.
Note: You must lock the Policy Assignment Tree before you can assign
policies. Locking the tree prevents other users from making changes to the
tree that would conflict with your changes.

5. Select the branch to which you want the policy assigned, select the policy to
assign, and click Assign.

Alternatively, you can drag a policy from the Policy List and drop it onto the
target branch.


6. Click Apply.
You are prompted to confirm the operation.

7. Click Apply Changes.


The Management Server saves the policy assignment to the database.
The next time an endpoint that is assigned to the modified branch phones
home, it receives the newly assigned policy.

Manage Policy Assignment Branches

Policy Assignment Tree branches let you assign separate policies to different
groups of endpoints. You can create new branches, edit existing branches, and
delete branches as necessary.

To create a Policy Assignment Tree branch

1. Click Maintain, Policies, Policies and Partitions.

The Partition Assignment Tree opens, displaying a list of defined partitions.


2. Select the Partition to manage.
You must select a partition, even if it is the Managed Endpoints root partition.

3. Specify the Policy Category, select the policy to manage, and click Manage
Policies.
The Policy Assignment Tree window opens for that specific policy type of that
partition or branch.

4. Click Lock.
The Policy Assignment Tree is locked. The lock remains in place until you
click Unlock or apply your changes.

Note: You must lock the Policy Assignment Tree before you can assign
policies. Locking the tree prevents other users from making changes to the
tree that would conflict with your changes.

5. Click Branch and select New Branch from the drop-down menu.
The Branch Subdivision page opens.

6. Select the method used to subdivide the branch, and click Next.

Note: The method you select impacts the values you enter on the next page.
The Branch Properties page opens.

7. Enter a name and description for the new branch, and enter the subdivision
criteria.
The values you enter depend on the method of subdivision you selected.


8. Click Save.
The Branch Properties page closes, returning you to the Policy Assignment
Tree.

9. Click Apply.
You are prompted to confirm your changes.

10. Click Apply Changes.


The new branch is created, and the lock is removed.

To edit a Policy Assignment Tree branch

1. Click Maintain, Policies, Policies and Partitions.


The Partition Assignment Tree opens, displaying a list of defined partitions.

2. Select the Partition to manage.


You must select a partition, even if it is the Managed Endpoints root partition.

3. Specify the Policy Category, select the policy to manage, and click Manage
Policies.

The Policy Assignment Tree window opens for that specific policy type of that
partition or branch.

4. Click Lock.
The Policy Assignment Tree is locked. The lock remains in place until you
click Unlock or apply your changes.

Note: You must lock the Policy Assignment Tree before you can assign
policies. Locking the tree prevents other users from making changes to the
tree that would conflict with your changes.

5. Select the Branch to edit.

Note: For the last branch, which holds the endpoints that do not match any
other branch, you can edit only the name and description.

6. Click Branch to open a drop-down menu, and click Edit Branch.

The Branch Subdivision page opens for the specified branch.

7. Edit the data as necessary and click Save.


The Branch Properties page closes, returning you to the Policy Assignment
Tree.

8. Click Apply.
You are prompted to confirm your changes.

9. Click Apply Changes.


The changes you made are saved and stored, and the lock is removed.


To delete a Policy Assignment Tree branch


1. Click Maintain, Policies, Policies and Partitions.

The Partition Assignment Tree opens, displaying a list of defined partitions.


2. Select the Partition to manage.
You must select a partition, even if it is the Managed Endpoints root partition.

3. Specify the Policy Category, select the policy to manage, and click Manage
Policies.
The Policy Assignment Tree window opens for that specific policy type of that
partition or branch.

4. Click Lock.
The Policy Assignment Tree is locked. The lock remains in place until you
click Unlock or apply your changes.
Note: You must lock the Policy Assignment Tree before you can assign
policies. Locking the tree prevents other users from making changes to the
tree that would conflict with your changes.

5. Select the branch to delete.


Note: You cannot delete the Other Endpoints branch. (You may have
changed the name of the Other Endpoints branch to something more
descriptive that fits your organization.) The only way to delete the Other
Endpoints branch is to delete all other branches, leaving only the root
branch. Once you delete the last branch, the Other Endpoints branch is also
deleted.

6. Click Delete and click Apply.


You are prompted to confirm the deletion.
7. Click Apply Changes.

The changes you made are saved and the lock is removed.

More information:

Using the Branch Subdivision Page (see page 196)


Using the Branch Properties Page (see page 198)
Manage Partition Branches (see page 200)


Common Tree Procedures

Manage Server Change History

The Management Server records any changes to the Partition Assignment Tree,
Policy Assignment Trees, policies, and Advanced Policy Components. These
records are referred to as the Change History, which you can view at any time. If
you see incorrect behavior on one of your endpoints, such as the incorrect
treatment of a detected infection, you can review all policy changes. You can also
review the Change History to ensure other users are not making unnecessary or
unplanned changes. If you have the Administrator or Audit Archivist role, you can
specify how long the Change History is kept.

You can view Change History for the following areas:

Partition Assignment Tree


Displays changes made to partitions including when a partition is created or
subdivided.
Policy Assignment Tree
Displays changes to the Policy Assignment Trees, including when a new tree
is created or locked.

Policies
Displays changes made to the policies such as when an existing policy is
modified or when a new policy is created.

Advanced Policy Components

Displays changes made to the Advanced Policy Components which are used
to build all of the Proactive Protection policies.


Set Change History Parameters

The Change History has one parameter, which controls how long the change
history records are retained. Any record that is older than the specified value is
deleted. Keeping a large set of change history records by setting a high value for
this parameter ensures a greater record of changes but increases the storage
requirements for these records. By default, change history records are kept for
30 days. The lowest value you can set is 8 days, meaning at a minimum records
are retained for 8 days.

To set the number of days change history records are retained

1. Click Policies in the Maintain pane.


The Policy menu expands.

2. Click Change History.


The Change History Configuration page opens.

3. Enter the number of days to retain change history records in the Number of
Days to Retain Change History Records field.

4. Click Apply.
The setting is saved.

To discard changes you made before clicking Apply, click Discard. Discard
restores the settings currently saved in the database.
If you make changes, click Apply, then make additional changes, the Discard
function only removes the additional changes, not those you already applied.

View Partition Assignment Tree Change History

The Partition Assignment Tree Change History page lets you see all the past
saved changes for the various partitions.

To view the Partition Assignment Tree Change History page

1. Click Policies in the Maintain pane.


The Policy menu expands.

2. Expand Change History by clicking the arrow next to the link.

The Change History link expands, displaying links to each specific change
history page.

3. Click Partition Assignment Tree.

The Partition Assignment Tree Change History page opens, displaying the
latest changes first.


The Change History table for Partition Assignment Trees displays the following
information:

Time
Lists the time when this change history record was created.
User

Lists the user who made the change resulting in the change history record.

Partition
Lists the partition affected by this change.

Action
Lists the type of change that was made.

Additionally, from this page you can view further details concerning some of the
changes, filter the change history view to limit the information displayed to suit
your needs, and navigate through the pages of change history for this area.

To view change history details

Note: You may only view details on changes with an action of Update.

1. Expand any row in the change history table that has an Action of Update.

2. Select an item.
3. Click Details.
The details window opens displaying what change was made to the item.

To filter the change history view

1. Click Filter to open the Filter pane.

2. Specify the filtering criteria. You can select from the following options:
Partition
Select this option and specify the partition to display only those change
history records for that partition.
Date
Select this option and specify a date range to display only those change
history records from within that date range. Enter only a To date to
display all records created before that date. Enter only a From date to
display all records created after that date. Use the following procedure to
clear a date field:

a. Click the field to be cleared to bring up the calendar.


b. Hold down the Ctrl key and click the currently selected date on the
calendar to clear the date field.


User
Select this option and specify a user name to list only those changes
made by that user.

Action
Select this option, then specify one of the following actions to only find
change records matching that action:
■ Create: Lists all change records where a partition was created.
■ Update: Lists all change records where a partition was updated.
■ Delete: Lists all change records where a partition was deleted.
■ Lock: Lists all change records where a partition was locked.
■ Unlock: Lists all change records where a partition was unlocked.

3. Click Submit.
The change history table only displays those records that match the filter
criteria.

To navigate through the change history

You can navigate through the listing of change history records using the
arrows at the bottom of the page.

View Policy Assignment Tree Change History

The Policy Assignment Tree Change History page lets you see all the past saved
changes for the various policy assignment trees.

To view the Policy Assignment Tree Change History page

1. Click Policies in the Maintain pane.


The Policy menu expands.
2. Expand Change History by clicking the arrow next to the link.

The Change History link expands, displaying links to each specific change
history page.
3. Click Policy Assignment Tree.

The Policy Assignment Tree Change History page opens, displaying the latest
changes first.


The Change History table for Policy Assignment Trees displays the following
information:

Time
Lists the time when this change history record was created.
User

Lists the user who made the change resulting in the change history record.
Partition
Lists the partition affected by this change.

Policy Type
Lists the policy affected by this change.

Branch
Lists the branch that holds the particular policy.
Action

Lists the type of change that was made.

Additionally, from this page you can view further details concerning some of the
changes, filter the change history view to limit the information displayed to suit
your needs, and navigate through the pages of change history for this area.

To view change history details

Note: You may only view details on changes with an action of Update.

1. Expand any row in the change history table that has an Action of Update.
2. Select an item.

3. Click Details.
The details window opens displaying what change was made to the item.


To filter the change history view


1. Click Filter to open the Filter pane.

2. Specify the filter criteria by selecting Filter next to a filter category and
specifying the filter criteria. You can select from the following filter
categories:

Partition
Enable Filter for this category and select the partition from the
drop-down menu to view only those change history records for that
partition.

Policy Type
Enable Filter for this category and select the policy type from the
drop-down menu to view only those change history records for that
policy type.

Date
Select this option and specify a date range to display only those change
history records from within that date range. Enter only a To date to
display all records created before that date. Enter only a From date to
display all records created after that date. Use the following procedure to
clear a date field:

a. Click the field to be cleared to bring up the calendar.


b. Hold down the Ctrl key and click the currently selected date in the
calendar to clear the date field.

Branch
Enable Filter for this category and enter the name of the branch to view
all change history records for that branch. You may use wildcards to find
all change history records for branches whose name contains the string
you entered. Capitalization does not matter.


User
Enable Filter for this category and enter the user name to view all change
history records for changes made by that user. You must enter the full
username; you cannot use wildcards. Capitalization does not matter.
Action

Enable Filter for this category, then use the drop-down menu to select
one of the following actions to find change history records matching that
action:

■ Create: Lists all change records where a tree or branch was created.
■ Update: Lists all change records where a tree or branch was updated.
■ Delete: Lists all change records where a tree or branch was deleted.
■ Lock: Lists all change records where a tree or branch was locked.
■ Unlock: Lists all change records where a tree or branch was unlocked.

3. Click Submit.
The change history table only displays those records that match the filter
criteria. When specifying the filter criteria, you can use as many of the filter
categories as you need. The Management Console displays the results that
match all the filter criteria you enter. So if you specify both a date range and
an action, the Management Console displays only those change history
records for that action, which occur during the date range.

To stop filtering based on a category, set that category to All and click Submit.

To navigate through the change history

You can navigate through the listing of change history records using the arrows
at the bottom of the page.


View Policies Change History

The Policies Change History page lets you see all the past saved changes for the
policies.

To view the Policy Change History page

1. Click Policies in the Maintain pane.


The Policy menu expands.
2. Expand Change History by clicking the arrow next to the link.

The Change History link expands, displaying links to each specific change
history page.

3. Click Policies.

The Policies Change History page opens, displaying the latest changes first.

The Change History table for Policies displays the following information:

Time

Lists the time when this change history record was created.
User

Lists the user who made the change resulting in the change history record.
Partition
Lists the partition affected by this change.

Policy Type
Lists the policy affected by this change.
Policy

Lists the name of the specific policy that was changed.


Action
Lists the type of change that was made.


Additionally, from this page you can view further details concerning some of the
changes, filter the change history view to limit the information displayed to suit
your needs, and navigate through the pages of change history for this area.

To view change history details

Note: You may only view details on changes with an action of Update.

1. Expand any row in the change history table that has an Action of Update.
2. Select an item.

3. Click Details.
The details window opens displaying what change was made to the item.

To filter the change history view

1. Click Filter to open the Filter pane.


2. Specify the filter criteria by selecting Filter next to a filter category and
specifying the filter criteria. You can select from the following filter
categories:
Partition
Enable Filter for this category and select the partition from the
drop-down menu to view only those change history records for that
partition.

Policy Type
Enable Filter for this category and select the policy type from the
drop-down menu to view only those change history records for that
policy type.

Date

Select this option and specify a date range to display only those change
history records from within that date range. Enter only a To date to
display all records created before that date. Enter only a From date to
display all records created after that date. Use the following procedure to
clear a date field:
a. Click the field to be cleared to bring up the calendar.
b. Hold down the Ctrl key and click the currently selected date in the
calendar to clear the date field.

Policy
Enable Filter for this category and enter the name of the policy to view all
change history records for that policy. You may use wildcards to find all
change history records for policies whose name contains the string you
entered. Capitalization does not matter.


User
Enable Filter for this category and enter the user name to view all change
history records for changes made by that user. You must enter the full
username; you cannot use wildcards. Capitalization does not matter.
Action

Enable Filter for this category, then use the drop-down menu to select
one of the following actions to find change history records matching that
action:

■ Create: Lists all change records where a policy was created.
■ Update: Lists all change records where a policy was updated.
■ Delete: Lists all change records where a policy was deleted.
■ Promote: Lists all change records where a policy was promoted from
partition specific to global.
■ Lock: Lists all change records where a policy was locked.
■ Unlock: Lists all change records where a policy was unlocked.

3. Click Submit.
The change history table only displays those records that match the filter
criteria. When specifying the filter criteria, you can use as many of the filter
categories as you need. The Management Console displays the results that
match all the filter criteria you enter. So if you specify both a date range and
an action, the Management Console displays only those change history
records for that action, which occur during the date range.

To stop filtering based on a category, set that category to All and click Submit.

To navigate through the change history

You can navigate through the listing of change history records using the arrows
at the bottom of the page.


View Advanced Policy Components Change History

The Advanced Policy Component Change History page lets you see all the past
saved changes for the various policy components used to build proactive
protection policies.

To view the Advanced Policy Component Change History page

1. Click Policies in the Maintain pane.


The Policy menu expands.

2. Expand Change History by clicking the arrow next to the link.


The Change History link expands, displaying links to each specific change
history page.

3. Click Advanced Policy Components.


The Advanced Policy Components Change History page opens, displaying the
latest changes first.

The Change History table for the policy components displays the following
information:
Time

Lists the time when this change history record was created.
User
Lists the user who made the change resulting in the change history record.

Partition
Lists the partition affected by this change.

Component Type

Lists the type of the component that was changed.


Component
Lists the name of the specific component that was changed.

Action
Lists the type of change that was made.


Additionally, from this page you can view further details concerning some of the
changes, filter the change history view to limit the information displayed to suit
your needs, and navigate through the pages of change history for this area.

To view change history details

Note: You may only view details on changes with an action of Update.

1. Expand any row in the change history table that has an Action of Update.
2. Select an item.

3. Click Details.
The details window opens displaying what change was made to the item.

To filter the change history view

1. Click Filter to open the Filter pane.


2. Specify the filter criteria by selecting Filter next to a filter category and
specifying the filter criteria. You can select from the following filter
categories:
Partition
Enable Filter for this category and select the partition from the
drop-down menu to view only those change history records for that
partition.

Component Type
Enable Filter for this category and select the component type from the
drop-down menu to view only those change history records for that
component type.

Date

Select this option and specify a date range to display only those change
history records from within that date range. Enter only a To date to
display all records created before that date. Enter only a From date to
display all records created after that date. Use the following procedure to
clear a date field:
a. Click the field to be cleared to bring up the calendar.
b. Hold down the Ctrl key and click the currently selected date in the
calendar to clear the date field.

Component
Enable Filter for this category and enter the name of the component to
view all change history records for that component. You may use
wildcards to find all change history records for components whose name
contains the string you entered. Capitalization does not matter.


User
Enable Filter for this category and enter the user name to view all change
history records for changes made by that user. You must enter the full
username; you cannot use wildcards. Capitalization does not matter.
Action

Enable Filter for this category, then use the drop-down menu to select
one of the following actions to find change history records matching that
action:

■ Create: Lists all change records where a component was created.
■ Update: Lists all change records where a component was updated.
■ Delete: Lists all change records where a component was deleted.
■ Promote: Lists all change records where a component was promoted
from partition specific to global.
■ Lock: Lists all change records where a component was locked.
■ Unlock: Lists all change records where a component was unlocked.

3. Click Submit.
The change history table only displays those records that match the filter
criteria. When specifying the filter criteria, you can use as many of the filter
categories as you need. The Management Console displays the results that
match all the filter criteria you enter. So if you specify both a date range and
an action, the Management Console displays only those change history
records for that action, which occur during the date range.

To stop filtering based on a category, set that category to All and click Submit.
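The filter semantics described above (every enabled category must match, the Component filter is a case-insensitive substring or wildcard match, the User filter is an exact case-insensitive match, and an open-ended date range is allowed) can be modelled directly. The following Python is an added example and not part of the product or this guide; the records, field names and function are constructed for illustration only.

```python
"""Change History filter semantics modelled in Python (added example, not
CA code). Records and field names are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ChangeRecord:
    partition: str
    component_type: str
    component: str
    user: str
    action: str          # Create, Update, Delete, Promote, Lock or Unlock
    when: datetime


def _component_matches(pattern: str, name: str) -> bool:
    """Component filter: case-insensitive; '*' and '?' act as wildcards,
    a plain string matches any component name that contains it."""
    p, n = pattern.lower(), name.lower()
    if any(ch in p for ch in "*?"):
        return fnmatchcase(n, p)
    return p in n


def filter_change_history(records: Iterable[ChangeRecord], *,
                          partition: Optional[str] = None,
                          component_type: Optional[str] = None,
                          date_from: Optional[datetime] = None,
                          date_to: Optional[datetime] = None,
                          component: Optional[str] = None,
                          user: Optional[str] = None,
                          action: Optional[str] = None) -> List[ChangeRecord]:
    """Return the records matching every criterion that is set.
    A criterion left at None corresponds to the 'All' setting."""
    out = []
    for r in records:
        if partition is not None and r.partition != partition:
            continue
        if component_type is not None and r.component_type != component_type:
            continue
        if date_from is not None and r.when < date_from:   # From only: on/after
            continue
        if date_to is not None and r.when > date_to:       # To only: on/before
            continue
        if component is not None and not _component_matches(component, r.component):
            continue
        # User: full name required, no wildcards, capitalization ignored.
        if user is not None and r.user.lower() != user.lower():
            continue
        if action is not None and r.action != action:
            continue
        out.append(r)
    return out


# Constructed sample records (not real product data).
SAMPLE = [
    ChangeRecord("Global", "Policy", "Phone Home Policy", "Admin", "Create",
                 datetime(2010, 3, 1, 9, 0)),
    ChangeRecord("Global", "Policy", "Phone Home Policy", "jsmith", "Update",
                 datetime(2010, 3, 2, 14, 30)),
    ChangeRecord("Finance", "Policy", "Content Update Policy", "jsmith", "Lock",
                 datetime(2010, 3, 3, 8, 15)),
    ChangeRecord("Finance", "Policy", "Content Update Policy", "JSmith", "Unlock",
                 datetime(2010, 3, 5, 17, 45)),
    ChangeRecord("Global", "Tree", "Partition Assignment Tree", "Admin", "Promote",
                 datetime(2010, 3, 6, 10, 0)),
]


def updates_in_range() -> List[ChangeRecord]:
    """Date range plus Action: only the Update records inside the range,
    because all enabled categories are combined with AND."""
    return filter_change_history(SAMPLE,
                                 date_from=datetime(2010, 3, 2),
                                 date_to=datetime(2010, 3, 4),
                                 action="Update")


if __name__ == "__main__":
    for rec in updates_in_range():
        print(rec.when, rec.user, rec.action, rec.component)
```

The `user` check is deliberately stricter than the `component` check: a partial user name returns nothing, which is the behaviour the console documents, so an auditor searching for a user must know the full account name.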

To navigate through the change history

You can navigate through the listing of change history records using the arrows
at the bottom of the page.

Manage Locked Trees

You must lock the Partition Assignment Tree or Policy Assignment Tree to ensure
that your changes do not conflict with changes made by another user. However,
a situation may occur in which a user has already locked a tree that is needed by
another user, and the current holder of the lock cannot return to unlock that tree
in a reasonable time frame. The Locked Trees page lets you review all the
currently locked trees and, if you have the necessary permission, unlock these
trees to make them available for work by another user.

Note: Only users assigned the Administrator or Global Policy Manager role can
unlock trees using this page.


To view all currently locked trees


1. Click Maintain, Policies.

The Policy menu expands.


2. Click Locked Trees.
The Locked Trees page opens displaying all currently locked trees.

Click Refresh if you think someone locked a tree after you opened this page,
and you want to see the updated list of locked trees.

The Partition Assignment Tree table shows the lock status of the Partition
Assignment Tree. This table displays the following information:
User Name

Lists the user who has locked the tree.


Locked At
Lists the time when the tree was locked.

Last Updated
Lists the time when the tree was last updated or changed.

The Policy Assignment Tree table lists the currently locked policy trees. You can
view this table by user name or partition. To change this view, simply select
either User Name or Partition in the View By field. Additionally, you can change
the sort order for the table based on User, Partition, and Policy Type.

This Policy Assignment Tree table displays the following information:

User Name/Partition/Policy
Lists the user who has locked this policy tree, followed by the partition where
the policy is located, then the specific Policy Assignment Tree. If you
change the View By option to Partition, this list displays the partition first,
followed by the user name.

Locked At

Lists the time when the tree was locked.


Last Updated
Lists the time when the tree was last updated or changed.


Sorting the Policy Assignment Tree table lets you set the sort order for the trees
displayed. For example, you could sort locked trees based on user name in
alphabetical order, and Policy Types in reverse alphabetical order so you could
easily find who has the Vulnerability Assessment Policy Assignment Tree locked.

To sort the Policy Assignment Tree table

1. Click the drop-down arrow in the first column.


2. Select an option to change the sorting order for that option. A down arrow
indicates alphabetical order; an up arrow indicates reverse alphabetical
order.

The table updates to the new sorting order.

You can use the Locked Trees page to unlock trees if you are an Administrator or
Global Policy Manager.

To unlock a locked tree

1. Select the tree to unlock.

2. Click Unlock.
The tree is unlocked if you have the necessary permissions.

You can also use the Locked Trees page to navigate to the locked assignment
trees.

To go to a locked tree

1. Select the tree to go to.


2. Click Go To Tree.
The Management Console displays the appropriate Policy or Partition
Assignment Tree page.

More information:

Lock the Partition Assignment Tree (see page 191)


Lock the Policy Assignment Tree (see page 201)


View Change History Details

If a Change History record contains an actual value change, you can view the
details of this change. The details list which value was changed, the old value
and the new value.

To view Change History details

1. Click Policies in the Maintain pane.


The Policy menu expands.

2. Expand Change History by clicking the arrow next to the link.


The Change History link expands, displaying links to each specific change
history page.

3. Click a Change History link.


The Change History page for the selected link opens, displaying the latest
changes for that link first.

4. Expand a Change History record.


The record expands, showing the various changes that were made. You can
only expand Change History records which record a value change.

5. Select one of the changes, then click Details.

The Change History details page for that change opens, displaying the
changed value.

In addition to all the information provided in the Change History table for the
record, the Change History Details page displays the following:
Item

Lists the name of the item which changed.

Old Value
Lists original value of the item prior to the change.

New Value
Lists new value of the item.

More information:

View Partition Assignment Tree Change History (see page 207)


View Policy Assignment Tree Change History (see page 209)
View Policies Change History (see page 213)
View Advanced Policy Components Change History (see page 216)


Policies
This section contains procedures related to global and partition-specific policies.

Manage Policies

When you select any Global Policy Definitions page, a list of pre-configured
policies created for that policy type appears. The following information is
displayed:

Policy Name
Lists the name given to the policy.
Description

Lists the description given to the policy.

Last Update Time

Lists the date and time when the policy was last updated, expressed in the
local time of the machine running the Management Server.
# of Assignments
Lists the number of Policy Assignment Tree branches to which the policy has
been assigned.

You can create a new policy, edit an existing policy, copy and paste a policy,
delete a policy from the Global Policy Definitions page, or find a policy. The
procedure for creating a new policy is unique to each policy and described in the
help for that policy page.

To edit an existing policy

1. Click Policies in the Maintain pane.


The Policy menu expands.
2. Click the policy category containing the policy you want to edit.

The policy category opens, containing the list of policies.

3. Click the policy type you want to edit.

The Global Policy Definition window for that specific policy opens, displaying
a list of available policies.

4. Select an existing policy by clicking on the policy and click Edit.


The policy editor page for that policy opens, displaying the General Settings
options.


To copy and paste an existing policy


1. Click Policies in the Maintain pane.

The Policy menu expands.


2. Click the policy category containing the policy you want to copy.
The policy category opens, containing the list of policies.

3. Click the policy type you want to copy.


The Global Policy Definition window for that specific policy opens, displaying
a list of available policies.

4. Select an existing policy by clicking on the policy, and click Copy.


A copy of the policy is stored on the clipboard.

5. (Optional) Browse to the location where you want to copy the new policy.
This step only applies if you are copying the policy from the Configuration
page for that policy and branch.
6. Click Paste.

A copy of the policy is added to the list of existing policies. The name of the
policy is appended with a number to indicate the copy.

To delete a policy

1. Click Policies in the Maintain pane.


The Policy menu expands.

2. Click the policy category containing the policy you want to delete.
The policy category opens, containing the list of policies.

3. Click the policy type you want to delete.

The Global Policy Definition window for that specific policy opens, displaying
a list of available policies.

4. Select an existing policy by clicking on the policy, and click Delete.

You are prompted to confirm the deletion.


5. Click Yes.
The policy is deleted.

To find a policy

1. Click Policies in the Maintain pane.


The Policy menu expands.

2. Click the policy category containing the policy you want to find.
The policy category opens, containing the list of policies.


3. Click the policy type you want to search.


The Global Policy Definition window for that specific policy opens, displaying
a list of available policies.

4. Click the double arrow next to Find.

The Find pane opens.

5. Use the drop-down menu to specify the field you want to search. To search
all fields, leave the option set to All Fields.

6. Enter the text you want to find.


You can enter full words, or only a few characters.
7. Click Next to move to the next row matching your criteria. Click Prev to move
to the previous row that matches your criteria.

Create General Policies

General Policies let you control how and when the Client contacts the
Management Server for updates, manage event notification, and set
Client-specific options. The General Policies include the following:

Phone Home Policies

Phone Home policies control when the Client contacts the Management
Server for policy and component updates.

Content Update Policies


Content Update policies control when the Client checks for content updates,
and where the Client looks for such updates. When the Client checks for
content updates, it looks to see whether updates are available for any of the
components it uses, such as the engines.

Event Management Policies


Event Management policies control how the Client communicates events to
the event server. You can specify the severity of events you want reported,
the transmission intervals, and a range of other options.
Client Options Policies
Client Options policies control the parameters that are logged on the Client,
the Client's license synchronization, and the level of access and control end
users have for the Client.


More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Create Phone Home Policies

The Phone Home Policy controls when the Client contacts the Management
Server for policy and component updates.

To create a Phone Home policy


1. Configure the Name and General Settings. (see page 225)

These settings include naming and describing the policy, locking the policy
settings, and indicating whether this is the default policy.

2. Configure the Phone Home Settings. (see page 227)

These settings let you specify the Management Server or Management
Server Proxy the Client attempts to contact and when the Client attempts to
phone home.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure Phone Home Policy Name and General Settings

Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.

You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.

To configure the Name and General Settings

1. Click Maintain, Policies, Global Policy Definitions.


2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.


3. Click the policy you want to create.


The Global Policy Definition window for that specific policy opens and
displays a list of available policies.

4. Click New.
The Name and General Settings page for the policy opens.

5. In the Policy Description pane, enter the following information:


Name
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.

Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.

6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.

Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.

7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type
Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.


8. (Optional) If this is a partition-specific policy, the Policy Scope pane is
present. Select one of the following options:

This Policy is private to this Partition


Select this option to limit the policy to only this partition. The policy will
not appear in the list of available policies in other partitions.

Share this Policy with all Partitions


Select this option to make the policy available across all partitions.
9. Click Next to move to the next page in the policy creation process.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)

Configure Phone Home Settings

The Phone Home Settings let you specify which Management Server or
Management Server Proxy the endpoint contacts when phoning home and the
time and frequency the endpoints phone home.

To configure the Phone Home Settings

1. Open the Phone Home Settings page by either clicking Next on the Name and
General Settings page of the Phone Home Policy, or by clicking the Phone
Home Settings link in the Steps to Create Policy pane.
2. Select the primary server using the drop-down menu in the Primary server
field. The primary server is the initial server contacted when the endpoint
phones home.

Note: The servers displayed in the drop-down menu are drawn from the list
containing the known Master Management Server plus all Management
Proxy Servers.

3. Select any secondary server using the drop-down menu in the Secondary
server field.

Secondary servers are backup servers that endpoints attempt to contact if
the endpoint cannot reach the primary server. Once selected, the servers are
added to the Secondary server list.

You can reorder the list of servers, from highest to lowest priority, by
selecting a server and using the up and down arrows to move the server up
and down the list. The endpoint contacts the secondary servers starting from
the top server in the list and continues down the list until it successfully
phones home.


4. Specify the duration between phone home attempts in the Phone home
every field.

You can change the units for this field using the drop-down menu next to the
field. For example, to have the Clients phone home every day, enter 24 and
select Hours for the units.
You must specify the time in minutes or hours.

5. (Optional) Enable at least one of the following options to specify when the
Client phones home:
At system start-up

Enable this option to have the Client attempt to phone home each time
the Client starts, provided the phone home interval has expired.
When system wakes up

Enable this option to have the Client attempt to phone home each time
the client wakes from standby mode, provided the phone home interval has
expired.

By default, both options are enabled.


6. Click Save to save your changes and return to the Global Policy Definitions
page.
Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.

Note: In a Standalone Installation, there is only one Management Server so the
choice of primary server is fixed and cannot be changed. There are no available
secondary servers in a Standalone Installation.
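The Phone Home settings above define two behaviours an administrator should be able to predict: the order in which an endpoint tries the primary and secondary servers, and when a phone home is actually attempted given the interval and the two optional triggers. The following Python models both. It is an added example, not code from CA Total Defense; the class, the `reach` callback and the server names are assumptions made for illustration.

```python
"""Phone Home policy behaviour modelled in Python (added example, not CA
code). Server names and the `reach` callback are constructed stand-ins."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, List, Optional


@dataclass
class PhoneHomePolicy:
    primary: str                              # Master Management Server or a Proxy
    secondaries: List[str] = field(default_factory=list)
    interval: int = 60
    units: str = "Minutes"                    # "Minutes" or "Hours", as in the editor
    on_startup: bool = True                   # "At system start-up" (default on)
    on_wake: bool = True                      # "When system wakes up" (default on)

    def interval_delta(self) -> timedelta:
        """The policy only accepts minutes or hours."""
        if self.units == "Minutes":
            return timedelta(minutes=self.interval)
        if self.units == "Hours":
            return timedelta(hours=self.interval)
        raise ValueError("phone home interval must be in minutes or hours")

    def server_order(self) -> List[str]:
        """Primary first, then the secondary list from top to bottom."""
        order = [self.primary]
        for s in self.secondaries:
            if s not in order:
                order.append(s)
        return order


def should_phone_home(policy: PhoneHomePolicy, last_success: Optional[datetime],
                      now: datetime, event: str) -> bool:
    """event is 'interval', 'startup' or 'wake'. Start-up and wake only
    trigger a phone home when that option is enabled and the interval has
    expired since the last successful contact."""
    if event not in ("interval", "startup", "wake"):
        raise ValueError(f"unknown trigger {event!r}")
    if event == "startup" and not policy.on_startup:
        return False
    if event == "wake" and not policy.on_wake:
        return False
    if last_success is None:
        return True
    return now - last_success >= policy.interval_delta()


def phone_home(policy: PhoneHomePolicy, reach: Callable[[str], bool]) -> Optional[str]:
    """Try servers in policy order; return the first one reached, or None
    when every server in the list is unreachable."""
    for server in policy.server_order():
        if reach(server):
            return server
    return None


# Constructed example: phone home every day, with two proxies as fallbacks.
POLICY = PhoneHomePolicy("mgmt01.example.local",
                         ["proxy-a.example.local", "proxy-b.example.local"],
                         interval=24, units="Hours")

if __name__ == "__main__":
    now = datetime(2010, 3, 8, 9, 0)
    print(should_phone_home(POLICY, now - timedelta(hours=2), now, "startup"))
    print(phone_home(POLICY, lambda s: s == "proxy-b.example.local"))
```

Note that a restart two hours after a successful phone home does not trigger another contact, even with "At system start-up" enabled, because the 24-hour interval has not expired; only an endpoint whose interval has lapsed (for example a laptop that was off for several days) phones home immediately on start-up.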

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)


Create Content Update Policies

The Content Update Policy controls when and where the endpoints in your
organization check for content updates.

To create a Content Update Policy

1. Configure the Name and General Settings. (see page 230)


These settings include naming and describing the policy, locking the policy
settings, and determining whether the policy is the default for this policy
type.

2. Configure the Update Schedule. (see page 232)

These settings determine when endpoints check for content updates.

3. Configure the Server List. (see page 233)


These settings let you configure which servers or network locations
endpoints use when gathering content updates.

4. Configure the Proxy Server. (see page 234)

These settings let you configure the proxy server's settings if the endpoints
need to use a proxy to access the Internet.

5. Configure the Components for Updating. (see page 236)

These settings let you specify the components to check for any available
updates.
6. Configure the Redistribution Settings. (see page 238)

These settings only apply to systems that have a Redistribution Server
installed.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)


Configure Content Update Policy Name and General Settings

Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.

You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.

To configure the Name and General Settings


1. Click Maintain, Policies, Global Policy Definitions.

2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.

3. Click the policy you want to create.


The Global Policy Definition window for that specific policy opens and
displays a list of available policies.

4. Click New.
The Name and General Settings page for the policy opens.

5. In the Policy Description pane, enter the following information:

Name
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.

Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.

6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.

Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.


7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type

Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.

8. (Optional) If this is a partition-specific policy, the Policy Scope pane is
present. Select one of the following options:

This Policy is private to this Partition


Select this option to limit the policy to only this partition. The policy will
not appear in the list of available policies in other partitions.

Share this Policy with all Partitions


Select this option to make the policy available across all partitions.
9. Click Next to move to the next page in the policy creation process.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)


Configure Content Update Policy Update Schedule

The Update Schedule options for the Content Update policy let you schedule
when the endpoints in your organization check for updates and how long past
signatures are kept in case a signature rollback is required.

To configure Update Schedule options

1. Open the Update Schedule page by either clicking Next on the General Policy
Settings page of the Content Update Policy, or by clicking the Update
Schedule link in the Steps to Create Policy pane.

The Update Schedule page appears.


2. Enable one or both of the following options:
Perform update on startup

The endpoint checks for and downloads updates each time it starts.
Perform update according to schedule below
The endpoint checks for and downloads updates according to a schedule
you specify. You can specify to run the update once, or to have the
update repeated regularly. If the client is not running at the scheduled
time for an update, the client performs the update the next time it starts.

3. Specify the number of days signatures are saved in the Number of Days to
Save Signatures for Rollback field.
Signatures older than this limit are deleted to save space and you cannot
revert to them.

4. Click Next.
The Server List page appears.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)


Configure Content Update Policy Server Lists

The Server List of the Content Update policy lets you specify the resources that
endpoints use to gather content updates and the order in which they are
contacted. These resources include:
■ The CA Content Update Server at etrustdownloads.ca.com (the default
resource)
■ An internal Redistribution Server using HTTP
■ An internal network share using UNC format, such as
\\ComputerName\SharedFolder\ContentUpdate. The system IP address can
be used instead of the host name.

The order of the specified resources is very important. When checking for
updates, the endpoints check the first resource on the list. If it is unavailable, the
endpoints continue trying to contact each resource on the list in turn, until a
successful download occurs. Each attempt is noted in the ccupdate log file on the
endpoint. If none of the resources can be reached, the endpoint attempts the
download process again at the next scheduled interval, or when the user
manually starts the update using the Download Now button in the Client user
interface.

To set the Server List

1. Open the Server List page by either clicking Next on the Update Schedule
page of the Content Update Policy, or by clicking the Server List link in the
Steps to Create Policy pane.

The Server List page appears. By default, the CA Content Update Server
appears.
2. To add other resources, click Add and select either the HTTP or UNC protocol.
■ If you selected HTTP, specify the Redistribution Server name and port,
and click Save.
■ If you selected UNC (Uniform Naming Convention), specify the
Download Location, and click Save.

The UNC can use either the IP address or host name of your
network share. For example:
\\ComputerName\SharedFolder\ContentUpdate or
\\IPaddress\SharedFolder\ContentUpdate

■ To modify a server, select the server and click Modify. Edit the server
settings as necessary and click Save.
■ To delete a server, select the server and click Delete.


3. Select a resource and use the arrows to reposition the resource in the list.
4. Click Next.

The Proxy Server page appears.


Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
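The Server List procedure above has two parts worth checking before a policy is deployed: that each entry is a well-formed resource of one of the three accepted kinds, and that endpoints really do walk the list in order, logging every attempt, until one download succeeds. The following Python models both. It is an added example and not CA code; the resource class, the `fetch` callback, the log line format and the host names are constructed for illustration (the real ccupdate log layout is not documented on this page).

```python
"""Content Update Server List behaviour modelled in Python (added example,
not CA code). The log line format, `fetch` callback and host names are
constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

CA_CONTENT_UPDATE_SERVER = "etrustdownloads.ca.com"   # the default resource

# \\host-or-ip\share[\subfolder...]  (host: name or dotted IP, no spaces)
_UNC_RE = re.compile(r"^\\\\([A-Za-z0-9._-]+)\\([^\\\s]+)(\\[^\\\s]+)*$")
_HOST_RE = re.compile(r"^[A-Za-z0-9._-]+$")


@dataclass(frozen=True)
class UpdateResource:
    kind: str          # "CA", "HTTP" (Redistribution Server) or "UNC" (share)
    location: str      # host name for CA/HTTP, full UNC path for UNC
    port: int = 80     # HTTP only


def is_valid_unc(path: str) -> bool:
    """A UNC download location needs at least \\host\share."""
    return _UNC_RE.match(path) is not None


def make_http(host: str, port: int) -> UpdateResource:
    if not _HOST_RE.match(host) or not 1 <= port <= 65535:
        raise ValueError(f"invalid Redistribution Server {host!r}:{port!r}")
    return UpdateResource("HTTP", host, port)


def make_unc(path: str) -> UpdateResource:
    if not is_valid_unc(path):
        raise ValueError(f"not a UNC download location: {path!r}")
    return UpdateResource("UNC", path)


def describe(r: UpdateResource) -> str:
    return f"http://{r.location}:{r.port}" if r.kind == "HTTP" else r.location


def download_from_list(resources: List[UpdateResource],
                       fetch: Callable[[UpdateResource], bool],
                       log: List[str]) -> Optional[UpdateResource]:
    """Try each resource in list order and stop at the first success.
    `fetch` returns True when a download from that resource succeeded.
    One line per attempt is appended to `log`, as the endpoint's ccupdate
    log records each attempt. Returns None if every resource failed, in
    which case the endpoint retries at the next scheduled interval."""
    for i, r in enumerate(resources, 1):
        ok = fetch(r)
        log.append(f"[{i}/{len(resources)}] {r.kind} {describe(r)}: "
                   f"{'download OK' if ok else 'unreachable'}")
        if ok:
            return r
    log.append("all resources failed; retry at next scheduled interval "
               "or when the user clicks Download Now")
    return None


# Constructed list: internal sources first, the CA server as the last resort.
SERVER_LIST = [
    make_http("redist01.corp.example", 8080),
    make_unc(r"\\10.0.0.25\Updates\ContentUpdate"),
    UpdateResource("CA", CA_CONTENT_UPDATE_SERVER),
]

if __name__ == "__main__":
    lines: List[str] = []
    # Simulate the Redistribution Server being down and the share answering.
    got = download_from_list(SERVER_LIST, lambda res: res.kind == "UNC", lines)
    print("\n".join(lines))
    print("updated from:", describe(got) if got else "nothing")
```

Because every endpoint that receives the policy will install whatever it fetches from the first reachable resource, treat the list as a trust decision: a UNC share used here should be writable only by the account that stages updates and read-only for endpoints, and a Redistribution Server should be reachable only from the networks that need it. Otherwise anyone who can write to the share or stand up a host at that name is in a position to feed content to the whole partition.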

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)

Configure Content Update Policy Proxy Servers

If your network requires that endpoints access a proxy server to reach the
Internet, you must specify that server in the Proxy Server options for your
Content Update policy to download and install updates.

Proxy servers stand between endpoints and the Internet to provide an additional
layer of privacy and security for your system. You can configure your policy to
automatically detect your proxy settings or to connect through a specific proxy
server to obtain updates. In addition, if your proxy server requires
authentication, you can configure the policy to automatically supply your
credentials to allow you to connect to the Internet.

Alternatively, you can specify that a proxy server should not be used to connect
to the Internet.


Using a proxy server is optional, and if your network does not use a proxy server,
you do not have to enter information here.

To configure proxy server options


1. Open the Proxy Server page by either clicking Next on the Server List page of
the Content Update Policy, or by clicking the Proxy Server link in the Steps to
Create Policy pane.
The Proxy Server page appears.
2. Select one of the following options:

Do not use a proxy server


Enable this if your network does not use a proxy server. This option is
selected by default.

Automatically detect proxy server settings


Enable this option to let endpoints automatically detect the proxy server
settings.

Use these proxy server settings


Enable this option and specify the name and port to use to access a
specific proxy server.

3. Select the Proxy server requires authentication option if your proxy server
requires credentials, and specify the user name and password to use in the
appropriate fields.
Note: These credentials are distributed with the policy to every endpoint that
receives it. Use a dedicated account that has no rights beyond proxy access.
4. Click Next.

The Components for Updating page appears.


Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)


Configure Content Update Policy Components for Updating

The Components for Updating page of a Content Update policy lets you specify
which components to download when checking for newer component versions.

To configure the Components for Updating

1. Open the Components for Updating page by either clicking Next on the Proxy
Server page of the Content Update Policy, or by clicking the Components for
Updating link in the Steps to Create Policy pane.
The Components for Updating page appears.

2. In the Components list, select the components you want to have updated in
this policy.

All components are initially selected in the CA-recommended Content
Update Policy. The components you can select are listed after the procedure.

3. Click Next.
The Redistribution Settings page appears.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
You can select from the following components:

Anti-Malware Engine
Select this component to allow updates to the anti-malware engine.

Anti-Malware Realtime
Select this component to allow updates to the anti-malware Realtime
protection feature.

Anti-Malware Signatures
Select this component to allow updates to the anti-malware signatures the
engine uses when searching for malware.
Note: The anti-malware signatures are dependent on the anti-malware engine.
To update the anti-malware signatures, you must also select to update the
anti-malware engine.

Client Agent
Select this component to allow updates to Client software.

Client User Interface
Select this component to allow updates to the GUI for the Client.

Content Update Redistribution Server
Select this component to allow updates to the Redistribution Server feature.

Endpoint Discovery
Select this component to allow updates to the Endpoint Discovery feature.

Event/Reporting Servers
Select this component to allow updates to the Event and Reporting servers.

Gateway Security
Select this component to allow updates to the CA Gateway Security product.

Host Intrusion Prevention System
Select this component to allow updates to the engine that runs the intrusion
protection feature.

Intrusion Protection Signatures
Select this component to allow updates to the signatures used by the
intrusion protection engine when detecting unwanted intrusions to your
network.

Known Applications
Select this component to allow updates to the lists used to identify known
applications.

Management Server Core
Select this component to allow updates to the Management Server.

Management Server User Interface
Select this component to allow updates to the Management Console.

Options for Lotus Domino
Select this component to allow updates to the Lotus Domino groupware
scanner and options.

Options for Microsoft Exchange
Select this component to allow updates to the Microsoft Exchange groupware
scanner and options.

Options for NetApp
Select this component to allow updates to the NetApp groupware scanner and
options.

Options for SharePoint
Select this component to allow updates to the Microsoft SharePoint groupware
scanner and options.

Proactive Protection Built-in Policy Components
Select this component to allow updates to the built-in building blocks used
to create Proactive Protection policies.

Threat Management Framework
Select this component to allow updates to the software connecting the Host
Intrusion Prevention System to the Client.

Vulnerability Assessment
Select this component to allow updates to the Vulnerability Assessment
feature.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)

Appendix A: Procedures 237



Configure Content Update Policy Redistribution Settings

The Content Update policy Redistribution Settings only apply to systems that
have a Redistribution Server installed. If an endpoint that receives this policy
does not have a Redistribution Server installed, these settings are ignored.

To configure the Redistribution Settings

1. Open the Redistribution Settings page by either clicking Next on the
Components for Updating page of the Content Update Policy, or by clicking
the Redistribution Settings link in the Steps to Create Policy pane.

The Redistribution Settings page appears.


2. Specify the port endpoints should use to contact this Redistribution Server
for content updates in the HTTP Port field.

3. Specify the length of time in minutes between the time the updates are
downloaded and when they are made available to other endpoints or other
Redistribution Servers if you are using a tiered implementation.

4. Select the components you want to make available to other endpoints in the
Redistribution Components table.

The Redistribution Components table lists the following information:

■ Component identifies the components available to endpoints.
■ Architecture lists the architecture available to endpoints.
■ Platform identifies the operating system available to endpoints.

By default, all components are selected.

5. Click Save to save your settings, close the wizard, and return to the Global
Policy Definitions page.
Alternatively, you can click Back to return to the previous page, click Discard
to remove any changes you made, or click Close to close the policy.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)


Create Event Management Policies

The Event Management Policy controls how the Client communicates events to
the event server. You can use these settings to identify the event servers,
configure the type and severity of events you want reported, specify the
transmission intervals, and set a range of other options.

To create an Event Management Policy


1. Configure the Name and General Settings. (see page 240)
These settings include naming and describing the policy, locking the policy
settings, and indicating whether this is the default policy.

2. Configure the Event Server Settings. (see page 241)

These settings let you specify the primary and any secondary event servers
and the protocol used to communicate with these servers.

3. Configure the Event Management Filter Options. (see page 243)


These filter options let you control what kind of events are reported and
recorded on the event server.

4. Configure the Event Management Transmission Options. (see page 245)


These options control how often each Client reports events to the event
server.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)


Configure Event Management Policy Name and General Settings

Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.

You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.

To configure the Name and General Settings


1. Click Maintain, Policies, Global Policy Definitions.

2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.

3. Click the policy you want to create.


The Global Policy Definition window for that specific policy opens and
displays a list of available policies.

4. Click New.
The Name and General Settings page for the policy opens.

5. In the Policy Description pane, enter the following information:

Name
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.

Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.

6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.

Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.


7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type

Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.

8. (Optional) If this is a partition-specific policy, the Policy Scope pane is
present. Select one of the following options:

This Policy is private to this Partition
Select this option to limit the policy to only this partition. The policy will
not appear in the list of available policies in other partitions.

Share this Policy with all Partitions
Select this option to make the policy available across all partitions.

9. Click Next to move to the next page in the policy creation process.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)

Configure Event Server Settings

The Event Server Settings of an Event Management policy specify the servers to
which Clients forward information about events. You can identify a primary
server, a secondary server, and additional back-up servers, if necessary. In
addition, you can specify the protocol used for communication between the
endpoints and the Event Server.

A primary server is the first Event Server endpoints contact when forwarding an
event. If the endpoint cannot reach the primary server, it tries to contact the
secondary server. If the endpoint cannot reach the secondary server, it tries to
contact the other listed back-up servers.


To configure Event Server Settings


1. Open the Event Server Settings page by either clicking Next on the General
Policy Settings page of the Event Management Policy, or by clicking the
Event Server Setting options link in the Steps to Create Policy pane.
The Event Server Settings page appears.

2. Select the primary Event Server for this policy using the drop-down menu in
the Primary Server field.
The primary Event Server is the first server the Client contacts when
forwarding events.

Note: If you cannot find the primary server in the list, select Other, enter the
name of the server, and click Save.

3. Select a secondary Event Server for this policy using the drop-down menu in
the Secondary Server field.

The secondary Event Server is a back-up server that the Client contacts if it
is unable to contact the primary server.

Note: If you cannot find the server in the list, select Other, enter the name
of the server, and click Save.
To remove a server from the list, click the trash can icon next to the server's
name.

4. Select one of the following protocols and specify the associated port to
identify the protocol to use for communication between endpoints and Event
Servers:

HTTP
Use Hypertext Transfer Protocol (HTTP) for the transmission protocol
when the Client sends events to the Event Server.

HTTPS
Use Hypertext Transfer Protocol Secure (HTTPS) for the transmission
protocol. HTTPS is a combination of the Hypertext Transfer Protocol and
a cryptographic protocol. This option better ensures the security of your
network, but can slow down traffic.

5. Specify whether to use Microsoft Message Queuing as an alternate
communication protocol using the Use MSMQ as alternative protocol option
in the Default Policy pane.

Microsoft Message Queuing (MSMQ) is a messaging protocol for Windows
that allows applications running on different servers to communicate in a
failsafe manner.

6. Click Next.
The Event Management Filter Options page appears.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.


More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)

Configure Event Management Filter Options

The Event Management Filter options of an Event Management policy control
which events are reported by the Client. You can filter events by severity or by
source.

To configure the Event Management Filter options


1. Open the Event Management Filter Options page by either clicking Next on
the Event Server Settings page of the Event Management Policy, or by
clicking the Event Management Filter options link in the Steps to Create
Policy pane.
The Event Management Filter Options page appears.

2. In the Filter by Severity pane, select the level of event severity you want
reported.

You can have events flagged as High, Medium, or Low severity reported by the
Client to the Event Server.

3. In the Filter by Source pane, select the components you want to be able to
report events to the event server:

Anti-Malware Client
Reports events related to malware found on the endpoint.

Application Control
Reports events related to access and use of controlled applications on
the endpoint.

Firewall
Reports events related to firewall access attempts.

Operating System Security
Reports all Operating System Security events, such as logging changes
to the registry and other operating system files.

Intrusion Protection
Enable this option to have the Intrusion Protection events reported.

Vulnerability Assessment
Reports all Vulnerability Assessment events.


Groupware
Reports Groupware events, including events generated from the
Groupware scanner when scanning email servers.

Total Defense Management Server
Reports any event from the Management Console.

Total Defense Agent
Reports events from each Total Defense Client.

CA Gateway Security
Reports all events generated by the gateway security module.

4. Click Next.

The Event Management Transmission Options page appears.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)


Configure Event Management Transmission Options

The Event Management Transmission options of an Event Management policy
control when events are transmitted from the Client to the event server and how
many retry attempts are allowed.

To configure the Event Management Transmission options

1. Open the Event Management Transmission Options page by either clicking
Next on the Event Management Filter options page of the Event Management
Policy, or by clicking the Event Management Transmission options link in the
Steps to Create Policy pane.

The Event Management Transmission Options page appears.

2. Set the following options in the Trigger for Stored Events pane:

Maximum delay between transmissions of events to event server
Enter the maximum amount of time events are held before they are
transmitted to the event server. Once this delay has expired, the Client
transmits the cached events to the event server.

Maximum number of events to store locally before transmitting
Enter the maximum number of events to hold locally before they are
transmitted to the event server. Once this number is reached, the Client
transmits the cached events to the event server.

Maximum space for local event storage
Enter the maximum storage size for events on the Client machine.

3. In the Retry Options pane, set the following options:

Time interval between retries
Specify the length of the interval between the Client's attempts to
contact the event server.

Maximum time to store unsent events
Specify the maximum duration that unsent events are stored. Once this
time expires, the events are transmitted.

4. Click Save to save your changes and return to the Global Policy Definitions
page.

Alternatively, you can click Back to return to the previous page, click Discard
to remove any changes you made, or click Close to close the policy.
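The Client-side behaviour that the Event Management policy configures (the Filter Options, the primary/secondary/back-up order of the Event Server Settings, and the three Trigger for Stored Events limits plus the retry interval above), as an added Python model. This is not CA Total Defense code: the class names, server URLs and sample policy values are constructed for the example, and the behaviour once the maximum time to store unsent events expires is not modelled.

```python
# Added illustration (not CA Total Defense code) of the Client-side behaviour an Event
# Management policy configures: Filter Options, primary/secondary/back-up failover and the
# Transmission Options triggers. Class names and server URLs are assumptions for the example.
from collections import namedtuple
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

SEVERITIES = ("Low", "Medium", "High")
Event = namedtuple("Event", "severity source message")

@dataclass
class EventFilter:               # Filter by Severity / Filter by Source panes
    min_severity: str            # lowest severity the Client still reports
    sources: frozenset           # components allowed to report events

    def accepts(self, severity: str, source: str) -> bool:
        return (SEVERITIES.index(severity) >= SEVERITIES.index(self.min_severity)
                and source in self.sources)

@dataclass
class TransmissionOptions:       # Trigger for Stored Events / Retry Options panes
    max_delay_s: float           # Maximum delay between transmissions (seconds)
    max_events: int              # Maximum number of events to store locally
    max_bytes: int               # Maximum space for local event storage (bytes)
    retry_interval_s: float      # Time interval between retries (seconds)

class EventSpool:
    """Caches events until a trigger fires, then posts the batch to the first reachable server."""

    def __init__(self, filt: EventFilter, opts: TransmissionOptions, servers: List[str],
                 send: Callable[[str, List[Event]], bool], now: Callable[[], float]):
        self.filt, self.opts, self.servers, self.send, self.now = filt, opts, servers, send, now
        self.pending: List[Event] = []
        self.last_transmit = now()
        self.retry_after = 0.0   # no retry back-off in effect
        self.deliveries = []     # (server, batch size) for each successful transmission

    def record(self, ev: Event) -> Optional[str]:
        if not self.filt.accepts(ev.severity, ev.source):   # dropped by the policy filter
            return "filtered"
        self.pending.append(ev)
        return self.tick()

    def trigger(self) -> Optional[str]:
        if not self.pending:
            return None
        if self.now() - self.last_transmit >= self.opts.max_delay_s:
            return "max_delay"
        if len(self.pending) >= self.opts.max_events:
            return "max_events"
        if sum(len(e.message.encode()) for e in self.pending) >= self.opts.max_bytes:
            return "max_bytes"
        return None

    def tick(self) -> Optional[str]:
        """Run on each new event and on a timer; returns what happened, if anything."""
        t = self.now()
        if t < self.retry_after:
            return "waiting_for_retry"
        reason = self.trigger()
        if reason is None:
            return None
        for server in self.servers:          # primary first, then secondary, then back-ups
            if self.send(server, list(self.pending)):
                self.deliveries.append((server, len(self.pending)))
                self.pending.clear()
                self.last_transmit = t
                return reason
        self.retry_after = t + self.opts.retry_interval_s   # all unreachable: keep, back off
        return "retry_scheduled"

def demo() -> Dict[str, object]:
    """Constructed scenario: primary server down and secondary up, then both down."""
    primary, secondary = "https://events1.example:443", "https://events2.example:443"
    clock, up, received, out = [0.0], {primary: False, secondary: True}, {}, {}
    def send(server: str, batch: List[Event]) -> bool:   # stand-in for the HTTPS post
        if up[server]:
            received[server] = received.get(server, 0) + len(batch)
        return up[server]
    spool = EventSpool(EventFilter("Medium", frozenset({"Anti-Malware Client", "Firewall"})),
                       TransmissionOptions(300, 3, 4096, 60), [primary, secondary], send,
                       lambda: clock[0])
    out["low_severity"] = spool.record(Event("Low", "Firewall", "port probe blocked"))
    out["unlisted_source"] = spool.record(Event("High", "Groupware", "attachment quarantined"))
    spool.record(Event("High", "Anti-Malware Client", "test file detected"))
    spool.record(Event("Medium", "Firewall", "inbound connection blocked"))
    out["third_event"] = spool.record(Event("High", "Anti-Malware Client", "clean failed"))
    out["delivered_via"] = spool.deliveries[-1][0]
    up[secondary] = False                     # now every listed server is unreachable
    spool.record(Event("High", "Firewall", "outbound connection blocked"))
    clock[0] += 300
    out["all_down"] = spool.tick()
    clock[0] += 30
    out["in_backoff"] = spool.tick()
    up[secondary] = True
    clock[0] += 30
    out["after_retry"] = spool.tick()
    out["pending"], out["received"] = len(spool.pending), dict(received)
    return out
```

Calling demo() shows the count trigger firing on the third accepted event and the batch reaching the secondary server, then the delay trigger holding the batch through the retry interval until a server is reachable again.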

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)


Create Client Options Policies

The Client Options Policy controls logging parameters on the Client, the Client
license synchronization, and the level of access and control end users have on
the Client.

To create a Client Options Policy

1. Configure the Name and General Settings. (see page 246)

These settings include naming and describing the policy, locking the policy
settings, and indicating whether this is the default policy.

2. Configure the Settings. (see page 248)

These settings let you specify log parameters for the Client, schedule the
synchronization of the Client with the license server, and specify the control
end users have on the Client.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure Client Options Policy Name and General Settings

Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.

You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.

To configure the Name and General Settings

1. Click Maintain, Policies, Global Policy Definitions.

2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.

3. Click the policy you want to create.

The Global Policy Definition window for that specific policy opens and
displays a list of available policies.


4. Click New.
The Name and General Settings page for the policy opens.

5. In the Policy Description pane, enter the following information:


Name

Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.

Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.

6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.
Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.

7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type
Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.

8. (Optional) If this is a partition-specific policy, the Policy Scope pane is
present. Select one of the following options:

This Policy is private to this Partition

Select this option to limit the policy to only this partition. The policy will
not appear in the list of available policies in other partitions.

Share this Policy with all Partitions

Select this option to make the policy available across all partitions.
9. Click Next to move to the next page in the policy creation process.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.


More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure Client Options Policy Settings

Client Options policy settings let you specify log options and access options on
endpoints, and schedule when the Client synchronizes with the license server.
■ Log options allow you to specify whether to allow end users to delete logs on
the endpoints. Disabling this option preserves log files and ensures that
users are not able to delete important information. Enabling this option
allows users to control the size and growth of logs on the endpoints.

If you enable this option, the Local Log Retention Period and Local Log Size
Limit fields become active. Use these fields to set the following options:
– Identify how long the Client retains log files on the endpoint

– Specify how large logs can become before being overwritten. This option
can help to conserve space on the Client and to ensure that logs do not
become very large.

You can use the Client's LogView function to view logs.


■ Access options identify the level of access and control end users have to the
Client and its services. You can specify the following:

– Allow end users to stop or start Total Defense services on the Client.
Enable this option if you think end users might run services that could
conflict with Total Defense services.
– Allow the Client to appear in the Add or Remove Programs dialog from
the Control Panel. You can use this feature to allow or block end users
from removing the Client from endpoints. While this option allows users
to remove the Client if it conflicts with other programs, it can leave
systems vulnerable to infection if end users remove the Client without
installing other malware protection.

– Let endpoint users access the Client UI. While this option allows end
users to run malware scans on demand for greater protection, you
should ensure that end users are not able to change critical or necessary
options. Enabling this option is best if you have a good grasp on your
policies or feel that your end users can benefit from accessing the Client
UI.


To configure Client Options settings


1. Open the Settings page by either clicking Next on the Name and General
Settings page of the Content Update Policy, or by clicking the Settings link in
the Steps to Create Policy pane.
The Settings page appears.

2. Specify whether to delete client logs using the Never delete logs option.
If you specify to delete logs, the Local Log Retention Period and Local Log
Size Limit fields are enabled.

If you select the Never delete logs option, these fields do not apply and are
not enabled.

3. Specify how long you want the Client to retain logs, if applicable, in the Local
Log Retention Period field.

Any log older than this date is purged.

4. Specify the maximum size limit of the Client logs, if applicable, in the Local
Log Size Limit field.

When a log exceeds this size, the oldest items in the logs are overwritten.

5. Specify the length of time between licensing synchronizations in the License
Synchronization Interval field.

The Client synchronizes with the license server when this interval expires.

6. Enable the Allow stopping and starting of Total Defense services option to let
end users start and stop the services related to the Total Defense system.

This option allows end users to start and stop Total Defense services on the
Client if they conflict with other services running on the endpoint.

7. Specify whether to allow the Client to appear in the Add or Remove Programs
dialog using the Show Total Defense Client in Add or Remove Programs
option.

This option allows users to remove the Client if they detect conflict with other
programs running on the endpoint.

Note: Use this option with caution. If end users remove the Client without
installing other malware protection, they can leave their systems vulnerable
to infection.


8. Enable the Allow endpoint user to access client UI option to allow end users
to use endpoints to run malware scans on demand and perform other
operations using the Client UI.
You should ensure that end users are not able to change critical or necessary
options.
9. Click Save to save your changes and return to the Global Policy Definitions
page.

Alternatively, click Back to return to the previous page, click Discard to clear
any changes you made, or click Close to close the policy without saving your
changes.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Create Anti-Malware Policies

Anti-Malware Policies let you control the anti-malware configuration options on
the Client. You can control how the Client's Real-time scanner operates, schedule
scan jobs, and set contact information for malware submissions to CA.

Anti-Malware Policies include the following:

Real-time Policies
Real-time policies control the options and settings for the Client's real-time
anti-malware scanner. These options include the action the Client takes
when it finds an infection, how the Client treats archived files, and any
allowed exclusions to the scan.

Scheduled Scan Options Policies
Scheduled Scan Options policies control the options related to scheduled
scans. When the Client runs a scheduled scan, it uses the options specified in
this policy. For example, if you set a policy to remove all macros when an
infected macro is found, then, if a scheduled scan encounters a macro virus,
all related macros are deleted on that machine.

Scheduled Job Policies
Scheduled Jobs policies let you schedule when the Client runs scans. End
users can still perform manual scanning in addition to the scheduled scan
policy.

Malware Submission Policies
Malware Submission policies let you control the email template used to
contact CA when new malware is found.


More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Create Real-time Policies

The Anti-Malware Real-time policy controls the options and settings for the
Client's real-time anti-malware scanner. These options include the actions the
Client takes when it finds infections, how the Client treats archived files, and
any allowed exclusions to the scan.

To create an Anti-Malware Real-time Policy

1. Configure the Name and General Settings. (see page 252)

These settings include naming and describing the policy, locking the policy
settings, and indicating whether this is the default policy.

2. Configure the Options and Actions. (see page 253)


These options let you control the cleaning options of the real-time scanner.

3. Configure the Advanced Real-time Settings. (see page 256)

These settings let you control the scanner and scanning methods of the
real-time anti-malware scanner.

4. Configure the Real-time Targets. (see page 257)

These settings let you control the targets the real-time scanner checks. You
can specify whether the scanner checks incoming email or floppy drives, and
whether to exempt any file extensions from scanning.

5. Configure the Archive Settings. (see page 259)

These settings let you control how the real-time scanner handles archive
files. For example, you can specify that the scanner checks .zip or .rar files
for infections, but not .tar archives.

6. Configure the Real-time Exclusions. (see page 260)

These settings let you exclude specific objects from scans. The real-time
scanner ignores the specified objects when scanning the endpoint.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)


Configure Real-time Policy Name and General Settings

Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.

You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.

To configure the Name and General Settings


1. Click Maintain, Policies, Global Policy Definitions.

2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.

3. Click the policy you want to create.


The Global Policy Definition window for that specific policy opens and
displays a list of available policies.

4. Click New.
The Name and General Settings page for the policy opens.

5. In the Policy Description pane, enter the following information:

Name
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.

Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.

6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.

Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.


7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type

Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.

8. (Optional) If this is a partition-specific policy, the Policy Scope pane is
present. Select one of the following options:

This Policy is private to this Partition
Select this option to limit the policy to only this partition. The policy will
not appear in the list of available policies in other partitions.

Share this Policy with all Partitions
Select this option to make the policy available across all partitions.

9. Click Next to move to the next page in the policy creation process.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure Real-time Policy Options and Actions

The Options and Actions settings of a Real-time policy let you enable the
real-time protection for the Client. You can then set the options and cleaning
actions taken by the Real-time scanner on the Client. For example, you can
specify whether the Client should delete infected items or attempt to clean them.

To configure the Options and Actions settings

1. Open the Options and Actions page by either clicking Next on the General
Policy Settings page of the Real-time Policy, or by clicking the Options and
Actions link in the Steps to Create Policy pane.
The Options and Actions page appears.
2. Select Enable Real-time Protection.

The real-time protection options are enabled.


Note: You must enable this option to set any of the real-time protection
options.


3. Use the Perform a Scan on drop-down menu in the Options pane to specify
the endpoint user actions to be scanned. You can specify the following
options:

■ All File Access: The scanner checks when any file is accessed in any
manner.
■ Read or Execute: The scanner checks only when a file is read or run by
the endpoint user. Writing to a file or performing another action does not
activate the scanner.

4. Specify the scan mode to be used by the endpoint in the Scan Mode field. You
can specify either Normal or Deep mode.

■ Normal mode is the default mode.
■ Deep mode detects malware that is inactive or has been deliberately
modified, such as in a testing laboratory. Use this mode if you suspect
you have an infection that is not detected by the Normal mode. Deep
mode runs significantly slower than Normal mode.

Note: Under certain unique circumstances, Deep mode can generate a
false alarm. If you are scanning using Deep mode, we recommend that
you set your Infection Treatment to Leave file.

5. Specify the action you want the Client to take when an infection is detected
in the Infection Treatment field. You can select the following options:

■ Clean file: The Client attempts to clean the infected file.
■ Delete file: The Client attempts to delete the infected file.
■ Leave file: The Client leaves the infected file as is. The file remains
infected and can still cause problems.
■ Rename file: The Client attempts to rename the infected file by changing
the file extension to try to prevent the infected file from being opened.

6. Specify whether you want the Client to clean detected boot sector infections
or to report the detected boot sector infection without attempting to remove
it.

7. Enter a maximum time limit for scans to run in the Scan Timeout field.
If the real-time scanner reaches the time limit, it reports a failure due to
timeout.

8. Use the options in the Scan fail timeout action field and the Scan fail error
action field to specify whether to Allow or Prevent access to files if a scan
failed because it timed out or failed due to error.
If a scan fails, either because of error or because it reached the maximum
time limit, these options determine whether end users can access the file on
which the scan failed.

254 Administration Guide


Policies

9. In the Auto clean Actions pane, specify the action to take if the Real-time
scanner cannot clean an infected file. You can specify the following actions:

■ Delete: The Client deletes infected files it cannot clean.
■ Leave: The Client leaves infected files it cannot clean intact. Infected
files remain infected and can still cause problems.
■ Rename: The Client renames infected files it cannot clean, changing the
file extension to try to prevent the infected file from being opened.

10. Enable the Copy to quarantine before cleaning option to have any infected
files copied to the Quarantine folder before the Client attempts to clean the
original file.
This allows you to retrieve the original, uncleaned file from the Quarantine if
necessary.

11. Select the Enable System Repair option to have the Client attempt system
cures when an infection is found.
Running a system cure ensures that the system is protected, but can limit
the availability of the computer while the scan is running.

Note: You can only set the Auto Clean Actions if you set the Infection
Treatment to Clean. Otherwise, these options are blocked.

12. In the Macro Virus Treatment pane, specify the actions that the real-time
scanner takes when it detects, but cannot clean, macro viruses.

You can configure the policy to remove only infected macros when a macro
virus is detected but cannot be cleaned, or you can remove all macros.

■ Removing only the infected macros saves users' custom macros, but can
make the endpoints vulnerable to infection.
■ Removing all macros eliminates the threat, but removes all custom
macros from endpoints.

13. Click Next.

The Advanced Real-time Settings page appears.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Appendix A: Procedures 255

Configure Real-time Policy Advanced Real-time Settings

The Advanced Real-time Settings of a Real-time policy let you set the advanced
options, such as whether to use heuristic scanning or whether to scan removable
media when the endpoint powers down.

To configure the Advanced Real-time Settings

1. Open the Advanced Real-time Settings page by either clicking Next on the
Options and Actions page of the Real-time Policy, or by clicking the Advanced
Real-time Settings link in the Steps to Create Policy pane.

The Advanced Real-time Settings page appears.


2. Use the Enable pop-up messages and Limit number of pop-ups options in the
Advanced Protection pane to configure the policy to notify you by pop-up
message when the Real-time scanner detects an infection and to set the
maximum number of pop-up messages to allow at one time.

3. Select the Use advance heuristic scanning option to enable the advanced
Heuristic Scanning.

Heuristic scanning examines suspected malware, looking for a sequence or
sequences of instructions that differentiate the malware from normal
programs. Heuristic Scanning provides better protection for your endpoints,
but requires more system resources and can sometimes generate
false-positive results.

4. Select the Scan alternate data streams (NTFS) option to allow the Client to
scan the Alternate Data Streams found in files on an NTFS based system.

5. Enable the Scan removable media on shutdown option to scan any
removable media, such as a USB thumb drive, when the endpoint shuts
down.

6. Use the Do not scan during backup option to prevent the Client from
scanning files when they are accessed for saving to a backup, allowing the
backup operation to proceed faster.

7. Use the Use already-scanned cache option to allow the scanner to record
files that it scans, to avoid scanning those files if it can detect that no
changes have been made.

8. Specify the Maximum cache size, if you enabled the Use already-scanned
cache option, to specify the maximum size of the cache.

If adding a file name to the cache causes the cache to exceed the size limit,
the earliest entry is replaced.

9. Click Next.

The Real-time Targets page appears.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure Real-time Policy Real-time Targets

The Real-time Targets settings of a Real-time policy let you specify the items
protected by real-time scanning. You can specify hardware, including floppy
drives or storage devices such as USB devices, to protect, and you can extend
the real-time protection to incoming email attachments. In addition, you can
identify specific types of files to exclude from real-time scanning.

Note: You must enable a Protected Area to have the Client scan files found on
that area when accessed. For example, if you enable USB, the Client scans a file
on the USB device for malware every time the endpoint accesses that file.

To configure the Real-time Targets settings

1. Open the Real-time Targets page by either clicking Next on the Advanced
Real-time Settings page of the Real-time Policy, or by clicking the Real-time
Targets link in the Steps to Create Policy pane.

The Real-time Targets page appears.


2. Enable the E-mail protection option in the Real-time Scan pane to configure
the scanner to scan attachments to incoming emails.

The email protection options are activated.

Note: You must enable the E-mail protection option before you can further
customize your email protection.

3. If you enabled email protection, enter the POP3 port number used to connect
with your email server, and the SMTP Port number used by your email
server, and, in the E-mail Action field, specify the action for the Client to take
when it detects an infection.

You can configure the Client to either remove the infected attachment or
attempt to clean it. If you enable the Clean option and the cleaning operation
is successful, you can access the attachment.

4. Specify the files to include or exclude from scanning using the File extensions
to scan option.
You can configure the scanner to scan all extensions, or specific file
extensions only, using the following options:

All extensions
The Client scans all files, regardless of the extension.

Specified extensions only
The Client scans only files with the extensions you specify. Use this
option to have the Client scan only a small list of file extensions.
To have the Client scan a large selection of extensions, we recommend
you use the All except specified extensions option.

All except specified extensions
The Client scans all files except those with the extensions you specify.
Use this option if you want the Client to ignore only a small number
of file extensions, rather than listing all the extensions to include.

5. Specify the extensions to include or exclude from scanning.
■ To add an extension to the extension list, enter the file extension and
click Add.
■ To remove an extension from the list, select the file extension and click
Remove.

6. In the Protected Areas pane, specify any additional areas to be protected by
real-time scanning.
You can protect floppy and network drives, Bluetooth devices, Firewire and
USB storage devices, and CD or DVD drives.

If you protect your CD and DVD drives, the scanner checks inserted disks for
malware. If malware is found, access to the file is denied. You cannot clean
CDs or DVDs of malware.

7. Click Next.

The Archive Settings page appears.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure Real-time Policy Archive Settings

The Archive Settings of a Real-time policy let you specify how the Real-time
scanner treats Archive files.

To configure the Archive Settings

1. Open the Archive Settings page by either clicking Next on the Real-time
Targets page of the Real-time Policy, or by clicking the Archive Settings link
in the Steps to Create Policy pane.
2. Enable Scan Archives.

Note: You must enable the Scan Archives option to set the parameters for
the Archive Settings.

3. Enter a value in the Maximum Nested Level field in the Settings pane to
identify the maximum number of nested levels the Client scans.
Any file in the archive nested above the level you set is ignored and viewed
as clean. All files nested below the level you set are scanned.

A nested archive is an archive file stored within another archive file. For
example, if you added an archive file called example.zip to an existing
archive, example.zip would be nested at level one. If you stored another
archive file in example.zip, that file would be nested at level two. If you set
the Maximum nested level to zero, the Client would not scan the example.zip
file or its contents.

4. Enter a value in the Maximum Compression Ratio field to indicate the highest
compression ratio a file can have and still be scanned.

The compression ratio is the ratio of initial size of the file compared to the
final compressed size of the file. Scanning files with a high compression ratio
slows down the scanning process, but provides better protection. However,
malware sometimes hides in files with a large compression ratio, and trying
to extract such a file for scanning can slow down or freeze your computer.

5. Enter a value in the Maximum Uncompressed File Size field to specify a
maximum uncompressed file size limit for files the Client scans.

The Client does not scan any file in an archive that, when extracted, is larger
than this limit.
Setting a high value prevents the Client from scanning archived files that
might expand too much and slow down or freeze your computer. However,
these large archives could still contain malware and lead to vulnerability.

6. Enable the Stop scanning on first infection option to have the Client stop
scanning an archive file if an infection is found.

This option stops the Client from spending time scanning archives that are
known to be infected, but the Client cannot detect any additional infections
present in an archive file.
If you choose not to enable this option, the Client continues to scan archives
after finding an infected item.

You should enable this option if you automatically delete infected files. If you
clean infected files, scan the entire archive to find all possible infections.

7. In the Archive Type pane, enable the archive types you want the Client to
scan.

For example, if you want the Client to scan zip files, you would enable the ZIP
archive row.
8. Click Next.
The Real-time Exclusions page appears.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure Real-time Policy Real-time Exclusions

The Real-time Exclusions of a Real-time policy let you specify the objects you
want to exclude from real-time scans. Exclusion lists let you exclude applications
you use or specific files or folders that you know to be malware-free from
real-time scanning.

Because applications such as remote control applications, browser plug-ins, and
network traffic analysis tools can be potentially harmful to network and system
security, scans can detect these items as spyware. If you use such applications,
you can add them to your exclusion list to exempt them from scans and prevent
them from being detected as threats.

Objects on your exclusion list are ignored by real-time scanning.

You create this exclusion by first selecting the type of object to exclude using the
Filter pane, then specifying the object in the Exclude pane.

To configure the Real-time Exclusions


1. Open the Real-time Exclusions page by either clicking Next on the Archive
Settings page of the Real-time Policy, or by clicking the Real-time Exclusions
link in the Steps to Create Policy pane.
The Real-time Exclusions page appears.
2. In the Filter pane, select a filter. You can select any of the following filter
options:
Exclude Files from Scan
The Client excludes the files you specify from scanning.

Exclude Folders from Scan
The Client excludes the folders you specify, and all of their files,
sub-folders, and the contents of those sub-folders, from scans.

Exclude Processes from Scan
The Client excludes the processes you specify. If a process is excluded,
any file accessed by that process is not scanned.

Exclude Malware from Scan by ID
The Client excludes the malware you specify by ID. You can obtain the
Malware ID from previous scan results or you can browse for the ID on
the CA Spyware Encyclopedia website. To access the Spyware
Encyclopedia go to the Security Advisor website at
http://www.ca.com/us/global-technology-security.aspx, and click the
Spyware Information Center link. From the Spyware Information Center,
look for the link to the Spyware Encyclopedia.

Exclude Malware from Scan by Category
The Client excludes malware specified by category, such as Trojans or
key loggers. Some useful applications, such as key loggers, are often
identified as malware, so excluding the category lets you use these
applications. However, when you exclude a category you risk being
infected by other malware from that same category.

Note: You can include exclusions from any combination or even all of these
filters in your Real-time policy.

3. Modify the exclusion list as necessary.
■ To add an object to an exclusion list, enter the object name and click
Add.
■ To remove an object from the list, select the object and click Remove.
■ For the Exclude Malware from Scan by Category list, unselect any
category to configure the real-time scanner not to search for those
categories of malware.
4. Click Save to save your changes and return to the Global Policy Definitions
page.

Alternatively, click Back to return to the previous page, click Discard to
remove any changes you made, or click Close to close the policy without
saving your changes.
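
The real-time decisions described in this section and in the Options and Actions and Real-time Targets steps above, combined into one model: the Perform a Scan on trigger, the File extensions to scan modes, the file, folder and process exclusion filters, and the Scan fail timeout and Scan fail error actions. This is an added example, not CA's code or the Client's implementation; the policy field names, the stub scanner and the sample paths are assumptions constructed for illustration.

```python
# Added example (not CA's code): a model of the real-time access decision
# built from the policy settings described above. Field names, the scanner
# stub and the sample paths are constructed for illustration.
from dataclasses import dataclass
import os

ALLOW, PREVENT = "Allow", "Prevent"


@dataclass
class RealtimePolicy:
    # Perform a Scan on: "all" (All File Access) or "read_execute"
    trigger: str = "all"
    # File extensions to scan: "all", "specified_only" or "all_except"
    extension_mode: str = "all"
    extensions: frozenset = frozenset()
    excluded_files: frozenset = frozenset()
    excluded_folders: frozenset = frozenset()
    excluded_processes: frozenset = frozenset()
    # Scan fail timeout action / Scan fail error action
    fail_timeout_action: str = PREVENT
    fail_error_action: str = PREVENT


def _norm(path):
    return os.path.normcase(os.path.normpath(path))


def extension_selected(policy, path):
    """Apply the three 'File extensions to scan' modes to one path."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    if policy.extension_mode == "all":
        return True
    if policy.extension_mode == "specified_only":
        return ext in policy.extensions
    if policy.extension_mode == "all_except":
        return ext not in policy.extensions
    raise ValueError("unknown extension mode: %s" % policy.extension_mode)


def is_excluded(policy, path, process):
    """Exclusion filters: a file, a folder (with all of its sub-folders) or
    the accessing process, in which case nothing that process touches is
    scanned."""
    p = _norm(path)
    if p in {_norm(f) for f in policy.excluded_files}:
        return True
    for folder in policy.excluded_folders:
        f = _norm(folder)
        if p == f or p.startswith(f + os.sep):
            return True
    return process.lower() in {x.lower() for x in policy.excluded_processes}


def needs_scan(policy, path, action, process):
    """True when an access event (action is read, execute or write) should
    trigger the real-time scanner under this policy."""
    if policy.trigger == "read_execute" and action not in ("read", "execute"):
        return False
    if is_excluded(policy, path, process):
        return False
    return extension_selected(policy, path)


def access_decision(policy, path, action, process, scanner):
    """Return Allow or Prevent for one access. `scanner(path)` stands in for
    the engine: True if clean, False if infected, raises TimeoutError on a
    scan timeout and any other exception on a scan error."""
    if not needs_scan(policy, path, action, process):
        return ALLOW
    try:
        clean = scanner(path)
    except TimeoutError:
        return policy.fail_timeout_action   # Scan fail timeout action
    except Exception:
        return policy.fail_error_action     # Scan fail error action
    return ALLOW if clean else PREVENT


def stub_scanner(path):
    """Constructed engine stand-in keyed on the file name."""
    name = os.path.basename(path)
    if name == "eicar.com":
        return False
    if name.startswith("slow"):
        raise TimeoutError("scan timed out")
    if name.startswith("broken"):
        raise OSError("scan error")
    return True
```

With Allow as a fail action, a file the engine could not finish checking is still opened; the policy setting, not an engine verdict, decides that case.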

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Create Scheduled Scan Options Policies

The Scheduled Scan Options policy controls the options for scheduled scans.
When the Client runs a scheduled scan, it uses the options provided by this
policy. If, for example, you have this policy set to remove all macros when an
infected macro is found, then if a scheduled scan encounters a macro virus, all
related macros are deleted on that machine.

To create a Scheduled Scan Options Policy

1. Configure the Name and General Settings. (see page 263)

These settings include naming and describing the policy, locking the policy
settings, and indicating whether this is the default policy.

2. Configure the Scan Options. (see page 265)

These options let you configure the scan mode used, any file extensions the
scan ignores, and whether the scanner only detects infections on the boot
sector, or attempts to clean such infections.

3. Configure the Scan Actions. (see page 266)

These options let you control the cleaning action the scanner takes, whether
the scanner takes a secondary action if the initial cleaning attempt fails, how
the scanner treats macro viruses, and whether the scanner attempts system
repairs or not.

4. Configure the Archive Settings. (see page 268)

These options control how the scheduled scan treats archived files.

5. Configure the Advanced Protection. (see page 270)

These options control the advanced protection of the scheduled scan, such
as whether the scanner checks all user accounts on the endpoint, or only the
user who is currently logged on.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure Scheduled Scan Options Policy Name and General Settings

Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.

You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.

To configure the Name and General Settings

1. Click Maintain, Policies, Global Policy Definitions.

2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.

3. Click the policy you want to create.

The Global Policy Definition window for that specific policy opens and
displays a list of available policies.

4. Click New.

The Name and General Settings page for the policy opens.

5. In the Policy Description pane, enter the following information:

Name
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.

Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.

6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.

Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.

7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type

Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.

8. (Optional) If this is a partition specific policy, the Policy Scope pane is
present. Select one of the following options:

This Policy is private to this Partition
Select this option to limit the policy to only this partition. The policy will
not appear in the list of available policies in other partitions.

Share this Policy with all Partitions
Select this option to make the policy available across all partitions.

9. Click Next to move to the next page in the policy creation process.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

Configure Scheduled Scan Options Policy Scan Options

The Scan Options settings of a Schedule Scan Options policy let you specify the
options for scheduled scans. These options include setting the scan mode, what
files are exempt from scanning, and whether the boot sector is scanned or not.

To configure the Scan Options settings

1. Open the Scan Options page by either clicking Next on the General Policy
Settings page of the Schedule Scan Options Policy, or by clicking the Scan
Options link in the Steps to Create Policy pane.

2. In the Options pane, select the scan mode used by the endpoint. You can
select one of the following options:
Normal

Select this option to run the scanner in the normal, default mode.
Deep
Select this option to detect malware that is inactive or has been
deliberately modified, such as in a testing laboratory. Use this mode if
you suspect you have an infection that was not detected by the Normal
mode. Deep mode runs significantly slower than Normal mode.

3. For the File extensions to scan option, select one of the following:

All extensions
Select this option to have the Client scan all files, regardless of the
extension.

Specified extensions only
Select this option to have the Client scan only those files you specify. Use
this option to have the Client scan only a small list of file extensions.
To have the Client scan a large selection of extensions, it is easier to use
the All except specified extensions option.

All except specified extensions
Select this option to have the Client scan all files except the ones you
specify. Use this option when you want the Client to ignore only a
small number of file extensions, to avoid having to list all the extensions
you want included.

4. If you selected Specified extensions only or All except specified extensions,
you must specify the extensions: the extensions to scan, or the extensions
to exempt from scanning.
■ To add an extension to the list, enter the file extension and then click Add.
■ To remove an extension from the list, select the file extension and click
Remove.

5. For the Boot Sector field, set whether you want the Client to report boot
sector infections or to attempt to clean the boot sector infection. You can
choose from the following options:
Report only
Select this option to report boot sector infections. The Client does not
attempt to remove the infection.

Clean Boot Sector
Select this option to have the Client attempt to clean the boot sector if it
detects any infections there.

6. Click Next to continue creating the Scheduled Scan Option policy.

The Scan Actions page opens.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure Scheduled Scan Options Policy Scan Actions

The Scan Actions settings of a Schedule Scan Options policy let you specify the
actions taken by scheduled scans. These actions include whether the scan
attempts to clean infections and how the scan treats macro viruses.

To configure the Scan Actions settings

1. Open the Scan Actions page by either clicking Next on the Scan Options page
of the Schedule Scan Options Policy, or by clicking the Scan Actions link in
the Steps to Create Policy pane.
2. In the Infection Treatment pane, select what action you want the Client to
take when an infection is detected. You can select the following options:
Clean file
Select this option to have the Client attempt to clean the infected file.

Delete file
Select this option to have the Client attempt to delete the infected file.

Leave file
Select this option to have the Client leave the infected file as is. The file
remains infected and can still cause problems.

Rename file
Select this option to have the Client attempt to rename the infected file.
When renaming, the Client attempts to change the file extension to try
to prevent the infected file from being opened.

3. In the Clean field, you can specify the following options:

Copy to quarantine before cleaning
Enable this option to have any infected files copied to the Quarantine
folder before the Client attempts to clean the original file. You can later
retrieve the original, uncleaned file from the Quarantine if necessary.

If auto clean fails
Specify what action the scanner takes if it cannot clean an infected file.
You can select one of the following options:
■ Delete: Select this option to have the Client delete an infected file if
it cannot clean the file.
■ Leave: Select this option to have the Client leave the infected file
intact if a cleaning attempt fails. The file will remain infected and
could still cause potential problems.
■ Rename: Select this option to have the Client rename the infected
file if it could not clean the file. When renaming, the Client attempts
to change the file extension to try to prevent the infected file from
being opened.

4. In the Macro Virus Treatment pane, specify how you want the scanner to
treat macro viruses. You can select one of the following options:

Remove Infected Macros only
Select this option to have the Client delete only infected macros when a
macro virus is found, but cannot be cleaned. This saves users' custom
macros, but could result in continuing vulnerability for the endpoint.

Remove All Macros
Select this option to have the Client remove all macros if a macro virus is
found and cannot be cleaned. This removal eliminates the threat, but
your end users lose their custom macros.

5. In the System Repair pane, set the Enable System Repair option.
Enable this option to have the Client attempt system cures when an infection
is found. Running a system cure ensures the system is protected but could
limit the availability of the computer while the scan is running.
6. Click Next to continue creating the Scheduled Scan Option policy.

The Archive Settings page opens.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure Scheduled Scan Options Policy Archive Settings

The Archive Settings of a Scheduled Scan Options policy let you specify how the
scheduled scans treat Archive files.

To configure the Archive Settings

1. Open the Archive Settings page by either clicking Next on the Scan Actions
page of the Schedule Scan Options Policy, or by clicking the Archive Settings
link in the Steps to Create Policy pane.

2. Enable the Scan Archives option.

Note: You must enable Scan Archives in order to set the parameters for the
Archive Settings.

3. In the Settings pane, enter the following values:

Maximum Nested Level
Enter the maximum number of nested levels the Client scans. A nested
archive is an archive file stored within another archive file. For example,
if you added example.zip to an existing archive, example.zip would
be nested at level one. If you set the Maximum nested level to zero, the
Client would not scan the example.zip file or its contents. Any file in the
archive nested deeper than the level you set is ignored and viewed as
clean. All files nested less deeply than the level you set are scanned.

Maximum Compression Ratio
Enter the maximum compression ratio of the file the Client scans. The
compression ratio is the ratio of initial size of the file compared to the
final compressed size of the file. Scanning files with a high compression
ratio slows down the scanning process, but provides better protection.
However, some malware hides as files with large compression ratios,
and trying to extract such files for scanning can slow down or freeze your
computer.

Maximum Uncompressed File Size
Enter the maximum uncompressed size of a file. The Client does not scan
any file in an archive that, when extracted, is larger than this limit.
Setting a high value prevents the Client from scanning some archived
files that could expand too much and slow down or freeze your
computer. However, these large archives could still contain malware and
lead to vulnerability.

4. (Optional) Select whether to enable the following option:

Stop scanning archive if infected file found
Enable this option to have the Client stop scanning an archive file if an
infection is found. If you do not enable this option, the Client continues to
scan the archive after finding an infected item. Enabling this option stops
the Client from spending time scanning a known infection, but the Client
will not find any additional infections in the file if they are present.

You should enable this option if you automatically delete infected files. If
you clean infected files, you may want to scan the entire archive to find
all possible infections.

5. In the Archive Type pane, enable the archive types you want the Client to
scan. For example, to have the Client scan .zip files, enable the ZIP archive
row.

6. Click Next to continue creating the Schedule Scan Options policy.

The Advanced Protection page opens.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
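
The Maximum Nested Level, Maximum Compression Ratio, Maximum Uncompressed File Size and Stop scanning options above (the same settings appear in the Real-time policy's Archive Settings) applied to a constructed nested zip. This is an added example, not CA's code: the policy field names, the is_infected stand-in and the sample archives are assumptions, and level numbering follows the example.zip description in step 3.

```python
# Added example (not CA's code): the archive limits above applied to a
# constructed nested zip. Policy field names, the is_infected stand-in and
# the sample archives are assumptions; levels follow the example.zip text.
import io
import zipfile
from dataclasses import dataclass

MARKER = b"constructed-test-marker-not-real-malware"


@dataclass
class ArchivePolicy:
    max_nested_level: int = 2
    max_compression_ratio: float = 100.0    # uncompressed : compressed
    max_uncompressed_size: int = 10 * 1024 * 1024
    stop_on_first_infection: bool = True


def is_infected(name, data):
    """Stand-in for the signature engine."""
    return MARKER in data


def read_capped(zf, info, limit):
    """Decompress an entry while enforcing the size limit on the bytes actually
    produced, not only on the header's file_size, which an attacker controls.
    Returns None once the limit is exceeded."""
    out = bytearray()
    with zf.open(info) as f:
        while True:
            chunk = f.read(1 << 16)
            if not chunk:
                return bytes(out)
            out += chunk
            if len(out) > limit:
                return None


def scan_archive(policy, blob, level=0, report=None):
    """Walk one archive recursively. `level` counts the archives enclosing
    this one beyond the outermost (top-level entries are level 0).
    Returns (infected_count, report) with report a list of (name, verdict)."""
    if report is None:
        report = []
    found = 0
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Assumption: nested archives recognised by name (a real engine
            # sniffs the header). Such an entry is nested at level + 1; past
            # the Maximum Nested Level it and its contents are viewed as clean.
            nested = info.filename.lower().endswith(".zip")
            if nested and level + 1 > policy.max_nested_level:
                report.append((info.filename, "skipped: nesting"))
                continue
            if info.file_size > policy.max_uncompressed_size:
                report.append((info.filename, "skipped: size"))
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > policy.max_compression_ratio:
                report.append((info.filename, "skipped: ratio"))
                continue
            data = read_capped(zf, info, policy.max_uncompressed_size)
            if data is None:                 # header under-declared the size
                report.append((info.filename, "skipped: size"))
                continue
            if nested:
                try:
                    hits, _ = scan_archive(policy, data, level + 1, report)
                except zipfile.BadZipFile:
                    report.append((info.filename, "skipped: unreadable"))
                    continue
            else:
                hits = int(is_infected(info.filename, data))
                report.append((info.filename, "infected" if hits else "clean"))
            found += hits
            if found and policy.stop_on_first_infection:
                break                        # Stop scanning on first infection
    return found, report


def build_sample():
    """Constructed archive: a clean text file, 1 MiB of zeros (ratio around
    1000:1) and inner.zip holding a file carrying the marker."""
    def zipped(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
        return buf.getvalue()
    inner = zipped([("eicar.com", MARKER)])
    return zipped([("readme.txt", b"hello"),
                   ("zeros.bin", bytes(1 << 20)),
                   ("inner.zip", inner)])
```

The header-declared file_size is checked first because it is cheap, but read_capped enforces the limit on the decompressed bytes as well, since a crafted header can understate the size.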

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure Scheduled Scan Options Policy Advanced Protection

The Advanced Protection options of a Scheduled Scan Options policy let you set
the advanced options, such as if heuristic scanning is used or all accounts on the
endpoint are scanned.

To configure the Advanced Protection settings

1. Open the Advanced Protection page by either clicking Next on the Archive
Settings page of the Scheduled Scan Options Policy, or by clicking the
Advanced Protection link in the Steps to Create Policy pane.

2. In the Advanced Protection pane, you can set the following options:

Scan all user accounts
Select this option to have the scheduled scan check all user accounts on
the endpoint, not just the user currently logged on to the endpoint.
Note: This option applies only to scheduled Quick Scans.

Do not scan files migrated to external storage

Select this option to prevent the scanner from checking any file
transferred to an external storage device. If you scan information moved
to external devices, the scan could take longer to complete.

Use advance heuristic scanning

Select this option to enable the advanced Heuristic Scanning. Enabling
Heuristic Scanning better protects your endpoints, but requires more
system resources and sometimes generates false-positive results.
Heuristic scanning is based on a piece-by-piece examination of a
suspected malware file that looks for sequences of instructions that
differentiate the malware from normal programs.

Scan alternate data streams (NTFS)

Select this option to allow the Client to scan the Alternate Data Streams
found in files on an NTFS based system.

Use already-scanned cache

Enable this option to allow the scanner to record files that it scans,
allowing it to avoid scanning those files if it can detect that no changes
have been made.

Maximum cache size

If you are using the already-scanned cache, specify the maximum size of
the cache. If the addition of a file name to the cache would cause the
cache to exceed the size limit, the earliest entry is replaced.

3. Click Save to save your changes and return to the Global Policy Definitions
page.
Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.
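
The Use already-scanned cache and Maximum cache size options above (also in the Advanced Real-time Settings of a Real-time policy) modelled as a bounded cache. This is an added example, not CA's code: the content fingerprint, the class and function names and the demo files are assumptions; the product does not document how it decides that a file is unchanged.

```python
# Added example (not CA's code): a bounded already-scanned cache with the
# "earliest entry is replaced" rule described above. The content
# fingerprint, the API names and the demo files are constructed.
from collections import OrderedDict
import hashlib
import os
import tempfile


def fingerprint(path, chunk=1 << 16):
    """Size plus SHA-256 of the content. A modification time alone is not
    enough: a modified file with a restored timestamp would look unchanged."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return os.path.getsize(path), h.hexdigest()


class ScannedCache:
    """Paths that scanned clean, bounded by `max_entries` (the Maximum cache
    size); when the cache is full the earliest entry is replaced."""

    def __init__(self, max_entries):
        if max_entries < 1:
            raise ValueError("max_entries must be at least 1")
        self.max_entries = max_entries
        self._entries = OrderedDict()   # path -> fingerprint, oldest first
        self.hits = self.misses = 0

    def is_unchanged(self, path):
        fp = self._entries.get(path)
        if fp is not None and fp == fingerprint(path):
            self.hits += 1
            return True
        self.misses += 1
        return False

    def record(self, path):
        if path in self._entries:
            del self._entries[path]             # re-insert as the newest entry
        elif len(self._entries) >= self.max_entries:
            self._entries.popitem(last=False)   # earliest entry replaced
        self._entries[path] = fingerprint(path)

    def paths(self):
        return list(self._entries)


def scan_with_cache(cache, path, scanner):
    """Skip the engine when the cached fingerprint still matches; otherwise
    scan and record the file only if it is clean. Returns (clean, scanned)."""
    if cache.is_unchanged(path):
        return True, False
    clean = scanner(path)
    if clean:
        cache.record(path)
    return clean, True


def demo():
    """Constructed walk-through with a cache of two entries; returns what
    happened so the behaviour can be checked without reading output."""
    calls = []

    def scanner(path):                      # stand-in for the engine
        calls.append(path)
        return not path.endswith("eicar.com")

    cache = ScannedCache(max_entries=2)
    with tempfile.TemporaryDirectory() as d:
        names = ("a.txt", "b.txt", "eicar.com", "c.txt")
        a, b, bad, c = (os.path.join(d, n) for n in names)
        contents = (b"alpha", b"bravo", b"X5O!", b"charlie")
        for p, data in zip((a, b, bad, c), contents):
            with open(p, "wb") as f:
                f.write(data)
        first = [scan_with_cache(cache, p, scanner) for p in (a, b, bad)]
        second = scan_with_cache(cache, a, scanner)   # unchanged: cache hit
        with open(a, "ab") as f:
            f.write(b"!")                              # content changed
        third = scan_with_cache(cache, a, scanner)    # fingerprint differs: rescanned
        fourth = scan_with_cache(cache, c, scanner)   # cache full: b (earliest) evicted
        fifth = scan_with_cache(cache, b, scanner)    # b is gone, so it is rescanned
        return {"first": first, "second": second, "third": third,
                "fourth": fourth, "fifth": fifth, "scans": len(calls),
                "hits": cache.hits, "misses": cache.misses,
                "cached": [os.path.basename(p) for p in cache.paths()]}
```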

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Create Scheduled Scan Jobs Policies

The Scheduled Jobs policy lets you schedule when the Client runs a scan. The
end user can still perform manual scanning outside of the Scheduled Jobs policy.

To create a Scheduled Jobs Policy


1. Configure the Name and General Settings. (see page 271)

These settings include naming and describing the policy, locking the policy
settings, and indicating whether this is the default policy.

2. Configure the Scan Job Definition. (see page 273)

These settings let you add scheduled scan jobs, specifying when each scan is
to take place.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure Scan Jobs Policy Name and General Settings

Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.

You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.

To configure the Name and General Settings

1. Click Maintain, Policies, Global Policy Definitions.

2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.


3. Click the policy you want to create.


The Global Policy Definition window for that specific policy opens and
displays a list of available policies.

4. Click New.
The Name and General Settings page for the policy opens.

5. In the Policy Description pane, enter the following information:


Name
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.

Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.

6. In the Lock Settings pane, specify whether to lock the settings of this
policy.

Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason to change the settings of a locked
policy, you must create and deploy a new policy with that user's specific
settings.

7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type
Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.


8. (Optional) If this is a partition-specific policy, the Policy Scope pane is
present. Select one of the following options:

This Policy is private to this Partition


Select this option to limit the policy to only this partition. The policy will
not appear in the list of available policies in other partitions.

Share this Policy with all Partitions


Select this option to make the policy available across all partitions.
9. Click Next to move to the next page in the policy creation process.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure Scan Jobs Policy Scan Job Schedule

The Scan Job Schedule settings of a Scan Jobs policy let you specify the
scheduled scan jobs that run on the endpoints that receive the policy. Setting
a scheduled scan job ensures that your endpoints are scanned for malware on a
regular basis.

A Scan Job Policy can consist of any number of individual jobs. Each job has its
own schedule, target or targets, and other parameters. This allows you to have
different areas of the machine scanned at different times or with different
settings.

To configure the Scan Job Schedule settings

1. Open the Scan Job Schedule settings page by either clicking Next on the
Name and General Settings page of the Scan Job Policy, or by clicking the
Scan Job Schedule link in the Steps to Create Policy pane.
The Scan Job Definition page opens. If you are editing a policy, a listing of
the existing scheduled jobs is displayed.

2. Click Add Job.

The Scan Job Definition page changes, displaying the parameters you can
set for this job.


3. In the Schedule Scan pane, set the following options:


Job Name

Enter a name for this scheduled scan.


Job Description
Enter a description for this scheduled scan.

Scan type
Select a type of scan for this scheduled scan. You can select one of the
following options:

■ Full: Select this option to run a full system scan.


■ Quick: Select this option to run a quick scan of your system. A quick
scan only checks commonly infected areas.

■ Custom: Select this option to customize the locations scanned.


Note: If you select Custom, you must specify the locations you want
scanned by the Client.

4. If you selected Custom for the Scan type, specify the directories you want
scanned:
■ To add a directory, enter the path and click Add. The directory is added
to the List of folders.

■ To remove a directory, select it in the list and click Remove.
■ To edit a directory, select it, click Edit, make any necessary changes,
and click Update.

5. In the Schedule Scan pane, set the date and time at which the scan starts.

6. (Optional) To repeat this scan on a regular basis, set the Repeat Every
interval. Enter the number of hours and minutes between each run of the
scan job.

7. Use the CPU Priority drop-down menu to set the amount of CPU cycles the
scanner uses when running the scheduled scan. You can select from one of
the following options:
■ High: Runs the scan with the highest priority, taking CPU cycles
away from other uses.
■ Medium: Runs the scan with the same priority as other running
programs.

■ Low: Runs the scan with a lower priority, letting other processes use
more of the CPU cycles.
■ Idle: Runs the scan only when the CPU is not in use.


8. In the Timeout pane, set the following options:


Scan Time Limit

To limit the duration of the scan, enable this option and set the number
of minutes the scan is allowed to run.

Finish Scan By

To have the scan stop at a scheduled time, enable this option and set the
time by which the scan must finish.

9. Click Save Job.

The Scan Jobs Definition pane displays the list of jobs included with this
policy. The scan is added to the list.

Alternatively, you can perform the following:

■ To delete a scan job, select the job and click Delete Job.
■ To edit an existing job, select the job and click Edit Job.
Note: Click Discard to cancel the changes without adding the new job.

10. Click Save to save your changes and return to the Global Policy Definitions
page.
Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Create Malware Submission Policies

When the Client finds a new virus or potential threat, it can submit the
sample to CA. CA has a research team that gathers malware and works to quickly
find ways to cure it and prevent it from spreading. The Malware Submission
policy lets you control the email template used to contact CA when new malware
is found.

To create a Malware Submission Policy

1. Configure the Name and General Settings. (see page 276)

These settings include naming and describing the policy, locking the policy
settings, and indicating whether this is the default policy.

2. Configure the Submission Settings. (see page 278)


These settings let you customize the email sent to CA when new malware is
found.


More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure Malware Submission Policy Name and General Settings

Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.

You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.

To configure the Name and General Settings

1. Click Maintain, Policies, Global Policy Definitions.

2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.

3. Click the policy you want to create.

The Global Policy Definition window for that specific policy opens and
displays a list of available policies.

4. Click New.

The Name and General Settings page for the policy opens.

5. In the Policy Description pane, enter the following information:


Name

Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.

Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.


6. In the Lock Settings pane, specify whether to lock the settings of this
policy.

Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason to change the settings of a locked
policy, you must create and deploy a new policy with that user's specific
settings.

7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type

Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.

8. (Optional) If this is a partition-specific policy, the Policy Scope pane is
present. Select one of the following options:

This Policy is private to this Partition


Select this option to limit the policy to only this partition. The policy will
not appear in the list of available policies in other partitions.

Share this Policy with all Partitions


Select this option to make the policy available across all partitions.
9. Click Next to move to the next page in the policy creation process.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)


Configure Malware Submission Policy Submission Settings

The Submission Settings of a Malware Submission policy let you specify the reply
email address and customer site ID used when submitting malware information
to CA.

To configure the Submission Settings

1. Open the Submission Settings page by either clicking Next on the Name and
General Settings page of the Malware Submission Policy, or by clicking the
Submission Setting link in the Steps to Create Policy pane.

2. In the Malware Submission Settings pane, enter the following information:


Reply Email Address
Enter your email address or the email address where you want to receive
all replies concerning the new malware found.
Customer Site ID
Enter the CA Customer Site ID for your work site.

3. Click Save to save your changes and return to the Global Policy Definitions
page.
Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)


Create Proactive Protection Policies

The Proactive Protection policies help ensure the protection of your network.
These policies control network and application access, protect the system files of
the endpoints, and help you locate vulnerabilities in your network. Proactive
Protection policies are built using rules, Rule Sets, and definitions you specify in
the Advanced Configuration options. You can also use the default Advanced
Configuration objects.

The Proactive Protection policies include the following:

Firewall Policies
The Firewall Policies control the Firewall portion of the Management Console.
You can specify which applications have Internet access, and the websites
such applications can access.

Application Control Policies


The Application Control Policies control how application permissions are
applied on the endpoint. You can configure the Client to limit access only to
applications on the white list, or permit access to all applications except
those that you have black-listed. You can also limit access to unknown
applications.

OS System Security Policies

The OS System Security policies control which applications have access to an
endpoint's system files and settings. Using OS System Security policies lets
you protect COM ports, devices, hidden files and directories, and other
system-critical components.

Intrusion Protection Policies

The Intrusion Protection policies let you protect your network and endpoints
from any unwanted intrusion.

Vulnerability Assessment Policies

The Vulnerability Assessment policies let you check endpoints for
configuration weaknesses. You can specify controls such as how many login
attempts are allowed before a user is locked out, the minimum password
length, local shared directory restrictions, and other settings that help
you protect your network.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Create Application Control Policies (see page 286)
Manage Proactive Protection Advanced Configuration (see page 309)
Configure All Advanced Policy Components (see page 394)


Create Firewall Policies

The firewall rules let you specify whether an application is allowed to use
particular ports and protocols when communicating with particular IP
addresses. The Firewall policy also lets you specify the network zone in which
each network interface is placed.

To create a Firewall Policy

1. Configure the Name and General Settings. (see page 280)


These settings include naming and describing the policy, locking the policy
settings, and indicating whether this is the default policy.

2. Configure the Rule Sets. (see page 282)

These options let you select the Firewall rule sets that apply to this policy.

3. Configure the User-Specific Add-on Rule Sets. (see page 283)


These options let you select Firewall Rule sets and have those Rule Sets
apply to only specified users.

4. Configure the Policy Options. (see page 284)

These options let you control the firewall itself, including options such as how
the firewall reacts to port use.

5. Review the Rule Order. (see page 285)

You can review the rules applied by each Rule Set and the order in which
the rules are evaluated.

More information:

Manage Policies (see page 222)

Configure Firewall Policy Name and General Settings

Use the General Policy Settings to specify the name and description for the
policy. You can also lock the policy to prevent end users from making local
modifications to the policy, and specify whether it is the default policy for all
other firewall policies and automatically included in future installation packages.

To configure the Name and General Settings

1. Click Policies in the Maintain pane.

The Policy menu expands.


2. Click the policy category containing the policy you want to create.

The policy category opens, containing the list of policies.

3. Click the policy to create.


The Global Policy Definition window for that specific policy opens, displaying
a list of available policies.


4. Click New.
The Name and General Policy Settings page for the policy opens.

5. In the Policy Description pane, enter the following information:


Name

Provide a unique name for the policy. Names are limited to 128
characters in length.
Description
Provide a unique description for the policy. Descriptions should help
explain the nature or use of the policy. Descriptions are limited to 128
characters in length.

6. In the Policy Mode pane, select one of the following options:

Protection Mode
Select this option to enforce all aspects of the policy. When selected, if
you create rules that prevent certain actions, these rules are enforced.

Monitor Mode
Select this option to apply the policy with all rules enforced as defined
except those that prevent access. A rule that would prevent access is
treated as allowing access, but events are still generated so that the
access can be monitored. This mode lets you validate a new rule set
against real traffic before switching to Protection Mode.

7. In the Lock Settings pane, specify whether to lock the settings of this
policy.

Enable this option if you do not want end users of the Client to be able to
change the settings of this policy.

Note: If an end user has a valid reason to change these settings, you must
change the policy in the Management Console and redeploy it; locked settings
cannot be changed on the endpoint.

8. In the Default Policy pane, specify whether to enable or disable the Would
you like to make this policy the default for this policy type option.

Enable this option to use the policy you are creating or editing as the default
policy for this policy type. The default policies are automatically applied
when a new Client is installed on an endpoint.
9. Click Next to continue creating the policy.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.


Configure Firewall Policy Rule Sets

When creating any Proactive Protection policy, you must select the Rule Sets
that contain the rules applied by that policy. You can use predefined Rule Sets or
create your own rules and Rule Sets using the Advanced Configuration option.
The Firewall Policies control which applications have Internet access and the
websites applications can visit.

To configure the Rule Sets used by this Firewall policy

1. Open the Rule Sets page by either clicking Next on the General Policy
Settings page of the Firewall Policy, or by clicking the Rule Sets link in the
Steps to Create Policy pane.
2. In the Select Baseline Rule Sets pane, select the baseline Rule Set used for
this Firewall policy.

You must select Rule Sets for the following categories:


Baseline Firewall Rule Set
Specify the Rule Set that forms the baseline for this Firewall policy. The
baseline rule forms the foundation of your Firewall policy.
Firewall Zone Rule Set
Select the Firewall Zone Rule Set. These rules determine how a network
interface is identified and the zone in which it is placed.

3. In the Select Add-On Firewall Rule Sets pane, specify any additional Rule
Sets you want applied with this policy.

Use the double arrows to move Add-on Rule Sets between the available Rule
Set list and the selected Rule Set list.
4. Click Next to continue creating the Firewall policy.
The User-Specific Add-on Rule Sets page opens.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.


Configure Firewall Policy User-Specific Add-on Rule Sets

When creating a Firewall policy, you can add Rule Sets that only apply to a
specific set of users as you create the policy. Rules specified on the Firewall
Policy Rule Sets page are applied to all users, but the rules specified on the
User-Specific Add-on Rule Sets page are applied to only the users in the selected
user list.

To configure the user-specific add-on Rule Sets

1. Open the User-Specific Add-on Rule Sets page by either clicking Next on the
Rule Sets page of the Firewall Policy, or by clicking the User-Specific Add-on
Rule Sets link in the Steps to Create Policy pane.
2. In the Manage User Lists pane, select a user list.
User lists identify the users to which add-on Rule Sets apply.

Alternatively, you can click New User List to create a new user list or click
Delete User List to remove a user list from the pane.

3. In the Define User List pane, select the user type in the User Type field, enter
a name, and click Add to specify the users.
Alternatively, you can perform the following:
■ To modify an existing user, select the user and click Modify. Once you
have made the necessary changes, click Update.

■ To remove a user, select the user and click Remove.

4. In the Define User List pane, specify any additional rule sets you want
applied with this user list.
Use the double arrows to move add-on Rule Sets between the available Rule
Set list and the selected Rule Set list.

5. Click Next to continue creating the Firewall policy.


The Policy Options page opens.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.


Configure Policy Options for Firewall Policies

The Policy Options of a Firewall policy let you specify options that control your
firewall policy, including stealth settings and port scan detection. You can also
set the audit level for Port Scan access, to define when an event is sent to the
event server.

To configure the policy options


1. Open the Policy Options page by either clicking Next on the User-Specific
Add-on Rule Sets page of the Firewall Policy, or by clicking the Policy Options
link in the Steps to Create Policy pane.
2. Specify whether to enable Port Scan Detection.

3. If you enabled Port Scan Detection, specify the following:

Detect port scan if more than X ports are accessed in Y seconds

Specify the number of ports (X) and the time window in seconds (Y). Once a
remote host has accessed more than X ports within Y seconds, the TD System
treats any further port access attempts from that host as a port scan.

Port Scan Access Audit Level

The audit level defines when an event is sent to the event server. A high
setting sends the event immediately, whereas the low and medium settings
send events based on the triggers defined in the event policy. To ignore
events, set the audit level to Ignore.

Specify the audit level for port scan accesses.

4. Specify the audit level for invalid network packets in the Audit Invalid
Network Packets pane, and the audit level for the Firewall Engine in the Audit
Firewall Engine Status pane.

5. In the Stealth Setting pane, set the audit level for the stealth settings,
and enable either of the following options:

Enable Internal Network Zone Stealth

Enable this option to apply stealth mode to internal network zones.

Enable Dangerous Network Zone Stealth

Enable this option to apply stealth mode to the dangerous network zone.
6. Click Next to continue creating the Firewall policy.

The Review Rule Order page opens.


Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
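
The "more than X ports in Y seconds" rule above is a sliding-window count of distinct ports per remote host. The following Python implements that logic over a constructed connection log. It is an added example, not the product's detection code; the sample addresses, port numbers and the `detect_port_scans` function are assumptions made for the illustration.

```python
"""Sliding-window port scan detector: report a remote host when it has
accessed more than max_ports distinct local ports within window_seconds.
Added example; not the product's implementation."""
from collections import defaultdict, deque

# Constructed connection log: (timestamp_seconds, remote_ip, local_port).
# 10.0.0.5 is a normal client alternating between two ports for a minute;
# 10.0.0.99 probes twenty ports in two seconds.
SAMPLE_EVENTS = (
    [(t, "10.0.0.5", 443) for t in range(0, 60, 5)]
    + [(t, "10.0.0.5", 80) for t in range(2, 60, 5)]
    + [(100.0 + i * 0.1, "10.0.0.99", i) for i in range(1, 21)]
)


def detect_port_scans(events, max_ports, window_seconds):
    """Return [(timestamp, remote_ip, distinct_ports)] for each host at the
    moment it exceeds max_ports distinct ports inside a window_seconds
    window. Repeated hits on one port count once, and a host is reported
    once per burst rather than once per additional port."""
    history = defaultdict(deque)   # remote_ip -> deque of (ts, port)
    in_alert = set()               # hosts currently over the threshold
    alerts = []
    for ts, src, port in sorted(events):
        window = history[src]
        window.append((ts, port))
        while ts - window[0][0] > window_seconds:   # drop expired entries
            window.popleft()
        distinct = len({p for _, p in window})
        if distinct > max_ports:
            if src not in in_alert:
                alerts.append((ts, src, distinct))
                in_alert.add(src)
        else:
            in_alert.discard(src)
    return alerts
```

Tuning note: with a threshold of 10 ports in 5 seconds the probing host is reported as soon as it reaches its eleventh distinct port, while the normal client never exceeds two distinct ports. Shrinking the window to half a second lets the same 20-port probe through, because it never holds more than six distinct ports in any half second. Short windows miss slow scans, and a low threshold with a long window flags busy legitimate clients; the audit level for port scan events then decides how much of that noise reaches the event server.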


Review Firewall Policy Rule Order

After adding all the Rule Sets and specifying the policy options for a Firewall
policy, you should review the rule order.

Rule order matters: rules are evaluated from top to bottom, so a broad rule
placed above a more specific one can prevent the specific rule from ever
applying. Reviewing the rule order also lets you make sure that you have
included only the rules you want in the policy. Once you have reviewed the
rules, you can save and deploy the policy.

To review the Firewall policy rule order

1. Open the Review Rule Order page by either clicking Next on the Policy
Options page of the Firewall Policy, or by clicking the Review Rule Order link
in the Steps to Create Policy pane.

2. Select a User list to display the rules that apply to that list.
Rules are listed in order, from top to bottom.

The Rule list displays the following information:

#
The order number for the rule.
Rule Name

The name of the specific rule.


Description
The description provided for this specific rule.

By enabling Show Details, the Rule list displays the following additional
information:
Access

Whether the rule is designed to prevent access or allow access.


Audit
The audit level of the rule.

Application
Applications to which the rule applies.

Transport
The transport protocols that apply to the rule.

Direction

Whether the rule applies to inbound traffic, outbound traffic, or both.

Remote IP
Any remote IP address to which the rule applies.


Routed Rule
Whether the rule applies to IP addresses that have been routed to a
different address.

Local IP
Any local IP address to which the rule applies.

Zone
The zone to which the rule applies.
Time Frame

Any time frame for the rule, if applicable.


3. Click Save to save your changes and return to the Global Policy Definitions
page.

Alternatively, click Back to return to the previous page, click Discard to
remove any changes you made, or click Close to close the policy.
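
The shadowing problem that the Review Rule Order page is meant to catch, shown as an added Python example (not CA code). It assumes first-match evaluation, that is, the first rule whose fields match the connection decides, with an implicit deny when nothing matches, and uses the rule fields from the Rule list display (Access, Application, Transport, Direction, Remote IP). The rule names, process name and networks are constructed for the example.

```python
"""First-match firewall rule evaluation plus a check for rules that an
earlier, broader rule makes unreachable. Added example; the product's
actual matching semantics are not stated on this page."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    access: str       # "allow" or "deny"
    application: str  # process name, or "*" for any application
    transport: str    # "tcp", "udp", or "*"
    direction: str    # "in", "out", or "both"
    remote_ip: str    # CIDR network, or "*" for any address


def _matches(rule, app, transport, direction, addr):
    return (rule.application in ("*", app)
            and rule.transport in ("*", transport)
            and rule.direction in ("both", direction)
            and (rule.remote_ip == "*" or addr in ip_network(rule.remote_ip)))


def evaluate(rules, app, transport, direction, remote_ip, default="deny"):
    """Walk the ordered rule list; the first matching rule decides.
    Returns (access, rule_name); the implicit default applies if none match."""
    addr = ip_address(remote_ip)
    for rule in rules:
        if _matches(rule, app, transport, direction, addr):
            return rule.access, rule.name
    return default, "implicit default"


def _covers(earlier, later):
    """True if every connection `later` could match is already matched by
    `earlier` (field-wise superset), so `later` can never be reached."""
    def field_covers(a, b):
        return a == "*" or a == b
    if later.remote_ip == "*":
        net_covers = earlier.remote_ip == "*"
    else:
        net_covers = (earlier.remote_ip == "*"
                      or ip_network(earlier.remote_ip).supernet_of(
                          ip_network(later.remote_ip)))
    return (field_covers(earlier.application, later.application)
            and field_covers(earlier.transport, later.transport)
            and earlier.direction in ("both", later.direction)
            and net_covers)


def find_shadowed(rules):
    """Names of rules that can never fire because a rule above them covers
    everything they would match."""
    return [later.name for i, later in enumerate(rules)
            if any(_covers(earlier, later) for earlier in rules[:i])]


# Constructed rules: a broad allow for the browser and a narrow deny for one
# remote network. Only the ordering differs between the two lists.
ALLOW_BROWSER = Rule("allow-browser", "allow", "browser.exe", "tcp", "out", "*")
BLOCK_BAD_NET = Rule("block-bad-net", "deny", "browser.exe", "tcp", "out",
                     "203.0.113.0/24")
WRONG_ORDER = [ALLOW_BROWSER, BLOCK_BAD_NET]   # the deny is negated
RIGHT_ORDER = [BLOCK_BAD_NET, ALLOW_BROWSER]   # specific deny evaluated first
```

In `WRONG_ORDER` the broad allow for browser.exe sits above the deny for 203.0.113.0/24, so a connection to 203.0.113.7 is allowed and the deny can never fire; `find_shadowed` reports it. Swapping the two rules gives `RIGHT_ORDER`, where the specific deny is evaluated first and everything else still falls through to the allow. The same field-wise comparison is a useful way to read the Review Rule Order page: a rule is only effective if no rule above it matches everything that it matches.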

Create Application Control Policies

Application Control Policies control which applications are enrolled in the known
application groups. These policies also control which applications are allowed to
spawn other applications and identify the applications for which an integrity
check is needed. You can also use these policies to specify the action to take if an
integrity check fails.

Unlike Firewall and OS Security policies, where the order of rules can determine
the successful application of a policy, rule order is not important in Application
Control policies, so you need not review it once you have created the policy.

To create an Application Control Policy

1. Configure the Name and General Settings. (see page 287)


These settings include naming and describing the policy, locking the policy
settings, and indicating whether this is the default policy.

2. Configure the Rule Sets. (see page 288)

These options let you specify the Application Control Rule Sets in use by this
policy.

3. Configure the Policy Options. (see page 289)


These options let you set Application Controls such as whether the user can
start unknown applications, or whether the Client checks to see whether an
application is in the Known Application Database.

More information:

Manage Policies (see page 222)


Configure Application Control Policy Name and General Settings

Use the General Policy Settings to specify the name and description for the
policy. You can also lock the policy to prevent changes on the Client and specify
whether it is the default policy, installed on all Clients at installation.

To configure the Name and General Settings

1. Click Policies in the Maintain pane.


The Policy menu expands.

2. Click the policy category containing the policy you want to create.
The policy category opens, containing the list of policies.

3. Click the policy to create.

The Global Policy Definition window for that specific policy opens, displaying
a list of available policies.

4. Click New.

The Name and General Settings page for the policy opens.

5. In the Policy Description pane, enter the following information:


Name

Provide a unique name for the policy. Names are limited to 128
characters in length.

Description

Provide a unique description for the policy. Descriptions should help
explain the nature or use of the policy. Descriptions are limited to 128
characters in length.

6. In the Policy Mode pane, select one of the following options:

Protection Mode
Select this option to enforce all aspects of the policy. When selected, if
you create rules that prevent certain actions, these rules are enforced.

Monitor Mode
Select this option to apply the policy with all rules enforced as defined
except those that prevent access. A rule that would prevent access is
treated as allowing access, but events are still generated so that the
access can be monitored. This mode lets you validate a new rule set
against real application activity before switching to Protection Mode.


7. In the Lock Settings pane, specify whether to lock the settings of this
policy so that end users cannot change them.
Enable this option if you do not want end users of the Client to be able to
change the settings of this policy.
Note: If an end user has a valid reason to change these settings, you must
change the policy in the Management Console and redeploy it; locked settings
cannot be changed on the endpoint.

8. In the Default Policy pane, specify whether to enable the Would you like to
make this policy the default for this policy type option to indicate that this is
the default policy for this policy type.

Default policies are automatically applied when a new Client is installed on
an endpoint.

9. Click Next to continue creating the policy.


Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

Configure Application Control Policy Rule Sets

When creating any Proactive Protection policy, you must select the Rule Sets,
containing the rules applied by that policy. You can use predefined Rule Sets, or
create your own rules and Rule Sets using the Advanced Configuration option.
The Application Control Policies control which applications can be installed and
run on the endpoint.

To configure the Rule Sets used by this Application Control policy

1. Open the Rule Sets page by either clicking Next on the General Policy
Settings page of the Application Control Policy, or by clicking the Rule Sets
link in the Steps to Create Policy pane.

2. In the Select Baseline Rule Sets pane, select the baseline Rule Set used for
this Application Control policy. You must select Rule Sets for the following
categories:
Known Applications Use Rule Set

Specify the Rule Set to use to govern the known applications on the
endpoint.
Integrity Check Rule Set

Specify the Rule Set used to control integrity checks on the endpoint.
This Rule Set is optional; you must enable it to use integrity checking.

Application Spawning Rule Set


Select the Rule Set to use to determine the applications that are allowed
to spawn.

288 Administration Guide


Policies

3. In the Select Add-On Application Spawning Rule Sets pane, specify any
additional rule sets you want applied with this policy.

Use the double arrows to move Rule Sets between the available Rule Set list
and the selected Rule Set list.
4. Click Next to continue creating the Application Control policy.

The User-Specific Add-on Rule Sets page opens.


Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

Configure Policy Options for Application Control Policies

The Policy Options of an Application Control policy let you specify whether to use
the known application database and identify the audit levels for the Application
Control policy. The audit level defines when an event is sent to the event server.
When specifying audit levels, a high setting sends the event immediately, whereas
the low and medium settings send events based on the triggers defined in the
event policy. To ignore events, set the audit level to Ignore.

To configure the policy options

1. Open the Policy Options page by either clicking Next on the User-Specific
Add-on Rule Sets page of the Application Control Policy, or by clicking the
Policy Options link in the Steps to Create Policy pane.

2. Enable the Use Known Applications Database option to specify that the
Known Application Use Rules use this database to enroll applications in one
of the application groups as per the rule.

You must ensure that all applications used by your endpoints are properly
enrolled or you could encounter issues.

3. In the Action and Audits Levels pane, set the following options:

Missing Application Signatures Action

The action to take when an endpoint attempts to open an application
that is missing signatures.

Missing Application Signature Audit Level

The audit level for reporting applications missing signatures.

Known Applications Enrollment Audit Level

The audit level for attempts to enroll applications in the known
application database.

Integrity Check Module Status Audit Level

The audit level for all integrity checks.


Unknown Application Start Action

The action to take when an endpoint attempts to open an unknown
application.

Unknown System Application Start Action

The action to take when an endpoint attempts to open an unknown
system application.

Start Applications Audit Level

The audit level for recording application start-ups.

Stop Applications Audit Level

The audit level for recording all application terminations.
4. Click Save to save your changes and return to the Global Policy Definitions
page.

Alternatively, click Back to return to the previous page, click Discard to
remove any changes you made, or click Close to close the policy.

Create OS System Security Policies

The OS System Security policy controls which applications have access to the
endpoint's system files and settings. Using OS System Security policies lets you
protect COM ports, devices, hidden files and directories, and other
system-critical components.

To create an OS System Security Policy

1. Configure the Name and General Settings. (see page 291)


These settings include naming and describing the policy, locking the policy
settings, and indicating whether this is the default policy.

2. Configure the Rule Sets. (see page 292)

These options let you select the OS System Security Rule Sets that apply to
this policy.

3. Configure the User-Specific Add-on Rule Sets. (see page 293)


These options let you select OS System Security Rule Sets and have those
Rule Sets apply to only specified users.

4. Configure the Policy Options. (see page 294)


These options let you set policy specific controls for the OS System Security
policy.

5. Review the Rule Order. (see page 295)


You can review the rule applied by each Rule Set and see the order in which
the rules are applied.


More information:

Manage Policies (see page 222)

Configure OS System Security Policy Name and General Settings

Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent changes on the Client and
specify whether it is the default policy, installed on all Clients at installation.

To configure the Name and General Policy Settings

1. Click Policies in the Maintain pane.


The Policy menu expands.

2. Click the policy category containing the policy you want to create.
The policy category opens, containing the list of policies.

3. Click the policy to create.

The Global Policy Definition window for that specific policy opens, displaying
a list of available policies.

4. Click New.

The Name and General Settings page for the policy opens.

5. In the Policy Description pane, enter the following information:


Name

Provide a unique name for the policy. Names are limited to 128
characters in length.
Description

Provide a unique description for the policy. Descriptions should help
explain the nature or use of the policy. Descriptions are limited to 128
characters in length.

6. In the Policy Mode pane, select one of the following options:

Protection Mode
Select this option to enforce all aspects of the policy. When selected, if
you create rules that prevent certain actions, these rules are enforced.

Monitor Mode
Select this option to apply the policy with all rules enforced as defined
except those which prevent access. If a rule prevents access, the rule is
treated as allowing access, but events are still generated to allow
monitoring of the access.


7. In the Lock Settings pane, specify whether to enable the Lock settings when
applying this policy option to ensure that the policy is not changed by end
users.
Enable this option if you do not want end users of the Client to be able to
change the settings of this policy.
Note: If an end user has a valid reason for needing to change these settings,
you must redeploy the policy to create any changes.

8. In the Default Policy pane, specify whether to enable the Would you like to
make this policy the default for this policy type option to indicate that this is
the default policy for this policy type.

Default policies are automatically applied when a new Client is installed on
an endpoint.

9. Click Next to continue creating the policy.


Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

Configure OS System Security Policy Rule Sets

When creating any Proactive Protection policy, you must select the Rule Sets
applied by that policy. Rule sets contain multiple rules to be applied by the policy.
You can use predefined Rule Sets, or create your own rules and Rule Sets using
the Advanced Configuration option. The OS Security Policies control which
applications can impact your operating system.

To configure the Rule Sets used by this OS Security policy

1. Open the Rule Sets page by either clicking Next on the General Policy
Settings page of the OS Security Policy, or by clicking the Rule Sets link in
the Steps to Create Policy pane.

2. In the Select Baseline Rule Sets pane, select the baseline Rule Set used for
this OS Security policy. You must select Rule Sets for the following
categories:
Baseline OS Security Rule Set

Specify which Rule Set forms the baseline for this OS Security policy. The
baseline rule forms the foundation of your OS Security policy.
Baseline OS Security Guard Rule Set

Select the OS Security Guard Rule Set. The Guard rules can be used to
turn on or off OS security rules such as file access or device access rules
for a specific application or application group. The OS security rules are
applied only if the Guard rule is set to on.


3. In the Select Add-On OS Security Rule Sets pane, specify any additional rule
sets you want applied with this policy. Use the double arrows to move Rule
Sets between the available Rule Set and the selected Rule Set list.
4. Click Next to continue creating the OS Security policy.
The User-Specific Add-on Rule Sets page opens.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

Configure OS System Security Policy User-Specific Add-on Rule Sets

When creating an OS Security policy, you can add Rule Sets as you create the
policy. You can use these user-specific add-on Rule Sets to limit access to certain
applications without going through the Advanced Configuration options.

To configure the user-specific add-on Rule Sets

1. Open the User-Specific Add-on Rule Sets page by either clicking Next on the
Rule Sets page of the OS Security Policy, or by clicking the User-Specific
Add-on Rule Sets link in the Steps to Create Policy pane.

2. In the Manage User Lists pane, select a user list.


User lists dictate to which users the add-on Rule Sets apply.

■ To create new user lists, click New User List.


■ To delete a user list, select the list and click Delete User List.

3. In the Define User List pane, specify the users.

■ To specify a user, select the user type in the User Type field, enter a
name, and click Add.
■ To modify an existing user, select the user and click Modify. Once you
have made the necessary changes, click Update.

■ To remove a user, select the user and click Remove.

4. In the Define User List pane, specify any additional Rule Sets you want
applied with this user list.

Use the double arrows to move add-on Rule Sets between the available Rule
Set list and the selected Rule Set list.

5. Click Next to continue creating the OS Security policy.

The Policy Options page opens.


Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.


Configure Policy Options for OS System Security Policies

The Policy Options of an OS Security policy let you specify options that control
interactions with endpoint operating systems. You can opt to bypass user-mode
hooks or DLL code injections. You can also set the audit level for the OS security
engine. The audit level defines when an event is sent to the event server. When
specifying audit levels, a high setting sends the event immediately, whereas the
low and medium settings send events based on the triggers defined in the event
policy. To ignore events, set the audit level to Ignore.

To configure the policy options

1. Open the Policy Options page by either clicking Next on the User-Specific
Add-on Rule Sets page of the OS Security Policy, or by clicking the Policy
Options link in the Steps to Create Policy pane.

2. Set the following options:


Bypass inject code restrictions for DLL group
You can specify that one group of DLLs can bypass any inject code
restrictions in this policy.
To allow multiple groups of DLLs to bypass these restrictions, you must
either create multiple policies or create a larger DLL group using the
Advanced Configuration options.

Bypass user mode hooks for application group


You can select a group of applications that is permitted to bypass user
mode hook restrictions in this policy. You can only select one application
group.
OS Security Engine Status Audit Level

Specify the audit level for the OS Security engine. The audit level defines
when an event is sent to the event server. When specifying audit levels,
a high setting sends the event immediately, whereas the low and medium
settings send events based on the triggers defined in the event policy. To
ignore events, set the audit level to Ignore.

3. Click Next to continue creating the OS System Security policy.

The Review Rule Order page opens.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.


Review OS System Security Policy Rule Order

After adding all the Rule Sets and specifying the policy options for an OS System
Security policy, you should review the rule order. The order of the rules is
important as it is possible to negate rules if the order is incorrect. Reviewing the
rule order also lets you make sure that you have included only the rules you want
in the policy. Once you have reviewed the rules, you can save and deploy the
policy.

To review the OS System Security policy rule order

1. Open the Review Rule Order page by either clicking Next on the Policy
Options page of the OS System Security Policy, or by clicking the Review
Rule Order link in the Steps to Create Policy pane.

2. Select a Rule Type to display the rules that apply to that type.

The rules are listed in order from top to bottom.

The Rule list displays the following information:

#

The order number for the rule.

Rule Name

The name of the specific rule.

Description

The description provided for this specific rule.

By enabling Show Details, the Rule list displays the following additional
information:

Application

The application to which the rule applies.


Application Group
The application group to which the rule applies.

Protected Object
The object or object groups protected by this rule. The object listed
depends on the Rule Type selected. This column does not appear if you
select a type of System Privilege, DLL Loading, or Remote Process
Control.

Load DLL Module Group


The DLL module group allowed by this rule. This column only appears for
the DLL Loading Rule Type.


Load DLL Module


The DLL modules allowed by this rule. This column only appears for the
DLL Loading Rule Type.

Target Application Group

The application group targeted by this rule. This column only
appears for the Remote Process Control Rule Type.

Target Application
The application targeted by this rule. This column only appears for the
Remote Process Control Rule Type.

Read
Whether the rule allows read access, and whether that access is audited.
This category only applies to file and registry objects.

Create
Whether the rule allows file or registry creation access, and whether that
access is audited. This category only applies to file and registry objects.

Write
Whether the rule allows write access, and whether that access is
audited. This category only applies to file and registry objects.

Delete
Whether the rule allows deletion, and whether that access is audited.
This category only applies to file and registry objects.

In-Process Creation
Whether the rule allows COM object creation during a process, and
whether that access is audited. This category only applies to COM
objects.

Out-of-Process Creation
Whether the rule allows COM object creation outside of an existing
process, and whether that access is audited. This category only applies
to COM objects.

Remote Creation

Whether the rule allows a COM object to be remotely created, and whether
that access is audited. This category only applies to COM objects.

Open Service Status

Whether the rule allows a review of the status of an open service, and
whether that access is audited. This category only applies to service
objects.


Install Service
Whether the rule allows installation of a service, and whether that access
is audited. This category only applies to service objects.

Control Service
Whether the rule allows control of a service, and whether that access is
audited. This category only applies to service objects.

Delete Service
Whether the rule allows deletion of a service, and whether that access is
audited. This category only applies to service objects.

Query Service
Whether the rule allows queries for service information, and whether
that access is audited. This category only applies to service objects.

Start Service
Whether the rule allows a service to be started, and whether that access
is audited. This category only applies to service objects.

Stop Service
Whether the rule allows a service to be stopped, and whether that access
is audited. This category only applies to service objects.

Access Device
Whether the rule allows a device to be accessed, and whether that
access is audited. This category only applies to device objects.

Unknown Thread Code Injection


Whether the rule allows injection of unknown code, and whether that
access is audited. This category only applies to system privilege.

Acquire System Privileges


Whether the rule allows acquisition of system privileges, and whether
that access is audited. This category only applies to system privilege.

Clipboard Access
Whether the rule allows clipboard access, and whether that access is
audited. This category only applies to system privilege.

System Shutdown
Whether the rule allows shutting down the system, and whether that
access is audited. This category only applies to system privilege.

Set Object Security


Whether the rule allows setting of object security, and whether that
access is audited. This category only applies to system privilege.


Load DLL
Whether the rule allows loading of a DLL, and whether that access is
audited. This category only applies to DLL Loading.

Forced Process and Thread Termination


Whether the rule allows remote forced process and thread termination,
and whether that access is audited. This category only applies to Remote
Control Access objects.

Inject Code to Memory

Whether the rule allows remote injection of code into memory, and
whether that access is audited. This category only applies to Remote
Control Access objects.

Set Process Attributes

Whether the rule allows remote setting of process attributes, and
whether that access is audited. This category only applies to Remote
Control Access objects.

Get Process Attributes

Whether the rule allows remote retrieval of process attributes, and
whether that access is audited. This category only applies to Remote
Control Access objects.

Send Terminate Message


Whether the rule allows remote sending of a termination request, and
whether that access is audited. This category only applies to Remote
Control Access objects.

Inject DLL
Whether the rule allows remote injection of a DLL, and whether that
access is audited. This category only applies to Remote Control Access
objects.


Inject DLL to All Processes


Whether the rule allows remote injection of a DLL into all running
processes, and whether that access is audited. This category only
applies to Remote Control Access objects.
Inject UI Activity

Whether the rule allows remote injection of UI activity, and whether that
access is audited. This category only applies to Remote Control Access
objects.

Time Frame

The time frame for the rule, if applicable.


3. Click Save to save your changes and return to the Global Policy Definitions
page.

Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.

Create Intrusion Protection Policies

The Intrusion Protection policy lets you protect your network and the endpoints
from any unwanted intrusion.

To create an Intrusion Protection Policy

1. Configure the Name and General Settings. (see page 300)


These settings include naming and describing the policy, locking the policy
settings, and indicating whether this is the default policy.
2. Select the Rule Set Groups. (see page 301)

These options let you select the Intrusion Protection Rule Sets that apply to
this policy.

More information:

Manage Policies (see page 222)


Configure Intrusion Protection Policy Name and General Settings

Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.

You can also specify the policy as the new default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.

To configure the Name and General Settings


1. Click Maintain, Policies, Global Policy Definitions.

2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.

3. Click the policy you want to create.


The Global Policy Definition window for that specific policy opens and
displays a list of available policies.

4. Click New.
The Name and General Settings page for the policy opens.

5. In the Policy Description pane, enter the following information:

Name
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.

Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.

6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.

Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.


7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type

Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.

8. (Optional) If this is a partition-specific policy, the Policy Scope pane is
present. Select one of the following options:

This Policy is private to this Partition


Select this option to limit the policy to only this partition. The policy will
not appear in the list of available policies in other partitions.

Share this Policy with all Partitions


Select this option to make the policy available across all partitions.
9. Click Next to move to the next page in the policy creation process.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

Select Intrusion Protection Policy Rule Set Group

When creating any Proactive Protection policy, you must select the Rule Set
groups applied by that policy. Rule set groups contain collections of Rule Sets.
You can use predefined Rule Set groups, or create your own using the Advanced
Configuration option.

Intrusion Protection Policies prevent unwanted access to your system. When
creating an Intrusion Protection policy, you must specify the Rule Set groups
used. Additionally, you can use the Find tool to search for a Rule Set group if
you cannot easily locate the one you are looking for.

To select Rule Set groups

1. Open the Select Rule Set Group page by either clicking Next on the General
Policy Settings page of the Intrusion Protection Policy, or by clicking the
Select Rule Set Group link in the Steps to Create Policy pane.

2. In the Available Rule Set Group table, select the Rule Set group to add to this
policy.
Use the arrows to move Rule Set groups between the available Rule Set
groups list and the selected Rule Set group.

3. Click Save to save your changes and return to the Global Policy Definitions
page.

Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.


To use the Find tool


1. Click the double down arrow to open the Find tool.

2. Select to search based on one of the following options:


All Columns
Select this option to check all possible searchable columns.

Rule Set Group Name

Select this option to search in only the Rule Set Group Name column. This
column lists the names of the Rule Set groups.

Description
Select this option to search the Description column. This column lists the
descriptions for the Rule Set groups.

# of Rule Sets
Select this option to search in only the # of Rule Sets column. This
column lists the number of Rule Sets in the groups.

# of Rules
Select this option to search the Total # of Rules column. This column lists
the total number of rules in the group.

3. Enter the search string.


You can enter any number of characters and the search looks for that string
of characters. Do not use wildcards as these are treated as characters, not
wildcards.

4. Click Next to move to the next matching entry in the list. Click Prev to move
to the previous entry in the list.

The Select Rule Set Groups and Available Rule Set Groups tables contain the
following fields:

+/-
Expand or collapse the Rule Set group to display the Rule Sets in each group.
If you mouse over a Rule Set, you can see the details for that set.
Writable
Indicates whether you can edit the Rule Set group. If not checked, the Rule
Set group is read-only.
Built-In
Indicates whether the Rule Set group is built-in to the CA Total Defense
Server.


Rule Set Group Name

The name of the Rule Set group.

Rule Set Group Description

The description of the Rule Set group.

# of Rule Sets

The number of Rule Sets in the Rule Set group.

Total # of Rules

The total number of rules in the Rule Set group. This total is the sum of all
the rules in each Rule Set.

Create Vulnerability Assessment Policies

The Vulnerability Assessment policy lets you check to see if there are any
network vulnerabilities. You can specify controls such as how many login
attempts are allowed before a user is locked out, the minimum password length,
local shared directory restrictions, and other features that let you protect your
network.

To create a Vulnerability Assessment Policy

1. Configure the Name and General Settings. (see page 304)


These settings include naming and describing the policy, locking the policy
settings, and indicating whether this is the default policy.
2. Configure the Scan Schedule. (see page 305)

These options let you schedule when the vulnerability assessment scan
occurs.

3. Configure the Account and Password Settings. (see page 306)

These options let you specify what you consider to be vulnerable passwords
or user settings.
4. Configure the Local Share Settings. (see page 308)

These options let you check on local shared drives, letting you prevent
network vulnerabilities associated with open shares.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)


Configure Vulnerability Assessment Policy Name and General Settings

Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.

You can also specify the policy as the new default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.

To configure the Name and General Settings


1. Click Maintain, Policies, Global Policy Definitions.

2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.

3. Click the policy you want to create.


The Global Policy Definition window for that specific policy opens and
displays a list of available policies.

4. Click New.
The Name and General Settings page for the policy opens.

5. In the Policy Description pane, enter the following information:

Name
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.

Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.

6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.

Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.


7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type

Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.

8. (Optional) If this is a partition-specific policy, the Policy Scope pane is
present. Select one of the following options:

This Policy is private to this Partition


Select this option to limit the policy to only this partition. The policy will
not appear in the list of available policies in other partitions.

Share this Policy with all Partitions


Select this option to make the policy available across all partitions.
9. Click Next to move to the next page in the policy creation process.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure Vulnerability Assessment Policy Scan Schedule

When creating a Vulnerability Assessment policy, you must specify when the
vulnerability assessment scan takes place. You can set the scan to recur as
often as needed; it is recommended that you run the scan at least once a
month. You can also create a one-time scan to run the scan only once, or to
run it before the next scheduled scan is due.

To configure the scan schedule

1. Open the Scan Schedule page by either clicking Next on the General Policy
Settings page of the Vulnerability Assessment policy, or by clicking the Scan
Schedule link in the Steps to Create Policy pane.

2. In the Schedule pane, select a frequency for the scan.


You can choose Once if you do not want the scan to reoccur on a regular
basis.


3. In the Schedule pane, specify when the scan should start.


You must specify a date and time for the scan.

4. Click Next to continue creating the Vulnerability Assessment policy.


The Account and Password Settings page opens.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)


View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure Vulnerability Assessment Policy Account and Password Settings

The Account and Password settings of a Vulnerability Assessment policy let you
view information on how accounts and passwords are maintained on your
network. You can see information on all the passwords that are under or over a
specified length, how long since a password was last updated, and more. You can
also specify the account lockout settings.

To configure the account and password settings

1. Open the Account and Password Settings page by either clicking Next on the
Scan Schedule page of the Vulnerability Assessment Policy, or by clicking the
Account and Password Settings link in the Steps to Create Policy pane.
2. In the Account and Password Settings pane, you can enable the following
settings:

Disabled Accounts
Allow the Management Console to review all disabled accounts.
Locked Accounts

Allow the Management Console to review all locked accounts.

Users with expired passwords


Allow the Management Console to review all expired accounts.

Users with no password required


Review all accounts that do not have password requirements.

Users with non-changeable passwords

Review all user accounts with passwords that cannot be changed.

Users with non-expiring passwords


Review all user accounts with passwords that cannot expire over time.


Maximum password age over
Report all passwords older than the number of days you specify. You
must configure the number of days.

Minimum password age under
Report all passwords newer than the number of days you specify. You
must configure the number of days.

Minimum password length under
Report all passwords that contain fewer than the number of characters
you specify. You must specify the minimum password length.

Minimum password history less than
Report all passwords whose history is shorter than the number of past
passwords you specify. You must specify the number of past passwords.
Each time a password is changed, it counts as one entry in the password
history.

Force logoff more than
Report all users logged off due to inactivity for longer than the time
specified. You must specify a number of minutes.

3. In the Account Lockout Settings pane, you can enable the following options:

User Lockout more than
The number of invalid login attempts allowed before the account is
locked out of the system and reported. You must specify the number of
attempts permitted.

Lockout Duration less than
The length of time users are locked out. You must specify the duration.

Lockout reset wait time less than
The duration a user must wait before being able to be manually removed
from lockout. You must specify the length of time.

4. Click Next to continue creating the Vulnerability Assessment policy.

The Local Share Settings page opens.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)
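Every setting on the Account and Password Settings page is a comparison of an account or domain attribute against a threshold you enter. The following Python is an added example, not CA Total Defense code: it models those thresholds and reports the same finding categories over a constructed set of accounts and domain settings. The Account, DomainSettings and AccountPolicy classes, their field names, and the sample values are all assumptions made for the example; the scanner's real data model is not documented here. One choice the example makes beyond the page: a domain lockout threshold of 0 (accounts never lock) is reported under "User Lockout more than", since it is weaker than any finite threshold.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    """One scanned account (constructed field names, not the product's schema)."""
    name: str
    disabled: bool = False
    locked: bool = False
    password_expired: bool = False
    password_not_required: bool = False
    cannot_change_password: bool = False
    password_never_expires: bool = False
    password_age_days: int = 0
    password_length: int = 0  # length as reported by the scanned system


@dataclass
class DomainSettings:
    """Domain-wide settings the lockout and history checks compare against."""
    password_history_length: int   # past passwords remembered
    force_logoff_minutes: int      # idle time before forced logoff
    lockout_threshold: int         # invalid attempts before lockout; 0 = never
    lockout_duration_minutes: int
    lockout_reset_minutes: int


@dataclass
class AccountPolicy:
    """Thresholds mirroring the page's settings; None disables that check."""
    max_password_age_over: Optional[int] = 90
    min_password_age_under: Optional[int] = 1
    min_password_length_under: Optional[int] = 8
    min_password_history_less_than: Optional[int] = 12
    force_logoff_more_than: Optional[int] = 30     # minutes
    user_lockout_more_than: Optional[int] = 5      # attempts
    lockout_duration_less_than: Optional[int] = 30 # minutes
    lockout_reset_wait_less_than: Optional[int] = 30  # minutes


def audit_accounts(accounts: List[Account], policy: AccountPolicy) -> Dict[str, List[str]]:
    """Return {finding name: [account names]} for the per-account checks."""
    findings: Dict[str, List[str]] = {}

    def report(key: str, acct: Account) -> None:
        findings.setdefault(key, []).append(acct.name)

    p = policy
    for a in accounts:
        flag_checks = [
            ("Disabled Accounts", a.disabled),
            ("Locked Accounts", a.locked),
            ("Users with expired passwords", a.password_expired),
            ("Users with no password required", a.password_not_required),
            ("Users with non-changeable passwords", a.cannot_change_password),
            ("Users with non-expiring passwords", a.password_never_expires),
        ]
        for key, hit in flag_checks:
            if hit:
                report(key, a)
        if p.max_password_age_over is not None and a.password_age_days > p.max_password_age_over:
            report("Maximum password age over", a)
        if p.min_password_age_under is not None and a.password_age_days < p.min_password_age_under:
            report("Minimum password age under", a)
        if p.min_password_length_under is not None and a.password_length < p.min_password_length_under:
            report("Minimum password length under", a)
    return findings


def audit_domain(settings: DomainSettings, policy: AccountPolicy) -> List[str]:
    """Return the domain-wide findings (history, forced logoff, lockout settings)."""
    p, s, out = policy, settings, []
    if p.min_password_history_less_than is not None and s.password_history_length < p.min_password_history_less_than:
        out.append("Minimum password history less than")
    if p.force_logoff_more_than is not None and s.force_logoff_minutes > p.force_logoff_more_than:
        out.append("Force logoff more than")
    # Example's choice: a threshold of 0 means accounts never lock, which is weaker than any limit.
    if p.user_lockout_more_than is not None and (s.lockout_threshold == 0 or s.lockout_threshold > p.user_lockout_more_than):
        out.append("User Lockout more than")
    if p.lockout_duration_less_than is not None and s.lockout_duration_minutes < p.lockout_duration_less_than:
        out.append("Lockout Duration less than")
    if p.lockout_reset_wait_less_than is not None and s.lockout_reset_minutes < p.lockout_reset_wait_less_than:
        out.append("Lockout reset wait time less than")
    return out


# Constructed sample data; not output from a real scan.
SAMPLE_ACCOUNTS = [
    Account("alice", password_age_days=120, password_length=14),
    Account("svc_backup", password_never_expires=True, password_age_days=400, password_length=6),
    Account("guest", disabled=True, password_not_required=True, password_age_days=0, password_length=0),
    Account("bob", locked=True, password_expired=True, password_age_days=30, password_length=10),
]
SAMPLE_DOMAIN = DomainSettings(password_history_length=5, force_logoff_minutes=60,
                               lockout_threshold=0, lockout_duration_minutes=15,
                               lockout_reset_minutes=15)

if __name__ == "__main__":
    for finding, names in audit_accounts(SAMPLE_ACCOUNTS, AccountPolicy()).items():
        print(f"{finding}: {', '.join(names)}")
    for finding in audit_domain(SAMPLE_DOMAIN, AccountPolicy()):
        print(finding)
```

Each finding category maps one-to-one onto a setting name from the page, so a report produced this way reads the same as the console's; setting a threshold to None is the equivalent of leaving that check box cleared.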


Configure Vulnerability Assessment Policy Local Share Settings

When performing the vulnerability assessment, you can have the Management
Console report on the open shared network drives in your network domain. You
can set the options for checking these shares on the Local Share Settings page of
the Vulnerability Assessment Policy.

To configure the local share settings

1. Open the Local Share Settings page by either clicking Next on the Account
and Password Settings page of the Vulnerability Assessment Policy, or by
clicking the Local Share Settings link in the Steps to Create Policy pane.

2. In the Share Settings pane, you can enable the following options:

Report open shares
The Management Console reports all open shares on your network.

Report shares with unlimited connections
The Management Console reports all open shares on your network that
allow unlimited connections to the share.

Report writable shares
The Management Console reports all open shares on your network that
allow outside write access to the shared drive.

3. Click Save to save your changes and return to the Global Policy Definitions
page.

Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)


Manage Proactive Protection Advanced Configuration

This section describes the Advanced Configuration, found under the Proactive
Protection policies. These configurations are similar to the Building Blocks used
to create policies in the HIPS r8.0 and 8.1 releases. The CA Total Defense product
includes some built-in Proactive Protection policy components, which you can
customize to your needs. You can also create your own components if you find
the built-in components do not cover the areas you need to protect. Components
include definitions, rules, Rule Sets, and Rule Set groups.

Definitions are the basic building blocks, and can be as simple as a defined time
frame when a rule applies or a range of IP addresses that a rule allows or blocks.
Definitions are specific and are not combined into groups or sets. You can,
however, have multiple definitions of the same type. For example, to have some
rules that apply during business hours and other rules that apply after business
hours, you could have two Timeframe definitions, one defining business hours
and one defining non-business hours. Definitions can also be used across all
Proactive Protection Policies. You would only need to create one Timeframe
definition for business hours if those same hours applied to both Firewall and
OS Security policies.

Rules govern the specific behavior that is either allowed or prevented. Rules are
specific to the type of policy you are creating. A Firewall rule could not be used to
build an Intrusion Protection policy, as the specifics of the rule do not apply.

Rule Sets are simply collections of rules. You can use Rule Sets to group specific
rules together, allowing you to organize your rules as you need. For example,
you could have a Rule Set that applies only to outbound traffic on laptops and
another Rule Set that applies to inbound traffic on laptops.

Rule Set groups are collections of Rule Sets. For example, you could have a Rule
Set group that covers all Rule Sets that apply to laptop machines and one Rule
Set group that applies to all desktop machines.


You can access Advanced Configuration pages from either the Global Policy
Definitions or the Policies and Partitions menus.

Note: If you access an Advanced Configuration page from the Global Policies
area, the components you create are Global Policy Components. If you access an
Advanced Configuration page from a specific partition area, you create Partition
Specific Policy Components.

To access Advanced Configuration pages from Global Policy Definitions

1. Click Policies in the Maintain pane.

The Policy menu expands.

2. Select Global Policy Definitions, expand Proactive Protection, and click a
Proactive Protection policy type.

The Global Policy Definitions page for that policy type opens.

3. Click Advanced Configuration and select Built-in Policy Components or All
Advanced Policy Components from the drop-down menu.

To access Advanced Configuration pages from the Policies and Partitions
menus

1. Click Policies in the Maintain pane.

The Policy menu expands.

2. Click Policies and Partitions.

The Partition Assignment Tree opens, displaying a list of defined partitions.

3. Select a Partition branch or subdivision.

You must select a partition, even if it is the Managed Endpoints root branch.

4. Click the Proactive Protection Policy Category.

5. Select the policy whose Advanced Configuration you want to access and click
Manage Policies.

The Policy Assignment Tree window opens for that specific policy type of that
partition or branch.

6. Click Advanced Configuration and select Built-in Policy Components or All
Advanced Policy Components from the drop-down menu.


Understanding Built-in Policy Components

Built-in Policy Components apply to Firewall, Application Control, and OS
Security Advanced Configurations. Built-in Policy Components let you customize
the components used to build Proactive Protection policies without having to
create each component from rules and definitions.

Built-in Components vary, depending on the type of Proactive Protection policy.
Intrusion Protection Advanced Configuration does not include Built-in Policy
Components. These Built-in Policy Components are used in the built-in policies
supplied with the Management Console.

Note: If you access an Advanced Configuration page from the Global Policies
area, the components you create are Global Policy Components. If you access an
Advanced Configuration page from a specific partition area, you create Partition
Specific Policy Components.

Built-in Policy Components for the Firewall include:

Applications with Internet Access
The applications that are allowed to access the Internet.

Applications Accepting Network Connections
The applications that can accept connections over the network.

Internal Network Definition
The IP addresses of your intranet.

Open System Ports
Ports that are open and accessible on your network.

Custom Firewall Rules
Custom firewall rules for your particular network needs.

Firewall Zone Assignment
The zones in which each network adapter is placed.

Monitoring of Port Listening
How your CA Total Defense product monitors port listening attempts.


Built-in Policy Components for Application Control include:

Application White List
The CA Total Defense White list, a list of the applications allowed to run on
your network. You can enroll applications to this list.

Application Black List
The CA Total Defense Black list, a list of the applications not permitted to run
on your network. You can enroll applications to this list.

Installations List
The CA Total Defense Installations list, a list of the applications allowed to act
as installers for other applications. You can enroll applications to this list.

Built-in Policy Components for OS Security include:

Access Controls
Access permissions for system devices and drives.

Hidden Directories for Restricted Applications
Directories to be hidden from restricted applications.

Read-only Directories for Restricted Applications
Directories that are read-only for restricted applications.

Hidden Directories for Users
Directories to be hidden from endpoint users.

Read-only Directories for Users
Directories in which endpoint users have only read-only access.

Hidden Registry Keys for Users
Registry keys to be hidden from endpoint users.

Hidden Custom Registry Keys for Restricted Applications
Registry keys to be hidden from restricted applications.

Read-only Custom Registry Keys for Restricted Applications
Registry keys that are read-only for restricted applications.

Read-only Registry Keys for Users
Registry keys to which endpoint users have only read-only access.

Protected Custom Services for Restricted Applications
Services to be protected from restricted applications. A protected service
cannot be modified by a restricted application.


Protected Services for Users
Services to be protected from endpoint users. A protected service cannot be
modified by an endpoint user.

Protected Custom COM Objects for Restricted Applications
Custom COM objects to be protected from restricted applications.

Protected COM Objects for Users
Custom COM objects to be protected from endpoint users.

Set Firewall Advanced Configuration Options

This section describes the process of setting the Firewall Advanced Configuration
options. The Built-in Policy Components for the Firewall include:

Applications with Internet Access
The applications that are allowed to access the Internet.

Applications Accepting Network Connections
The applications that can accept connections over the network.

Internal Network Definition
The IP addresses of your intranet.

Open System Ports
Ports that are open and accessible on your network.

Custom Firewall Rules
Custom firewall rules for your particular network needs.

Firewall Zone Assignment
How your network treats the security zones defined on the Internet.

Monitoring of Port Listening
How the CA Total Defense product monitors port listening attempts.

The other Advanced Configuration options accessible from the Firewall policies
include Firewall Rules and Rule Sets, Firewall Zone Rules and Rule Sets, and the
basic definitions used by the Firewall policies. These definitions include
Transport, IP Address, and Time Frame definitions.


Configure Applications Accepting Network Connections

Applications accepting network connections are those that you would expect
others to access over your network. An example could be a timesheet application
or other service that resides on a server and is accessed remotely. You must
include these applications in the Applications Accepting Network Connections
list.

This application group is used in a built-in firewall rule which allows Internet
access to the applications enrolled in this group. This built-in rule is used in a
built-in policy. If you are using this built-in policy, you can manage the
applications accepting network connections from this page.

This page includes a Find function. You can use this function to help you find
specific applications. When using this function, specify the name or characters to
find, then use the Next and Prev buttons to move to the next or previous
matching entry.

Do not use wildcards, as this is a character-matching search and looks for those
specific characters when searching.

To use the Find function

1. Click the double down arrow to open Find.

2. Specify one of the following to indicate the type of search:

Definition
Search the Definition field. The definition is typically the filename of the
application only.

Filename
Search the Filename field. The filename field typically includes both the
path and the application filename.

Description
Search the Description field.

3. Enter the search string.

You can enter any number of characters and the search looks for that string
of characters. Do not use wildcards, as these are treated as literal characters,
not wildcards.

The search returns any results matching your criteria.

4. Click Next to move to the next matching entry in the list. Click Prev to move
to the previous entry in the list.


This page includes the following buttons:

New
Clicking this button opens a drop-down menu with two options, Enroll New
Application and Enroll New Application Subgroup. Enrolling a new application
lets you add the application to one of the various application lists. Enrolling
new application subgroups lets you create ways to organize your
applications to help you better manage your work. More information on the
enrollment process is covered in other sections.

Edit
Select a group or application and click this button to edit that object. Editing
is the same as creating a new object; you are just changing the existing
values.

Delete
Select a group or application and click this button to remove that group or
application from the list.

Enroll Unknown Application
Click this button to enroll an unknown application. Unknown applications are
those applications which are found on the client and which are not enrolled
yet. If a user tries to run such an application, an event is sent to the event
server. The event server filters those unknown applications and makes them
available on the server. You can then enroll these applications so that they
become known on the client.

Enroll Multiple Applications
Click this button to enroll groups of applications all identified in the same
manner at one time. For example, if you are adding a list of applications
based on file names, use this option to enroll all the applications at one time
instead of enrolling each application as a new one.

This page includes the following tables:

Application Group
This table lists the available application groups. The top group can contain
subgroups of applications.

Member Application Groups
This table lists the definition, file name, and description of the applications
enrolled in the selected group.

More information:

Enroll New Applications (see page 458)
Enroll New Application Subgroup (see page 469)
Enroll Unknown Applications (see page 471)
Enroll Multiple Applications (see page 475)


Configure Applications with Internet Access

You must include all applications to which you want to give Internet access on
the Applications with Internet Access list. By default, certain instant messenger
service applications and web browser applications are pre-populated in this list.
Still, you can add or remove some of these applications, as necessary. You can
also add other software that requires activation or licensing transfers across the
Internet. This page lets you enroll or remove applications from the Applications
with Internet Access list.

This application group is used in a built-in firewall rule which allows Internet
access to the applications enrolled in this group. This built-in rule is used in a
built-in policy. If you are using this built-in policy, you can manage the
applications having Internet access from this page.

This page includes a Find function. You can use this function to help you find
specific applications. When using this function, specify the name or characters to
find, then use the Next and Prev buttons to move to the next or previous
matching entry.

Do not use wildcards, as this is a character-matching search and looks for those
specific characters when searching.

To use the Find function

1. Click the double down arrow to open Find.

2. Specify one of the following to indicate the type of search:

Definition
Search the Definition field. The definition is typically the filename of the
application only.

Filename
Search the Filename field. The filename field typically includes both the
path and the application filename.

Description
Search the Description field.

3. Enter the search string.

You can enter any number of characters and the search looks for that string
of characters. Do not use wildcards, as these are treated as literal characters,
not wildcards.

The search returns any results matching your criteria.

4. Click Next to move to the next matching entry in the list. Click Prev to move
to the previous entry in the list.


This page includes the following buttons:

New
Clicking this button opens a drop-down menu with two options, Enroll New
Application and Enroll New Application Subgroup. Enrolling a new application
lets you add the application to one of the various application lists. Enrolling
new application subgroups lets you create ways to organize your
applications to help you better manage your work. More information on the
enrollment process is covered in other sections.

Edit
Select a group or application and click this button to edit that object. Editing
is the same as creating a new object; you are just changing the existing
values.

Delete
Select a group or application and click this button to remove that group or
application from the list.

Enroll Unknown Application
Click this button to enroll an unknown application. Unknown applications are
those applications which are found on the client and which are not enrolled
yet. If a user tries to run such an application, an event is sent to the event
server. The event server filters those unknown applications and makes them
available on the server. You can then enroll these applications so that they
become known on the client.

Enroll Multiple Applications
Click this button to enroll groups of applications all identified in the same
manner at one time. For example, if you are adding a list of applications
based on file names, use this option to enroll all the applications at one time
instead of enrolling each application as a new one.

This page includes the following tables:

Application Group
This table lists the available application groups. The top group can contain
subgroups of applications.

Member Application Groups
This table lists the definition, file name, and description of the applications
enrolled in the selected group.

More information:

Enroll New Applications (see page 458)
Enroll New Application Subgroup (see page 469)
Enroll Unknown Applications (see page 471)
Enroll Multiple Applications (see page 475)


Configure the Internal Network Definition

The built-in Internal Network Definition page lets you define the intranet IP
addresses for your network. From this page, click the Add/Remove IP Addresses
button to update the intranet definition for your network.

This internal network policy component is referenced in a built-in firewall rule.
This built-in rule is referenced in the built-in policy. If you are using the built-in
policy, you can manage the internal network definition from this page.

Add or Remove IP Addresses

Use this page to add or remove IP addresses.

When entering an IP address, you can enter a single IP address or multiple IP
addresses separated by ",", ";", or a space. You can enter IP address ranges
separated by a dash. You can enter IP address ranges using CIDR or subnet
mask notation, and can enter IPv6 or IPv4 addresses.

To add an IP address

1. Enter the IP address in the IP Address field and click Add.

The address is added to the table.

2. Click Save.

The changes are saved and you are returned to the Open System Ports page.

To remove an IP address

1. Select the IP address to remove from the list and click Remove.

The address is removed from the table.

2. Click Save.

The changes are saved and you are returned to the Open System Ports page.

To modify an IP address

1. Select the IP address to modify from the list and click Modify.

2. Change the IP address.

Alternatively, use the Clear button to clear the IP Address field, if necessary.

3. Click Update.

The address is updated to the new value.

4. Click Save.

The changes are saved and you are returned to the Open System Ports page.
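The address syntax described above (single addresses, lists separated by commas, semicolons or spaces, dash-separated ranges, CIDR or subnet-mask notation, IPv4 and IPv6) is exactly the kind of input that is worth validating before it reaches a firewall definition, because a mistyped entry silently widens or narrows the intranet. The following Python is an added example, not CA Total Defense code, that parses that syntax into network objects with the standard library's ipaddress module and answers the question a firewall rule asks of the Internal Network Definition: is a given address inside it? The function names and the sample entry string are constructed for the example; how the product itself stores the list is not documented here.

```python
import ipaddress
import re
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Entries may be separated by ",", ";" or whitespace, in any combination.
_SEPARATORS = re.compile(r"[,;\s]+")


def parse_address_list(text: str) -> List[Network]:
    """Parse the page's address syntax into ip_network objects.

    Accepts single addresses, 'start-end' ranges, CIDR prefixes and (for IPv4)
    dotted subnet-mask notation, in either IP version. A bad entry raises
    ValueError naming the token, rather than being dropped silently.
    """
    networks: List[Network] = []
    for token in _SEPARATORS.split(text.strip()):
        if not token:
            continue
        try:
            if "-" in token:  # IPv6 addresses never contain '-', so this is safe
                start_s, end_s = token.split("-", 1)
                start = ipaddress.ip_address(start_s)
                end = ipaddress.ip_address(end_s)
                if start.version != end.version or start > end:
                    raise ValueError("range endpoints must share a version and ascend")
                # A range becomes the minimal list of CIDR blocks covering it.
                networks.extend(ipaddress.summarize_address_range(start, end))
            else:
                # strict=False lets '10.1.2.3/24' mean the containing /24;
                # ip_network also accepts '172.16.0.0/255.255.0.0' for IPv4.
                networks.append(ipaddress.ip_network(token, strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid address entry {token!r}: {exc}") from exc
    return networks


def is_internal(networks: Iterable[Network], address: str) -> bool:
    """True if the address falls inside any parsed network (version-aware)."""
    ip = ipaddress.ip_address(address)
    return any(ip.version == net.version and ip in net for net in networks)


# Constructed sample entry exercising every form the page describes.
SAMPLE_ENTRY = (
    "10.0.0.1-10.0.0.50, 192.168.10.0/24; 172.16.0.0/255.255.0.0 "
    "2001:db8::/32 fd00::1"
)

if __name__ == "__main__":
    for net in parse_address_list(SAMPLE_ENTRY):
        print(net)
    print(is_internal(parse_address_list(SAMPLE_ENTRY), "10.0.0.50"))
```

The range form is worth noting: 10.0.0.1-10.0.0.50 is not a single CIDR block, so it expands to eight prefixes, and a definition that looks like one entry in the console can be several rules on the endpoint.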


Configure Open System Ports

The built-in Open System Ports page lets you define the allowed open ports on
your network. From this page, click the Add/Remove Ports button to update the
open port list for your network.

Add or Remove Open Ports

Use this page to add, edit, or remove open ports. You can also specify whether to
negate source or destination ports.

To add an open port

1. Specify the protocol used by the port.

2. Specify the Destination ports.

The manner of specifying ports depends on the protocol you use. For most
protocols, you can choose a single port, a range of ports, or all ports.
When specifying a single port or range of ports, you must also supply the
required values. For the ICMP protocol, you must specify a function.

3. Click Add.

The ports are added to the table.

4. Click Save.

The changes are saved and you are returned to the Open System Ports page.

To remove a port

1. Select the port to remove from the list and click Remove.

The port is removed from the table.

2. Click Save.

The changes are saved and you are returned to the Open System Ports page.

To modify a port

1. Select the port to modify from the list and click Modify.

2. Change the protocol and destination port.

3. Click Update.

The port is updated to the new value.

4. Click Save.

The changes are saved and you are returned to the Open System Ports page.


Negating source or destination ports applies to all ports in the list. Negating a
group of ports means that all ports except those listed are available to use.

To negate source or destination ports

1. Enable one or both of the following options:

Negate Source Ports
Use all ports except the source ports specified.

Negate Destination Ports
Use all ports except the destination ports specified.

2. Click Save.

The changes are saved and you are returned to the Open System Ports page.

Configure Built-in Custom Firewall Rule Sets

The Custom Firewall Rules page lets you add or remove rules used by the built-in
Firewall Rule Set. This Rule Set forms the basis for the Firewall policies.

This page includes the following buttons:

New
Click this button to create a new Firewall Rule. Once the rule is created, the
rule is added to the rules table and can be used in the Custom Firewall Rule
Set.

Edit
Select a rule and click Edit to edit the rule. Some definitions are read-only
and cannot be edited.

Delete
Select a rule and click Delete to delete the rule. Deleting the rule removes
the rule from the Management Server. You should only delete rules if you do
not plan to use them again.

To simply remove a rule from the Rule Set, use the Remove Rule button.
Some definitions are read-only and cannot be deleted.

Add Rule
Select a rule and click Add Rule to add the rule to the Custom Firewall Rule
Set.


Remove Rule
Select a rule and click Remove Rule to remove the rule from the Custom
Firewall Rule Set, but not delete the rule completely.

Priority
Select a rule and use the Priority arrows to move the rule up and down the
listing. The rules are prioritized from highest to lowest. Higher priority rules
are applied first.

Note: The rules can be enabled or disabled by selecting the check box in the
Selected Rule list.

To configure the built-in custom Firewall Rule Set

1. Configure the name and general settings for the built-in custom Rule Set
(see page 321).

2. Specify the communications protocols and directions (see page 322).

3. Specify the remote and local IP addresses associated with this Rule Set (see
page 323).

4. Specify the access permissions, audit levels, Firewall zones and time frame
for this Rule Set (see page 323).

More information:

Manage Firewall Rules (see page 397)
Manage Firewall Rule Sets (see page 394)

Configure Names and General Settings

The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.

Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.

To specify the name and general settings

1. Enter the name and description for the rule.

2. Click Next to move to the next page.

Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.


Specify Applications or Application Groups

From this page, you can specify the applications or application groups to which a
rule applies.

To specify the applications or application groups of a rule

1. Specify whether you want this rule to apply to all applications, a group of
applications, or a specific application.

2. Click Next to move to the next page. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Specify Communication Protocols and Directions

This page lets you specify the communications protocol and the directions of
communication in the built-in custom Firewall Rule Set.

To specify communications protocol and directions

1. Specify the protocol to which you want this rule applied.

You can select Any protocol, or a specific one.

If you want the rule to apply to two protocols, create the rule for one
protocol, copy and paste the rule, then edit the copy and change the
protocol.

2. Specify the direction of network traffic to which the rule applies.

You can specify inbound or outbound, but you cannot select both.

To create the same rule for both traffic directions, create the rule, copy and
paste the rule, then edit the copy and change the direction.

3. Click Next.

The Remote and Local IP Address pane opens.

Alternatively, click Save to save your changes.

Your changes are saved and the page closes. Click Back to return to the previous
page. Click Discard to remove any changes you made. Click Close to close
the page without saving changes.


Specify Remote and Local IP Addresses

This page lets you specify the remote and local IP addresses used in the built-in
custom Firewall Rule Sets.

To specify remote and local IP addresses

1. Specify the Remote IP addresses to which this rule applies.

2. (Optional) Enable Routed Traffic, and specify any local IP address to which
this rule applies.

3. Click Next.

The Access Permission, Audit Level, Firewall Zone, and Time Frame pane
opens.

Alternatively, click Save to save your changes.

Your changes are saved and the page closes. Click Back to return to the previous
page. Click Discard to remove any changes you made. Click Close to close
the page without saving changes.

Specify Access Permissions, Audit Levels, Firewall Zones, and Time Frames

This page lets you specify the access permissions, audit levels, Firewall zones,
and time frames in the built-in custom Firewall Rule Sets.

To specify access permissions, audit levels, Firewall zones, and time
frames

1. Specify the Access Permission and Audit Level for this rule.

2. Specify the Firewall Zone for this rule.

3. Specify the time frame when this rule applies.

4. Click Save to save your changes.

Your changes are saved, and the page closes. Click Back to return to the
previous page. Click Discard to remove any changes you made. Click Close
to close the page without saving changes.
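The pages above, taken together with the component hierarchy described under Manage Proactive Protection Advanced Configuration (definitions, rules, Rule Sets, Rule Set groups), the Negate Source/Destination Ports options of the Open System Ports page, and the Priority arrows of the Custom Firewall Rules page, describe a small rule engine: a rule carries one protocol (or Any), one direction, a remote IP definition, a port set, an access permission and an optional time frame, and a Rule Set tries its enabled rules from highest priority down until one matches. The following Python is an added example, not CA Total Defense code, that models those pieces with constructed definitions and shows how priority order changes the verdict for the same connection. The class and rule names, the IPv4-only address handling, and the choice that a connection matching no rule is blocked are all assumptions of the example; the page does not state the product's default verdict.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class TimeFrame:
    """Definition: the clock interval during which a rule applies."""
    start: time
    end: time

    def contains(self, t: time) -> bool:
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end  # interval wraps past midnight


@dataclass
class PortSet:
    """Definition: a port list; negate=True means 'all ports except these'."""
    ports: Set[int]
    negate: bool = False

    def matches(self, port: int) -> bool:
        return (port in self.ports) != self.negate


@dataclass
class Connection:
    """A constructed network event the rules are evaluated against."""
    protocol: str    # "TCP" or "UDP"
    direction: str   # "inbound" or "outbound"
    remote_ip: str
    dst_port: int
    at: time


@dataclass
class FirewallRule:
    name: str
    protocol: Optional[str]                # None = Any protocol
    direction: str                         # one direction per rule, as on the page
    remote: List[ipaddress.IPv4Network]    # IP Address definition
    dst_ports: PortSet
    permission: str                        # "allow" or "block"
    timeframe: Optional[TimeFrame] = None  # None = applies at all times
    enabled: bool = True                   # the Selected Rule check box

    def matches(self, c: Connection) -> bool:
        if self.protocol not in (None, c.protocol) or self.direction != c.direction:
            return False
        ip = ipaddress.ip_address(c.remote_ip)
        if not any(ip in net for net in self.remote):
            return False
        if self.timeframe is not None and not self.timeframe.contains(c.at):
            return False
        return self.dst_ports.matches(c.dst_port)


@dataclass
class RuleSet:
    """Ordered rules; index 0 is the highest priority and is tried first."""
    name: str
    rules: List[FirewallRule]

    def raise_priority(self, rule_name: str) -> None:
        """Move a rule one step up the listing, as the Priority up arrow does."""
        i = next(i for i, r in enumerate(self.rules) if r.name == rule_name)
        if i > 0:
            self.rules[i - 1], self.rules[i] = self.rules[i], self.rules[i - 1]

    def evaluate(self, c: Connection) -> Optional[Tuple[str, str]]:
        """First enabled matching rule wins; None if nothing in the set matches."""
        for rule in self.rules:
            if rule.enabled and rule.matches(c):
                return rule.permission, rule.name
        return None


@dataclass
class RuleSetGroup:
    """Collection of Rule Sets, consulted in order."""
    name: str
    rule_sets: List[RuleSet]

    def evaluate(self, c: Connection, default: str = "block") -> Tuple[str, Optional[str]]:
        for rs in self.rule_sets:
            hit = rs.evaluate(c)
            if hit is not None:
                return hit
        return default, None  # fall-through verdict is this example's assumption


# Constructed definitions, rules and sets (not the product's built-in ones).
BUSINESS_HOURS = TimeFrame(time(9, 0), time(17, 0))
ANY_V4 = [ipaddress.ip_network("0.0.0.0/0")]
INTRANET = [ipaddress.ip_network("10.0.0.0/8")]
LAPTOP_INBOUND = RuleSet("laptop-inbound", [
    FirewallRule("allow-intranet-rdp", "TCP", "inbound", INTRANET, PortSet({3389}), "allow", BUSINESS_HOURS),
    FirewallRule("block-all-inbound", None, "inbound", ANY_V4, PortSet(set(), negate=True), "block"),
])
LAPTOP_OUTBOUND = RuleSet("laptop-outbound", [
    FirewallRule("allow-web", "TCP", "outbound", ANY_V4, PortSet({80, 443}), "allow"),
])
LAPTOPS = RuleSetGroup("laptops", [LAPTOP_INBOUND, LAPTOP_OUTBOUND])

if __name__ == "__main__":
    rdp = Connection("TCP", "inbound", "10.2.3.4", 3389, time(10, 0))
    print(LAPTOPS.evaluate(rdp))            # allowed by the intranet RDP rule
    LAPTOP_INBOUND.raise_priority("block-all-inbound")
    print(LAPTOPS.evaluate(rdp))            # same connection, now blocked
```

The last two lines of the demo are the point of the Priority arrows: moving the catch-all block rule above the specific allow rule silently defeats the allow, which is why a rule set should be reviewed top-down after any reordering. The page's advice to copy a rule and change its direction or protocol falls out of the model too, since a rule carries exactly one direction and one protocol (or Any).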


Configure Built-in Firewall Zone Assignment

The Firewall Zone Assignment page lets you define the rules used by the built-in
Firewall Zone Rule Set. This Rule Set forms the basis for the Firewall Zone
policies. This is a built-in Firewall zone assignment Rule Set which is referenced
in built-in policies. This page lets you modify this Rule Set.

This page includes the following buttons:

New
Click this button to create a new Firewall Zone Rule. Once the rule is created,
it is added to the rules table and can be used in the Built-in Firewall Zone
Rule Set.

Edit
Select a rule and click Edit to edit the rule. Some definitions are read-only
and cannot be edited.

Delete
Select a rule and click Delete to delete the rule. Deleting the rule removes
the rule from the Management Server. Only delete rules if you do not plan to
use them again.

To simply remove a rule from the Rule Set, use the Remove Rule button.
Some definitions are read-only and cannot be deleted.

Add Rule
Select a rule and click Add Rule to add the rule to the Built-in Firewall Rule
Set.

Remove Rule
Select a rule and click Remove Rule to remove the rule from the Built-in
Firewall Rule Set, but not delete the rule completely.

Priority
Select a rule and use the Priority arrows to move the rule up and down the
listing. The rules are prioritized from highest to lowest. Higher priority rules
are applied first.


Firewall Zone rules are used to make up your Firewall Zone policy and control
settings for different network zones.

To create a firewall zone rule


1. Click New.
The Create New Firewall Zone Rule Page opens to the Name and General
Setting pane.

2. Enter the name and description for the rule and click Next.
The Interface Identification pane opens, replacing the Name and General
Settings pane.

3. In the Identify Interface By pane, use one of the radio button options to
specify how a network interface is identified.

4. In the Specify Firewall Zone and Audit Level pane, select the Firewall Zone,
then select the audit level for this rule.
5. Click Save to save your changes.

Your changes are saved, and the pages close. Click Back to return to the
previous page. Click Discard to remove any changes you made. Click Close
to close the page without saving changes.
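The zone assignment logic this procedure configures, as an added example that is not part of this guide or of the product's code. The Python below models a prioritized Firewall Zone Rule Set: each rule identifies an interface by the subnet its address falls in (an assumption; the page does not list the identification options), the rule with the highest priority is applied first, and a check reports rules that can never fire because a higher-priority rule already covers their whole address range. The rule names, zones and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ZoneRule:
    name: str
    network: str      # assumption: the interface is identified by the subnet its address is in
    zone: str         # the Firewall Zone this rule assigns
    audit_level: str  # High, Medium, Low or Ignore


def rule_matches(rule: ZoneRule, address: str) -> bool:
    """True if the interface address falls inside the rule's network."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(rule.network)


def assign_zone(address: str, rules: List[ZoneRule]) -> Optional[Tuple[str, str, str]]:
    """First match wins: rules are evaluated from highest priority (index 0) downwards.

    Returns (zone, audit_level, rule_name), or None if no rule matches the address.
    """
    for rule in rules:
        if rule_matches(rule, address):
            return rule.zone, rule.audit_level, rule.name
    return None


def shadowed_rules(rules: List[ZoneRule]) -> List[str]:
    """Names of rules that can never fire because a higher-priority rule covers their whole network."""
    nets = [ipaddress.ip_network(r.network) for r in rules]
    return [r.name for i, r in enumerate(rules)
            if any(nets[i].subnet_of(earlier) for earlier in nets[:i])]


def set_priority(rules: List[ZoneRule], name: str, position: int) -> List[ZoneRule]:
    """Return a copy of the rule set with one rule moved to a new position (what the Priority arrows do)."""
    moved = next(r for r in rules if r.name == name)
    rest = [r for r in rules if r.name != name]
    return rest[:position] + [moved] + rest[position:]


# Constructed rule set in priority order, with a common mistake: the guest rule is
# more specific than the corporate rule but sits below it, so it never applies.
RULE_SET = [
    ZoneRule("Corporate LAN", "10.0.0.0/8", "Trusted", "Low"),
    ZoneRule("Guest Wi-Fi", "10.99.0.0/16", "Untrusted", "High"),
    ZoneRule("Any other address", "0.0.0.0/0", "Untrusted", "High"),
]

if __name__ == "__main__":
    print(assign_zone("10.99.1.5", RULE_SET))       # ('Trusted', 'Low', 'Corporate LAN'): guest rule shadowed
    print(shadowed_rules(RULE_SET))                  # ['Guest Wi-Fi']
    fixed = set_priority(RULE_SET, "Guest Wi-Fi", 0)
    print(assign_zone("10.99.1.5", fixed))          # ('Untrusted', 'High', 'Guest Wi-Fi')
    print(shadowed_rules(fixed))                     # []
```

Run `shadowed_rules` over a rule set after every reorder; a guest or untrusted range that is silently absorbed by a broader trusted rule is exactly the kind of misconfiguration that puts a hostile network into the Trusted zone without any event being raised.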

Configure Names and General Settings

The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.

Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.

To specify the name and general settings

1. Enter the name and description for the rule.

2. Click Next to move to the next page.


Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.

Configure Interface Identification

This page lets you configure the interface identifications for selected zones.

To configure interface identification for selected zones in a Firewall Zone rule


1. In the Identify Interface By pane, specify how you would like to identify the
zone and provide the corresponding address information.
2. In the Specify Firewall Zone and Audit Level pane, select the Firewall Zone,
then select the audit level for this rule.

3. Click Save to save your changes.


Your changes are saved, and the pages close. Click Back to return to the
previous page. Click Discard to remove any changes you made. Click Close
to close the page without saving changes.

Configure Monitoring of Port Listening

This page lets you monitor the applications that open a listening port. You
can enroll applications that are not yet monitored into the group or its
subgroups, and you can specify the following options:
Audit Level for Selected Applications

Select an application or application group and specify the audit level using
this option. When any application in this group opens a port, an event is
raised based on this audit level. The audit level defines when an event is sent
to the event server. When specifying audit levels, a high setting sends the
event immediately, while low and medium settings send events based on the
triggers defined in the event policy. To ignore events, set the audit level to
Ignore. You can choose from the following audit levels:

High
All details are sent immediately to the event server.
Medium

Event details are sent to the event server based on triggers defined in
the event policy.

Low
Event details are sent to the event server based on triggers defined in
the event policy.

Ignore
All events are ignored.

Audit Level for All Other Applications


Use this option to specify the audit levels for all applications not contained
within a given group. Any other application which is not in a group and opens
a port is audited based on this audit level.

This page includes a Find function. You can use this function to help you find
specific applications. When using this function, specify the name or characters to
find, then use the next and previous buttons to move to the next or previous
corresponding entry.

Do not use wildcards as this is a character matching search and looks for those
specific characters when searching.

To use the Find function

1. Click the double down arrow to open Find.

2. Specify one of the following to indicate the type of search:


Definition
Search the Definition field. The definition is typically the filename of the
application only.
Filename
Search the Filename field. The filename field typically includes both the
path and the application filename.

Description
Search the Description field.

3. Enter the search string.


You can enter any number of characters and the search looks for that string
of characters. Do not use wildcards as these are treated as characters, not
wildcards.

The search returns any results matching your criteria.


4. Click Next to move to the next matching entry in the list. Click Prev to move
to the previous entry in the list.

This page includes the following buttons:


New

Clicking this button opens a drop-down menu with two options, Enroll New
Application and Enroll New Application Subgroup. Enrolling a new application
adds the application to one of the application lists. Enrolling a new
application subgroup lets you organize your applications to better manage
your work. The enrollment process is covered in other sections.
Edit

Select a group or application and click this button to edit that object. Editing
is the same as creating a new object; you are just changing the existing
values.

Delete
Select a group or application and click this button to remove that group or
application from the list.

Enroll Unknown Application

Click this button to enroll an unknown application. Unknown applications are


those applications which are found on the client and which are not enrolled
yet. If a user tries to run such an application, an event is sent to the event
server. The event server filters those unknown applications and makes them
available on the server. You can then enroll these applications so that they
become known on the client.
Enroll Multiple Applications

Click this button to enroll groups of applications all identified in the same
manner at one time. For example, if you are adding a list of applications
based on file names, use this option to enroll all the applications at one time
instead of enrolling each application as a new one.

This page includes the following tables:


Application Group

This table lists the available application groups. The top group can contain
subgroups of applications.

Member Application Groups

This table lists the definition, file name, and description of the applications
enrolled in the selected group.

More information:

Enroll New Applications (see page 458)


Enroll New Application Subgroup (see page 469)
Enroll Unknown Applications (see page 471)
Enroll Multiple Applications (see page 475)

Set Application Control Advanced Configurations

The Application Control Advanced Configuration lets you create building blocks
used in Application Control Policies. The built-in policy components include:
Application White List
The Application White list should contain those applications allowed to run on
your network. If you limit the applications available to your end users, or
need very strong protection for your network, you may use the Application
White list heavily. For example, you could add the instant messenger
application your company uses to the White list, which would block all
others, preventing unwanted work distractions or access.

Application Black List


The Application Black list contains those applications you do not want run on
your network. Using the black list lets you allow more application freedom,
but can prevent known problem applications from being installed. For
example, if you know many employees are using an instant messenger
service on company time for non-company related endeavors, you could
black list that instant messenger application, but still allow the freedom for
your employees to use other services that meet their needs.
Installations List

The Installations list contains all the applications that are allowed to be
installed on your network. If, for example, certain application upgrades do
not meet your security standards, you could keep the older versions of the
application on the list, but remove the newest release from the list until you
feel all security issues have been resolved.

In addition to the pre-defined application lists, you can create your own
application lists, enroll applications in that list and create DLL lists, and enroll
DLLs into that list. You can also create rules governing the Known Application
Database, Integrity Checks, and Application Spawning. You can also add
Certificate definitions.

Configure the Application White List

The Configure Application White List page lets you add applications and
application groups to the Application White List. Use this list to allow only
the applications on it to run.

The Application White List lets you enroll applications and subgroups in a group
named Trusted. This application group is referenced in many different types of
rules, such as the application spawning rule "Allow trusted applications". It is
also used in many OS security rules that grant these applications access to
registry keys and files.

This page includes a Find function. You can use this function to help you find
specific applications. When using this function, specify the name or characters to
find, then use the next and previous buttons to move to the next or previous
corresponding entry.

Do not use wildcards as this is a character matching search and looks for those
specific characters when searching.

To use the Find function

1. Click the double down arrow to open Find.

2. Specify one of the following to indicate the type of search:


Definition
Search the Definition field. The definition is typically the filename of the
application only.
Filename
Search the Filename field. The filename field typically includes both the
path and the application filename.

Description
Search the Description field.

3. Enter the search string.


You can enter any number of characters and the search looks for that string
of characters. Do not use wildcards as these are treated as characters, not
wildcards.

The search returns any results matching your criteria.


4. Click Next to move to the next matching entry in the list. Click Prev to move
to the previous entry in the list.

This page includes the following buttons:

New

Clicking this button opens a drop-down menu with two options, Enroll New
Application and Enroll New Application Subgroup. Enrolling a new application
adds the application to one of the application lists. Enrolling a new
application subgroup lets you organize your applications to better manage
your work. The enrollment process is covered in other sections.

Edit
Select a group or application and click this button to edit that object. Editing
is the same as creating a new object; you are just changing the existing
values.

Delete
Select a group or application and click this button to remove that group or
application from the list.

Enroll Unknown Application


Click this button to enroll an unknown application. Unknown applications are
those applications which are found on the client and which are not enrolled
yet. If a user tries to run such an application, an event is sent to the event
server. The event server filters those unknown applications and makes them
available on the server. You can then enroll these applications so that they
become known on the client.

Enroll Multiple Applications


Click this button to enroll groups of applications all identified in the same
manner at one time. For example, if you are adding a list of applications
based on file names, use this option to enroll all the applications at one time
instead of enrolling each application as a new one.

This page includes the following tables:

Application Group
This table lists the available application groups. The top group can contain
subgroups of applications.

Member Application Groups


This table lists the definition, file name, and description of the applications
enrolled in the selected group.

More information:

Enroll New Applications (see page 458)


Enroll New Application Subgroup (see page 469)
Enroll Unknown Applications (see page 471)
Enroll Multiple Applications (see page 475)

Configure the Application Black List

The Configure Application Black List page lets you add applications and
application groups to the Application Black Lists.

The Application Black lists are used in an application spawning rule called "Block
BlackList Applications" which prevents spawning of these applications by any
other application.

This page includes a Find function. You can use this function to help you find
specific applications. When using this function, specify the name or characters to
find, then use the next and previous buttons to move to the next or previous
corresponding entry.

Do not use wildcards as this is a character matching search and looks for those
specific characters when searching.

To use the Find function

1. Click the double down arrow to open Find.

2. Specify one of the following to indicate the type of search:


Definition
Search the Definition field. The definition is typically the filename of the
application only.
Filename
Search the Filename field. The filename field typically includes both the
path and the application filename.

Description
Search the Description field.

3. Enter the search string.


You can enter any number of characters and the search looks for that string
of characters. Do not use wildcards as these are treated as characters, not
wildcards.

The search returns any results matching your criteria.


4. Click Next to move to the next matching entry in the list. Click Prev to move
to the previous entry in the list.

This page includes the following buttons:

New

Clicking this button opens a drop-down menu with two options, Enroll New
Application and Enroll New Application Subgroup. Enrolling a new application
adds the application to one of the application lists. Enrolling a new
application subgroup lets you organize your applications to better manage
your work. The enrollment process is covered in other sections.

Edit
Select a group or application and click this button to edit that object. Editing
is the same as creating a new object; you are just changing the existing
values.

Delete
Select a group or application and click this button to remove that group or
application from the list.

Enroll Unknown Application


Click this button to enroll an unknown application. Unknown applications are
those applications which are found on the client and which are not enrolled
yet. If a user tries to run such an application, an event is sent to the event
server. The event server filters those unknown applications and makes them
available on the server. You can then enroll these applications so that they
become known on the client.

Enroll Multiple Applications


Click this button to enroll groups of applications all identified in the same
manner at one time. For example, if you are adding a list of applications
based on file names, use this option to enroll all the applications at one time
instead of enrolling each application as a new one.

This page includes the following tables:

Application Group
This table lists the available application groups. The top group can contain
subgroups of applications.

Member Application Groups


This table lists the definition, file name, and description of the applications
enrolled in the selected group.

More information:

Enroll New Applications (see page 458)


Enroll New Application Subgroup (see page 469)
Enroll Unknown Applications (see page 471)
Enroll Multiple Applications (see page 475)

Configure the Installations List

The Configure Installations List page lets you add applications and application
groups to the Installations lists. The Installations list is used in the Known
Application Use rule "Installations". This rule enrolls applications marked as
installers in this group. This list is also used in the Application Spawning rule
"Allow Installers". This rule lets you specify applications that can be spawned and
used as installers.

This page includes a Find function. You can use this function to help you find
specific applications. When using this function, specify the name or characters to
find, then use the next and previous buttons to move to the next or previous
corresponding entry.

Do not use wildcards as this is a character matching search and looks for those
specific characters when searching.

To use the Find function

1. Click the double down arrow to open Find.

2. Specify one of the following to indicate the type of search:


Definition
Search the Definition field. The definition is typically the filename of the
application only.
Filename
Search the Filename field. The filename field typically includes both the
path and the application filename.

Description
Search the Description field.

3. Enter the search string.


You can enter any number of characters and the search looks for that string
of characters. Do not use wildcards as these are treated as characters, not
wildcards.

The search returns any results matching your criteria.


4. Click Next to move to the next matching entry in the list. Click Prev to move
to the previous entry in the list.

This page includes the following buttons:

New

Clicking this button opens a drop-down menu with two options, Enroll New
Application and Enroll New Application Subgroup. Enrolling a new application
adds the application to one of the application lists. Enrolling a new
application subgroup lets you organize your applications to better manage
your work. The enrollment process is covered in other sections.

Edit
Select a group or application and click this button to edit that object. Editing
is the same as creating a new object; you are just changing the existing
values.

Delete
Select a group or application and click this button to remove that group or
application from the list.

Enroll Unknown Application


Click this button to enroll an unknown application. Unknown applications are
those applications which are found on the client and which are not enrolled
yet. If a user tries to run such an application, an event is sent to the event
server. The event server filters those unknown applications and makes them
available on the server. You can then enroll these applications so that they
become known on the client.

Enroll Multiple Applications


Click this button to enroll groups of applications all identified in the same
manner at one time. For example, if you are adding a list of applications
based on file names, use this option to enroll all the applications at one time
instead of enrolling each application as a new one.

This page includes the following tables:

Application Group
This table lists the available application groups. The top group can contain
subgroups of applications.

Member Application Groups


This table lists the definition, file name, and description of the applications
enrolled in the selected group.

More information:

Enroll New Applications (see page 458)


Enroll New Application Subgroup (see page 469)
Enroll Unknown Applications (see page 471)
Enroll Multiple Applications (see page 475)

Enroll Applications and Application Groups

The Enroll Applications and Application Groups page of the Application Control
Advanced Configuration lets you enroll applications that can be used in all
Application Control policies. These application groups and applications are
also used in other rules, such as Firewall, Application Spawning and OS
Security rules.

This page includes a Find function. You can use this function to help you find
specific applications. When using this function, specify the name or characters to
find, then use the next and previous buttons to move to the next or previous
corresponding entry.

Do not use wildcards as this is a character matching search and looks for those
specific characters when searching.

To use the Find function

1. Click the double down arrow to open Find.

2. Specify one of the following to indicate the type of search:


Definition
Search the Definition field. The definition is typically the filename of the
application only.
Filename
Search the Filename field. The filename field typically includes both the
path and the application filename.

Description
Search the Description field.

3. Enter the search string.


You can enter any number of characters and the search looks for that string
of characters. Do not use wildcards as these are treated as characters, not
wildcards.

The search returns any results matching your criteria.


4. Click Next to move to the next matching entry in the list. Click Prev to move
to the previous entry in the list.

This page includes the following buttons:

New

Clicking this button opens a drop-down menu with two options, Enroll New
Application and Enroll New Application Subgroup. Enrolling a new application
adds the application to one of the application lists. Enrolling a new
application subgroup lets you organize your applications to better manage
your work. The enrollment process is covered in other sections.

Edit
Select a group or application and click this button to edit that object. Editing
is the same as creating a new object; you are just changing the existing
values.

Delete
Select a group or application and click this button to remove that group or
application from the list.

Enroll Unknown Application


Click this button to enroll an unknown application. Unknown applications are
those applications which are found on the client and which are not enrolled
yet. If a user tries to run such an application, an event is sent to the event
server. The event server filters those unknown applications and makes them
available on the server. You can then enroll these applications so that they
become known on the client.

Enroll Multiple Applications


Click this button to enroll groups of applications all identified in the same
manner at one time. For example, if you are adding a list of applications
based on file names, use this option to enroll all the applications at one time
instead of enrolling each application as a new one.

This page includes the following tables:

Application Group
This table lists the available application groups. The top group can contain
subgroups of applications.

Member Application Groups


This table lists the definition, file name, and description of the applications
enrolled in the selected group.

More information:

Enroll New Applications (see page 458)


Enroll New Application Subgroup (see page 469)
Enroll Unknown Applications (see page 471)
Enroll Multiple Applications (see page 475)

Enroll DLL Modules and DLL Module Groups

The Enroll DLL Modules and DLL Module Groups Advanced Configuration lets you
create DLL-related building blocks for use in Application Control or OS Security
policies. You can use these DLL modules and groups to limit or allow DLL
actions, protecting your network from unwanted behavior.

You can enroll a single DLL as a DLL module, combine DLL modules into a DLL
module group, and add DLL module groups as subgroups of other DLL module
groups.

This page includes the Find tool. You can use this tool to help you find specific
DLLs. When using this tool, specify the name or characters to find, then use the
Next and Previous buttons to move to the next or previous corresponding entry.
Do not use wildcards as this is a character search and the search looks for those
characters in the search area.

To use the Find tool

1. Click the double down arrow to open the Find tool.


2. Select to search based on one of the following options:

Definition
Select this option to search the Definition field. Usually the definition is
the filename of the DLL only.

Filename

Select this option to search the Filename field. Usually the filename field
includes both the path and the DLL filename.
Description

Select this option to search the Description field.

3. Enter the search string. You can enter any number of characters and the
search looks for that string of characters. Do not use wildcards as these are
treated as characters, not wildcards.
4. Click Next to move to the next matching entry in the list. Click Prev to move
to the previous entry in the list.

This page includes the following buttons:


New

Clicking this button opens a drop-down menu with two options, Enroll New
DLL Module and Enroll New DLL Module Group. Enrolling a new DLL makes the
DLL available for use in policies. Enrolling a new DLL module group lets you
organize your DLL modules to better manage your work. The enrollment process
is covered in other sections.
Edit
Select a group or DLL and click this button to edit that object. Editing is the
same as creating a new object; you are just changing the existing values.

Delete
Select a group or DLL and click this button to remove that group or DLL from
the list.

Enroll Multiple DLL Modules


Click this button to enroll groups of DLLs all identified in the same manner at
one time.

Enroll New DLL Modules

Enrolling a DLL into a DLL Module lets you create rules that allow or restrict that
DLL. You can also enroll the DLL modules into a group, allowing you to create
rules that govern a set of DLLs.

To enroll a new DLL module

1. Configure the name and general setting for the DLL module (see page 321).
2. Specify the DLL for the DLL module (see page 339).

3. Specify any Identity Redirections that apply to the DLL (see page 341).

4. Add the DLL module to a DLL module group (see page 341).

Configure Names and General Settings

The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.

Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.

To specify the name and general settings


1. Enter the name and description for the rule.
2. Click Next to move to the next page.

Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.

Specify DLL Module Identification

To enroll a DLL into a new DLL module, you must specify the DLL module
identification.

To specify the DLL module identification

1. Open the Specify DLL Module Identification page by either clicking Next on
the Name and General Settings page of Enroll New DLL Module, or by clicking
the Specify DLL Module Identification link in the Steps to Create Policy
pane.
The DLL Module Identification pane opens.

2. Select to identify the DLL by one of the following options, and provide the
details for that option when applicable. Path and filename are the weakest
criteria, because any file placed at that path or given that name matches;
the checksum and certificate options also verify the file's contents or its
signer.

Path
Identify the DLL by its full path. Use this option if you know the path will
be constant.
Filename
Identify the DLL by its filename alone. Use this method only if you are not
concerned that malware may masquerade as the DLL by using its name.
Checksum
Enroll DLLs based on their checksum. You must copy the DLL to the
WebServices\CheckSum folder where the Management Console is installed. You
can add multiple checksums as necessary. A checksum matches one exact build
of the DLL, so add a new checksum whenever the DLL is updated.

Checksum and Path

Enroll the DLL based both on path and checksum.

Checksum and Filename


Enroll the DLL based on both checksum and filename.

Signed by Certificate in Trusted Store


Enroll the DLL based upon a signed certificate located in the trusted
store.

Signed by Certificate in Trusted Store and Path


Enroll the DLL both based on certificate and path.

Signed by Certificate in Trusted Store and Filename

Enroll the DLL both based on certificate and filename.

Signed by Known Certificate


Enroll the DLL based on a Known Certificate. You must select the
certificate definition as well.

Signed by Known Certificate and Path


Enroll the DLL based on a Known Certificate and path.

Signed by Known Certificate and Filename


Enroll the DLL based on a Known Certificate and filename.
3. Click Next to continue to the Identity Redirection page.

Alternatively, click Save to save your changes and return to the Enroll DLL
Modules and DLL Module Groups page.

Specify Identity Redirections

Some applications serve as surrogates for other code. The purpose of Identity
Redirection is to correctly handle situations where one executable interprets
other files.

For example, without Identity Redirection all *.msi installation packages would
be treated the same because the msiexec.exe application is installing them all.
All *.vbs and *.js script files are treated the same as they are interpreted by the
wscript.exe process.

The Identity Redirections page lets you specify which identity redirections
apply to the module, so that rules are evaluated against the file being
interpreted rather than against the interpreter that runs it.

To specify the identity redirection

1. Highlight any applicable Identity Redirection and use the double arrows to
move the redirection to the correct list.

2. Click Next to move to the next page. Click Save to save your changes.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
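The identification options listed under Specify DLL Module Identification and the Identity Redirections described in this section, as one added example that is not part of this guide or of the product's code. The Python below models an enrolled module as a set of criteria that must all hold (path, filename, checksum, known-certificate signer), resolves the effective identity of an interpreter such as msiexec.exe or wscript.exe to the file it runs, and shows why a filename-only rule also matches a look-alike DLL dropped in a user's Temp folder while a checksum or signer rule does not. Assumptions: SHA-256 is used as the checksum (the page says only "checksum"); the signer subject is supplied as data rather than verified from an Authenticode signature; cscript.exe is treated like wscript.exe; all file contents and paths are constructed.

```python
import hashlib
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed view of what the client sees on disk: path -> (file bytes, verified signer subject).
# The bytes are placeholders; the signer is data because no real signature check is done here.
SAMPLE_FILES: Dict[str, Tuple[bytes, Optional[str]]] = {
    r"C:\Windows\System32\crypt32.dll": (b"MZ genuine crypt32 (constructed)", "Microsoft Windows"),
    r"C:\Users\alice\AppData\Local\Temp\crypt32.dll": (b"MZ look-alike dropped by malware (constructed)", None),
    r"C:\Deploy\agent.msi": (b"MSI package (constructed)", "Example Corp"),
    r"C:\Users\alice\Downloads\invoice.vbs": (b"WScript.Shell payload (constructed)", None),
}
GENUINE = r"C:\Windows\System32\crypt32.dll"
LOOKALIKE = r"C:\Users\alice\AppData\Local\Temp\crypt32.dll"


def sha256_of(path: str, files=SAMPLE_FILES) -> str:
    """Checksum of a file's contents (assumption: SHA-256)."""
    return hashlib.sha256(files[path][0]).hexdigest()


@dataclass(frozen=True)
class ModuleRule:
    """One enrolled module. Every field that is set is a criterion, and all set criteria must hold."""
    name: str
    path: Optional[str] = None       # Path, or "... and Path"
    filename: Optional[str] = None   # Filename, or "... and Filename"
    checksum: Optional[str] = None   # Checksum variants
    signer: Optional[str] = None     # Signed by Known Certificate variants (subject name)


def matches(rule: ModuleRule, path: str, files=SAMPLE_FILES) -> bool:
    data, signer = files[path]
    checks = []
    if rule.path is not None:
        checks.append(ntpath.normcase(path) == ntpath.normcase(rule.path))
    if rule.filename is not None:
        checks.append(ntpath.normcase(ntpath.basename(path)) == ntpath.normcase(rule.filename))
    if rule.checksum is not None:
        checks.append(hashlib.sha256(data).hexdigest() == rule.checksum)
    if rule.signer is not None:
        checks.append(signer == rule.signer)
    return bool(checks) and all(checks)


# The same DLL enrolled three ways, from weakest to strongest.
BY_FILENAME = ModuleRule("crypt32 by filename", filename="crypt32.dll")
BY_SIGNER_AND_FILENAME = ModuleRule("crypt32 by signer", filename="crypt32.dll", signer="Microsoft Windows")
BY_CHECKSUM_AND_FILENAME = ModuleRule("crypt32 by checksum", filename="crypt32.dll", checksum=sha256_of(GENUINE))

# Identity Redirection: interpreters whose identity is taken from the file they run.
# msiexec.exe and wscript.exe are the page's examples; cscript.exe is an assumption.
REDIRECTIONS = {
    "msiexec.exe": (".msi",),
    "wscript.exe": (".vbs", ".js"),
    "cscript.exe": (".vbs", ".js"),
}


def effective_identity(image_path: str, argv: Sequence[str]) -> str:
    """The path to identify: the interpreted file for a redirected interpreter, else the image itself."""
    exts = REDIRECTIONS.get(ntpath.basename(image_path).lower())
    if exts:
        for arg in argv[1:]:
            if arg.lower().endswith(exts):
                return arg
    return image_path


def first_matching_rule(image_path: str, argv: Sequence[str], rules: List[ModuleRule],
                        files=SAMPLE_FILES) -> Optional[str]:
    """Name of the first enrolled module the effective identity matches; None if it is unknown."""
    target = effective_identity(image_path, argv)
    if target not in files:
        return None
    for rule in rules:
        if matches(rule, target, files):
            return rule.name
    return None
```

With redirection in place, a rule that allows `C:\Deploy\agent.msi` signed by the expected publisher applies to that package only, while `msiexec.exe` run against some other package, or `wscript.exe` run against a downloaded script, is identified as the package or script and stays unknown until you enroll it.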

More information:

Enroll New Applications (see page 458)


Enroll New DLL Modules (see page 339)
Add DLL Module to DLL Module Groups

The final step of enrolling a DLL module is to add it to one or more DLL
module groups.

To add the DLL module to a DLL module group

1. Open the Add DLL Module to DLL Module Groups page by either clicking Next
on the Specify Identity Redirections page, or by clicking the Add DLL Module
to DLL Module Groups link in the Steps to Create Policy pane.

The Add DLL Module to DLL Module Groups pane opens.


2. Highlight any applicable DLL group and use the double arrows to move the
group to the correct list.

The DLL module is enrolled in the selected DLL module group.


3. Click Save to save your changes.
Your changes are saved, and the Enroll New DLL Module pages close. Click
Back to return to the previous page. Click Discard to remove any changes
you made. Click Close to close the page without saving changes.

Enroll New DLL Module Group

In addition to enrolling DLL modules, you can create and enroll DLL module
groups. DLL module groups are a way to group similar DLLs so that you can
create policies for that set of DLLs.

You can also add DLL module groups to other groups. For example, you could
create a DLL module group for all DLLs related to a single application, and add
that group as a subgroup of a DLL module group you create for all application
DLLs.

To enroll a new DLL module group

1. Configure the name and general settings of the DLL module group (see
page 321).

2. Add DLL modules to the DLL module group (see page 343).

3. Add DLL module groups as subgroups (see page 343).


Configure Names and General Settings

The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.

Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.


To specify the name and general settings

1. Enter the name and description for the policy component.

2. Click Next to move to the next page.

Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.

Add DLL Modules to DLL Module Groups

After specifying the name and general settings for the DLL module group, you
must specify the DLLs contained in the group. You must first enroll the DLLs in
order to add the DLLs to a DLL module group.

To add DLL modules to a DLL module group

1. Open the Add DLL Modules to DLL Module Groups page by either clicking
Next on the Name and General Settings page of the Enroll DLL Module Group,
or by clicking the Add DLL Modules to DLL Module Groups link in the Steps to
Create Policy pane.

The Add DLL Modules to DLL Module Group pane opens.

2. Highlight the DLLs to add to the group and use the double arrows to move
the DLLs to the correct list.

3. Click Next to continue to the Add DLL Module Groups as Subgroups page.

Alternatively, click Save to save your changes and return to the Enroll DLL
Modules and DLL Module Groups page.

Add DLL Module Groups as Subgroups

You may wish to combine several DLL module groups into a large group. For
example, you may have DLL module groups for each application. You may want
to create a DLL module group that contains each application DLL module group
you create. You can then use the larger group in rules so you do not have to
create the same rule for each smaller group.

To add DLL module groups as subgroups

1. Open the Add DLL Module Group as Subgroups page by either clicking Next
on the Add DLL Modules to DLL Module Group page, or by clicking the Add
DLL Module Group as Subgroups link in the Steps to Create Policy pane.

The Add DLL Module Groups as Subgroups pane opens.

2. Highlight any DLL Module Subgroups to add to the group and use the double
arrows to move the subgroup to the correct list.

3. Click Save to save your changes and return to the Enroll DLL Modules and
DLL Module Groups page.

Alternatively, click Back to return to the previous page, click Discard to
remove any changes you made, or click Close to close the policy.

Enroll Multiple DLL Modules

If necessary, you can enroll multiple DLL modules at one time. When enrolling
multiple modules, ensure that all the modules share the same identification
method, then select the DLL modules and add the modules to groups.

Note: When using checksum validation, you must copy the DLL modules to the
WebServices\CheckSum folder.

To enroll multiple DLL modules

1. Select the DLL modules to enroll (see page 344).

2. Add the DLL modules to the DLL module group (see page 345).

Select Multiple DLL Modules to Enroll

When enrolling multiple modules, all the modules must share the same
identification method. You can choose to enroll DLL modules based on path, file
name, checksum, those signed by a specific certificate or a combination of these
options.

Note: When using checksum validation, you must copy the DLL modules to the
WebServices\CheckSum folder.

To select multiple DLL modules to enroll

1. Click Enroll Multiple DLL Modules.

The Enroll Multiple DLL Modules window opens to the Select Multiple DLL
Modules to Enroll pane.

2. Select to identify the DLL modules by one of the following options, and
provide the details for that option when applicable:

Path
Identify the DLL modules by the path to the DLL modules. Use this option
if you know the path will be constant.

Filename
Identify the DLL modules by filename. Use this method only if you do not
expect malware to masquerade as the DLL modules.

Checksum
Enroll DLL modules based on their checksum. You must copy the DLL
modules to the WebServices\CheckSum folder; the MD5 checksum is then
calculated. You can add multiple checksums as necessary.

Checksum and Path
Enroll the DLL modules based on both path and checksum.

Checksum and Filename
Enroll the DLL modules based on both checksum and filename.

Signed by Certificate in Trusted Store
Enroll the DLL modules based on a signing certificate located in the
trusted store.

Signed by Certificate in Trusted Store and Path
Enroll the DLL modules based on both certificate and path.

Signed by Certificate in Trusted Store and Filename
Enroll the DLL modules based on both certificate and filename.

3. (Optional) Provide the path if applicable.

You must provide the path if you are identifying the DLL modules by path in
any manner. Otherwise, you may leave this field blank.

4. Click Next to continue enrolling the DLL modules, moving to the Add DLL
Modules to DLL Module Group page. Alternatively, click Save to save your
changes. Click Discard to remove any changes you made. Click Close to close
the page without saving changes.
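The identification options above can be checked mechanically. The following Python is an added example, not code from the CA Total Defense product: it models each option as the set of criteria that must all hold, computes the MD5 checksum the guide refers to, and shows why filename-only enrollment is weaker than a checksum. The DLL contents, paths, signer names and the DllModule and Enrollment types are constructed for this example.

```python
"""Model of the DLL module identification methods listed above.

Added example, not CA's code. The DLL bytes, paths and signer names below
are constructed; the MD5 checksum is computed here for illustration, whereas
the console computes it from the copy placed in WebServices\\CheckSum.
"""
import hashlib
import ntpath
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class DllModule:
    """What is known about one DLL on the endpoint (constructed sample)."""
    path: str                 # full path, e.g. C:\Program Files\App\app.dll
    content: bytes            # file bytes, used to compute the MD5 checksum
    signer: Optional[str]     # signing certificate subject, None if unsigned
    signer_trusted: bool      # whether that certificate is in the trusted store

    @property
    def filename(self) -> str:
        return ntpath.basename(self.path)

    @property
    def md5(self) -> str:
        return hashlib.md5(self.content).hexdigest()


@dataclass(frozen=True)
class Enrollment:
    """One enrolled DLL module: the identification method and its values."""
    method: str                          # a key of METHODS
    path: Optional[str] = None           # needed when the method includes path
    filename: Optional[str] = None       # needed when the method includes filename
    checksums: FrozenSet[str] = frozenset()  # several checksums may be enrolled


# Each console option maps to the criteria that must all hold.
METHODS = {
    "Path": ("path",),
    "Filename": ("filename",),
    "Checksum": ("checksum",),
    "Checksum and Path": ("checksum", "path"),
    "Checksum and Filename": ("checksum", "filename"),
    "Signed by Certificate in Trusted Store": ("certificate",),
    "Signed by Certificate in Trusted Store and Path": ("certificate", "path"),
    "Signed by Certificate in Trusted Store and Filename": ("certificate", "filename"),
}


def _norm(p: str) -> str:
    # Windows paths are case-insensitive and accept either separator
    return ntpath.normcase(ntpath.normpath(p))


def matches(enr: Enrollment, dll: DllModule) -> bool:
    """True if every criterion of the enrollment's method holds for the DLL."""
    criteria = {
        "path": lambda: (enr.path is not None
                         and _norm(enr.path) == _norm(dll.path)),
        "filename": lambda: (enr.filename is not None
                             and enr.filename.lower() == dll.filename.lower()),
        "checksum": lambda: dll.md5 in {c.lower() for c in enr.checksums},
        "certificate": lambda: dll.signer is not None and dll.signer_trusted,
    }
    return all(criteria[c]() for c in METHODS[enr.method])


def demo() -> dict:
    """Why the guide warns about filename-only enrollment: a file with the same
    name but different contents satisfies it, while a checksum does not."""
    genuine = DllModule(r"C:\Program Files\App\app.dll", b"MZ-genuine-bytes",
                        "App Vendor", True)
    impostor = DllModule(r"C:\Users\Public\app.dll", b"MZ-other-bytes", None, False)
    by_name = Enrollment("Filename", filename="app.dll")
    by_checksum = Enrollment("Checksum and Filename", filename="app.dll",
                             checksums=frozenset({genuine.md5}))
    return {
        "genuine_by_name": matches(by_name, genuine),            # True
        "impostor_by_name": matches(by_name, impostor),          # True
        "genuine_by_checksum": matches(by_checksum, genuine),    # True
        "impostor_by_checksum": matches(by_checksum, impostor),  # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
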

Add DLL Modules to DLL Module Groups

After selecting the DLL modules to enroll, you must add the modules to the
available module groups. This lets you group modules for easier use.

To add DLL modules to DLL module groups

1. Open the Add DLL Modules to DLL Module Groups page by either clicking
Next on the Select Multiple DLL Modules to Enroll page, or by clicking the Add
DLL Modules to DLL Module Groups link in the Steps to Create Policy pane.

2. Highlight the modules to add to the group and use the double arrows to
move the modules to the correct list.

3. Click Save to save your changes.

Your changes are saved, and the page closes. Click Back to return to the
previous page. Click Discard to remove any changes you made. Click Close
to close the page without saving changes.


Set OS Security Advanced Configuration

The OS Security Advanced Configuration lets you modify the built-in policy
components used in the built-in OS Security Policies. The built-in policy
components include:

Access Controls
Access Controls let you specify device access permissions for the built-in OS
Security policies.

Directories
The directories built-in policy components let you specify which directories
can be accessed by the restricted applications and by end users.

Registry Keys
The registry key built-in policy components let you specify which registry
keys can be accessed by the restricted applications and by end users when
using the built-in OS Security policies.

Services
The built-in services policy components let you specify which services can be
accessed by the restricted applications and by end users when using the
built-in OS Security policies.

COM Objects
The built-in COM policy components let you specify which COM objects can
be accessed by the restricted applications and by end users when using the
built-in OS Security policies.

In addition, under the Other Advanced Configuration options, you can create OS
Security rules and Rule Sets and Guard rules and Rule Sets. You can also create
definitions for File, Registry, COM, Service, Device, and Time Frame objects.


Configure the Access Controls

The OS Security Access Controls page lets you set the access controls for built-in
OS Security policies and Rule Sets. These settings are only for built-in policies or
the policies using built-in Rule Sets. You must create your own Rule Sets for
custom policies.

When specifying access controls, you can select from the following options:

No Access
No access is permitted at all. You can select this option for both storage
devices and miscellaneous ones.

Read-Only Access
Data can be read from the device, but cannot be written to the device. This
option only applies to storage devices. You can use this option to allow
access to removable media, but to prevent files from being copied to such
removable media.

Full Access
Full read and write access is allowed for the given device. This can apply to
both storage and miscellaneous devices.

To specify access controls

1. Set the access controls for all the available options to suit your needs.

2. Click Apply.

The access settings are saved, and all policies now use the new access
settings.

Configure the Hidden Directories for Restricted Applications

The Hidden Directories for Restricted Applications page lets you specify
directories which are hidden from restricted applications. There is a built-in rule
which allows full access to all files by any application, so you can use this page to
hide some files or directories from restricted applications.

To add hidden directories for restricted applications

1. Click Add/Remove Hidden Directories for Restricted Applications.

The Configure Hidden Directories for Restricted Applications pane opens.

2. In the Item field, enter the path of the hidden directory.

If you need to add special folders such as CD ROM drives, use the Special
Folders drop-down menu.

3. Click Add.

The directory is added to the list.

4. Click Save.

Your changes are saved and the Configure Hidden Directories for Restricted
Applications pane closes.

To remove hidden directories for restricted applications

1. Click Add/Remove Hidden Directories for Restricted Applications.

The Configure Hidden Directories for Restricted Applications pane opens.

2. Select the directory or directories to remove and click Remove.

The directory is deleted from the list.

3. Click Save.

Your changes are saved and the Configure Hidden Directories for Restricted
Applications pane closes.

To modify hidden directories for restricted applications

1. Click Add/Remove Hidden Directories for Restricted Applications.

The Configure Hidden Directories for Restricted Applications pane opens.

2. Select the hidden directory to modify.

3. Enter the new path in the Item field and click Modify.

The directory is updated to match the new path.

4. Click Save.

Your changes are saved and the Configure Hidden Directories for Restricted
Applications pane closes.

You can also clear the Item field by clicking Clear. To discard any changes you
made and not save them, click Discard.

Configure the Read-only Directories for Restricted Applications

The Read-only Directories for Restricted Applications page lets you specify which
directories are read-only for restricted applications.

To add read-only directories for restricted applications

1. Click Add/Remove Read-only Directories for Restricted Applications.

The Configure Read-only Directories for Restricted Applications pane opens.

2. In the Item field, enter the path of the read-only directory.

If you need to add special folders such as CD ROM drives, use the Special
Folders drop-down menu.

3. Click Add.

The directory is added to the list.

4. Click Save.

Your changes are saved and the Configure Read-only Directories for
Restricted Applications pane closes.

To remove read-only directories for restricted applications

1. Click Add/Remove Read-only Directories for Restricted Applications.

The Configure Read-only Directories for Restricted Applications pane opens.

2. Select the directory or directories to remove and click Remove.

The directory is deleted from the list.

3. Click Save.

Your changes are saved and the Configure Read-only Directories for
Restricted Applications pane closes.

To modify read-only directories for restricted applications

1. Click Add/Remove Read-only Directories for Restricted Applications.

The Configure Read-only Directories for Restricted Applications pane opens.

2. Select the read-only directory to modify.

3. Enter the new path in the Item field and click Modify.

The directory is updated to match the new path.

4. Click Save.

Your changes are saved and the Configure Read-only Directories for
Restricted Applications pane closes.

You can also clear the Item field by clicking Clear. To discard any changes you
made and not save them, click Discard.


Configure the Hidden Directories for Users

The Hidden Directories for Users page lets you specify all directories that are
hidden from users on the endpoints. If you do not specify a directory, users
cannot access any hidden directories.

To add hidden directories for users

1. Click Add/Remove Hidden Directories for Users.

The Configure Hidden Directories for Users pane opens.

2. In the Item field, enter the path of the hidden directory.

If you need to add special folders such as CD ROM drives, use the Special
Folders drop-down menu.

3. Click Add.

The directory is added to the list.

4. Click Save.

Your changes are saved and the Configure Hidden Directories for Users pane
closes.

To remove hidden directories for users

1. Click Add/Remove Hidden Directories for Users.

The Configure Hidden Directories for Users pane opens.

2. Select the directory or directories to remove and click Remove.

The directory is deleted from the list.

3. Click Save.

Your changes are saved and the Configure Hidden Directories for Users pane
closes.

To modify hidden directories for users

1. Click Add/Remove Hidden Directories for Users.

The Configure Hidden Directories for Users pane opens.

2. Select the hidden directory to modify.

3. Enter the new path in the Item field and click Modify.

The directory is updated to match the new path.

4. Click Save.

Your changes are saved and the Configure Hidden Directories for Users pane
closes.

You can also clear the Item field by clicking Clear. To discard any changes you
made and not save them, click Discard.

Configure the Read-Only Directories for Users

The Read-only Directories for Users page lets you specify all directories that are
read-only to users. If you do not specify a directory, users have read and write
permissions for all directories.

To add read-only directories for users

1. Click Add/Remove Read-only Directories for Users.

The Configure Read-only Directories for Users pane opens.

2. In the Item field, enter the path of the read-only directory.

If you need to add special folders such as CD ROM drives, use the Special
Folders drop-down menu.

3. Click Add.

The directory is added to the list.

4. Click Save.

Your changes are saved and the Configure Read-only Directories for Users
pane closes.

To remove read-only directories for users

1. Click Add/Remove Read-only Directories for Users.

The Configure Read-only Directories for Users pane opens.

2. Select the directory or directories to remove and click Remove.

The directory is deleted from the list.

3. Click Save.

Your changes are saved and the Configure Read-only Directories for Users
pane closes.

To modify read-only directories for users

1. Click Add/Remove Read-only Directories for Users.

The Configure Read-only Directories for Users pane opens.

2. Select the read-only directory to modify.

3. Enter the new path in the Item field and click Modify.

The directory is updated to match the new path.

4. Click Save.

Your changes are saved and the Configure Read-only Directories for Users
pane closes.

You can also clear the Item field by clicking Clear. To discard any changes you
made and not save them, click Discard.

Configure the Hidden Registry Keys for Users

The Hidden Registry Keys for Users page lets you specify registry keys that are
hidden from the users. If you do not specify a hidden registry key, users can
access any registry keys. The values you enter for the hidden registry keys
should start with HKCR, HKCU, HKLM, HKU or HKCC.

To add hidden registry keys for users

1. Click Add/Remove Hidden Registry Keys for Users.

The Configure Hidden Registry Keys for Users pane opens.

2. In the Item field, enter the value of the hidden registry key.

3. Click Add.

The registry key is added to the list.

4. Click Save.

Your changes are saved and the Configure Hidden Registry Keys for Users
pane closes.

To remove hidden registry keys for users

1. Click Add/Remove Hidden Registry Keys for Users.

The Configure Hidden Registry Keys for Users pane opens.

2. Select the key to remove and click Remove.

The key is deleted from the list.

3. Click Save.

Your changes are saved and the Configure Hidden Registry Keys for Users
pane closes.

To modify hidden registry keys for users

1. Click Add/Remove Hidden Registry Keys for Users.

The Configure Hidden Registry Keys for Users pane opens.

2. Select the hidden registry key to modify.

3. Enter the new value in the Item field and click Modify.

The key is updated to match the new value.

4. Click Save.

Your changes are saved and the Configure Hidden Registry Keys for Users
pane closes.

You can also clear the Item field by clicking Clear. To discard any changes you
made and not save them, click Discard.

Configure the Hidden Custom Registry Keys for Restricted Applications

The Hidden Custom Registry Keys for Restricted Applications page lets you
specify registry keys that are hidden to applications on the restricted applications
list. The values you enter for the hidden registry keys should start with HKCR,
HKCU, HKLM, HKU or HKCC.

To add hidden custom registry keys for restricted applications

1. Click Add/Remove Hidden Custom Registry Keys for Restricted Applications.

The Configure Hidden Custom Registry Keys for Restricted Applications pane
opens.

2. In the Item field, enter the value of the hidden registry key.

3. Click Add.

The registry key is added to the list.

4. Click Save.

Your changes are saved and the Configure Hidden Custom Registry Keys for
Restricted Applications pane closes.

To remove hidden custom registry keys for restricted applications

1. Click Add/Remove Hidden Custom Registry Keys for Restricted Applications.

The Configure Hidden Custom Registry Keys for Restricted Applications pane
opens.

2. Select the key to remove and click Remove.

The key is deleted from the list.

3. Click Save.

Your changes are saved and the Configure Hidden Custom Registry Keys for
Restricted Applications pane closes.

To modify hidden custom registry keys for restricted applications

1. Click Add/Remove Hidden Custom Registry Keys for Restricted Applications.

The Configure Hidden Custom Registry Keys for Restricted Applications pane
opens.

2. Select the hidden registry key to modify.

3. Enter the new value in the Item field and click Modify.

The key is updated to match the new value.

4. Click Save.

Your changes are saved and the Configure Hidden Custom Registry Keys for
Restricted Applications pane closes.

You can also clear the Item field by clicking Clear. To discard any changes you
made and not save them, click Discard.

Configure the Read-only Custom Registry Keys for Restricted Applications

The Read-only Custom Registry Keys for Restricted Applications page lets you
specify which custom registry keys are read-only to the restricted application
list. If you do not specify any read-only registry keys, restricted applications
have read and write access to all non-hidden registry keys.

To add read-only custom registry keys for restricted applications

1. Click Add/Remove Read-only Custom Registry Keys for Restricted
Applications.

The Configure Read-only Custom Registry Keys for Restricted Applications
pane opens.

2. In the Item field, enter the value of the read-only registry key.

3. Click Add.

The registry key is added to the list.

4. Click Save.

Your changes are saved and the Configure Read-only Custom Registry Keys
for Restricted Applications pane closes.

To remove read-only custom registry keys for restricted applications

1. Click Add/Remove Read-only Custom Registry Keys for Restricted
Applications.

The Configure Read-only Custom Registry Keys for Restricted Applications
pane opens.

2. Select the key to remove and click Remove.

The key is deleted from the list.

3. Click Save.

Your changes are saved and the Configure Read-only Custom Registry Keys
for Restricted Applications pane closes.

To modify read-only custom registry keys for restricted applications

1. Click Add/Remove Read-only Custom Registry Keys for Restricted
Applications.

The Configure Read-only Custom Registry Keys for Restricted Applications
pane opens.

2. Select the read-only registry key to modify.

3. Enter the new value in the Item field and click Modify.

The key is updated to match the new value.

4. Click Save.

Your changes are saved and the Configure Read-only Custom Registry Keys
for Restricted Applications pane closes.

You can also clear the Item field by clicking Clear. To discard any changes you
made and not save them, click Discard.


Configure the Read-Only Registry Keys for Users

The Read-only Registry Keys for Users page lets you specify which registry keys
are read-only to the users on the endpoint. If you do not specify any read-only
registry keys, users have read and write access to all non-hidden registry keys.

To add read-only registry keys for users

1. Click Add/Remove Read-only Registry Keys for Users.

The Configure Read-only Registry Keys for Users pane opens.

2. In the Item field, enter the value of the read-only registry key.

3. Click Add.

The registry key is added to the list.

4. Click Save.

Your changes are saved and the Configure Read-only Registry Keys for Users
pane closes.

To remove read-only registry keys for users

1. Click Add/Remove Read-only Registry Keys for Users.

The Configure Read-only Registry Keys for Users pane opens.

2. Select the key to remove and click Remove.

The key is deleted from the list.

3. Click Save.

Your changes are saved and the Configure Read-only Registry Keys for Users
pane closes.

To modify read-only registry keys for users

1. Click Add/Remove Read-only Registry Keys for Users.

The Configure Read-only Registry Keys for Users pane opens.

2. Select the read-only registry key to modify.

3. Enter the new value in the Item field and click Modify.

The key is updated to match the new value.

4. Click Save.

Your changes are saved and the Configure Read-only Registry Keys for Users
pane closes.

You can also clear the Item field by clicking Clear. To discard any changes you
made and not save them, click Discard.


Configure the Protected Custom Services for Restricted Applications

The Protected Custom Services for Restricted Applications page lets you specify
which services are protected from any attempts at running or changing the
services for restricted applications. You specify which services the restricted
applications cannot modify. If you do not specify any protected services,
restricted applications can modify or access all services.

To add protected custom services for restricted applications

1. Click Add/Remove Protected Custom Services for Restricted Applications.

The Configure Protected Custom Services for Restricted Applications pane
opens.

2. In the Item field, enter the value of the protected service.

3. Click Add.

The service is added to the list.

4. Click Save.

Your changes are saved and the Configure Protected Custom Services for
Restricted Applications pane closes.

To remove protected custom services for restricted applications

1. Click Add/Remove Protected Custom Services for Restricted Applications.

The Configure Protected Custom Services for Restricted Applications pane
opens.

2. Select the service to remove and click Remove.

The service is deleted from the list.

3. Click Save.

Your changes are saved and the Configure Protected Custom Services for
Restricted Applications pane closes.

To modify protected custom services for restricted applications

1. Click Add/Remove Protected Custom Services for Restricted Applications.

The Configure Protected Custom Services for Restricted Applications pane
opens.

2. Select the protected service to modify.

3. Enter the new value in the Item field and click Modify.

The protected service is updated to match the new value.

4. Click Save.

Your changes are saved and the Configure Protected Custom Services for
Restricted Applications pane closes.

You can also clear the Item field by clicking Clear. To discard any changes you
made and not save them, click Discard.

Configure the Protected Services for Users

The Protected Services for Users page lets you specify which services are
protected from any attempts at running or changing the services by users on the
endpoint. If you do not specify any protected services, users can modify or
access all services.

To add protected services for users

1. Click Add/Remove Protected Services for Users.

The Configure Protected Services for Users pane opens.

2. In the Item field, enter the value of the protected service.

3. Click Add.

The protected service is added to the list.

4. Click Save.

Your changes are saved and the Configure Protected Services for Users pane
closes.

To remove protected services for users

1. Click Add/Remove Protected Services for Users.

The Configure Protected Services for Users pane opens.

2. Select the protected service to remove and click Remove.

The service is deleted from the list.

3. Click Save.

Your changes are saved and the Configure Protected Services for Users pane
closes.

To modify protected services for users

1. Click Add/Remove Protected Services for Users.

The Configure Protected Services for Users pane opens.

2. Select the protected service to modify.

3. Enter the new value in the Item field and click Modify.

The service is updated to match the new value.

4. Click Save.

Your changes are saved and the Configure Protected Services for Users pane
closes.

You can also clear the Item field by clicking Clear. To discard any changes you
made and not save them, click Discard.

Configure the Protected Custom COM Objects for Restricted Applications

The Protected Custom COM Objects for Restricted Applications page lets you
specify which COM objects restricted applications cannot create. If you do not
specify any protected COM objects, restricted applications can create all COM
objects. The values should be in valid CLSID format, for example,
0CD7A5C0-9F37-11CE-AE65-08002B2E1262.

To add protected custom COM objects for restricted applications

1. Click Add/Remove Protected Custom COM Objects for Restricted
Applications.

The Configure Protected Custom COM Objects for Restricted Applications
pane opens.

2. In the Item field, enter the value of the protected COM object.

3. Click Add.

The protected COM object is added to the list.

4. Click Save.

Your changes are saved and the Configure Protected Custom COM Objects for
Restricted Applications pane closes.

To remove protected custom COM objects for restricted applications

1. Click Add/Remove Protected Custom COM Objects for Restricted
Applications.

The Configure Protected Custom COM Objects for Restricted Applications
pane opens.

2. Select the protected COM object to remove and click Remove.

The protected COM object is deleted from the list.

3. Click Save.

Your changes are saved and the Configure Protected Custom COM Objects
for Restricted Applications pane closes.

To modify protected custom COM objects for restricted applications

1. Click Add/Remove Protected Custom COM Objects for Restricted
Applications.

The Configure Protected Custom COM Objects for Restricted Applications
pane opens.

2. Select the protected COM object to modify.

3. Enter the new value in the Item field and click Modify.

The protected COM object is updated to match the new value.

4. Click Save.

Your changes are saved and the Configure Protected Custom COM Objects
for Restricted Applications pane closes.

You can also clear the Item field by clicking Clear. To discard any changes you
made and not save them, click Discard.

Configure the Protected COM Objects for Users

The Protected COM Objects for Users page lets you specify which COM objects
users on the endpoint cannot create. If you do not specify any protected COM
objects, users can modify or access all COM objects.

The values should be in valid CLSID format, for example,
0CD7A5C0-9F37-11CE-AE65-08002B2E1262.

To add protected COM objects for users

1. Click Add/Remove Protected COM Objects for Users.

The Configure Protected COM Objects for Users pane opens.

2. In the Item field, enter the value of the protected COM object.

3. Click Add.

The protected COM object is added to the list.

4. Click Save.

Your changes are saved and the Configure Protected COM Objects for Users
pane closes.

To remove protected COM objects for users

1. Click Add/Remove Protected COM Objects for Users.

The Configure Protected COM Objects for Users pane opens.

2. Select the protected COM object to remove and click Remove.

The protected COM object is deleted from the list.

3. Click Save.

Your changes are saved and the Configure Protected COM Objects for Users
pane closes.

To modify protected COM objects for users

1. Click Add/Remove Protected COM Objects for Users.

The Configure Protected COM Objects for Users pane opens.

2. Select the protected COM object to modify.

3. Enter the new value in the Item field and click Modify.

The protected COM object is updated to match the new value.

4. Click Save.

Your changes are saved and the Configure Protected COM Objects for Users
pane closes.

You can also clear the Item field by clicking Clear. To discard any changes you
made and not save them, click Discard.

Set Intrusion Protection Advanced Configuration

The Intrusion Protection Advanced Configuration lets you configure the
definitions and components that are used to construct the Intrusion Protection
Policies. The Intrusion Protection Advanced Configuration lets you create Rules,
Rule Sets and Rule Set Groups for your Intrusion Protection Policies. Also, you can
create Transportation, IP Address, and Time Frame definitions from the Intrusion
Protection Advanced Configuration.

When creating Intrusion Protection Advanced Configuration objects, you must
first create the Rule Sets, then rules for the individual sets. Then you can
combine the Rule Sets into Rule Set Groups, if necessary.

When populating a Rule Set with rules, you can copy rules from one Rule Set and
paste them into another Rule Set using the copy and paste feature. When
pasted, the copy uses the original rule's name with a number appended to the
end.


Configure Rule Set Groups

Rule Set Groups let you organize your Rule Sets into groups. You can then use
these groups when creating policies. This lets you easily create policies by only
selecting one Rule Set group that applies instead of having to pick the Rule Sets
each time you create a policy.

Note: Some Rule Set groups are read-only. You can view the details of these
Rule Set groups, but you cannot edit those details. If you select a read-only Rule
Set group, the Edit button changes to the View button.

This page includes the following buttons:

New
Click this button to create a new Rule Set group.

Edit
Select a Rule Set group and click this button to edit that object. Editing is the
same as creating a new object; you are just changing the existing values.

Copy
Select a Rule Set group and click this button to add a copy to the memory.

Paste
Click this button to paste a copy of the Rule Set group.

Delete
Select a Rule Set group and click this button to remove that group from the
list.

View
This button only appears if you select a read-only Rule Set group. Click this
button to view the details of the Rule Set group. You cannot edit the details
of the Rule Set group.

To create an Intrusion Protection Rule Set group

1. Click New.
The Create Intrusion Protection Rule Set Group window opens to the Name
and General Settings pane.

2. Enter the name and description for the Rule Set group and click Next.
The Select Rule Sets pane opens.

3. Select the Rule Set to add from the Available Rule Sets table and use the Up
arrow to move the Rule Set to the Selected Rules table.

4. Click Save to save your changes.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Configure Name and General Settings

The Name and General Settings page lets you specify the name and a description
for the rule set group you are creating.

Note: If you access this page from the Global Policy Definition menu, you
create a global rule set group that can be used across all partitions. If you
access this page from within a specific partition, you create a rule set group
that can only be used in that partition.

To configure the Name and General Settings

1. Enter the name and description for the rule set group.

2. Click Next to move to the next page. Click Save to save your changes. Your
changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Select Rule Sets

When creating a Rule Set group, you must add the Rule Sets to the group. You
add the Rule Sets on the Select Rule Sets page for that rule group.

To add Rule Sets to a Rule Set group

1. Select the Rule Set to add from the Available Rule Sets table.
2. Use the Up arrow to move the Rule Set to the Selected Rules table.
3. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Additionally, you can remove a Rule Set from the Selected Rule Sets table by
selecting the Rule Set and using the Down arrow button to move the rule to the
Available Rule Sets table.

Configure Intrusion Protection Rule Sets

Rule Sets contain rules that can be used in Rule Set groups or in policies. From
this page you can create new Rule Sets or view existing Rule Sets.

Note: Some Rule Sets are read-only. You can view the details of these Rule Sets,
but you cannot edit those details. If you select a read-only Rule Set, the Edit
button changes to the View button.

This page includes the following buttons:

New
Click this button to create a new Rule Set.

Edit
Select a Rule Set and click this button to edit that object. Editing is the same
as creating a new object; you are just changing the existing values.

Copy
Select a Rule Set and click this button to add a copy to the memory.

Paste
Click this button to paste a copy of the Rule Set.

Delete
Select a Rule Set and click this button to remove that set from the list.

View
This button only appears if you select a read-only Rule Set. Click this button
to view the details of the Rule Set. You cannot edit the details of the Rule Set.

To create an Intrusion Protection Rule Set

1. Click New.
The Create Intrusion Protection Rule window opens to the Name and General
Settings pane.

2. Enter the name and description for the Rule Set and click Save.
Your changes are saved and you are returned to the Rule Set page.

Configure Name and General Settings

The Name and General Settings page lets you specify the name and a description
for the rule set you are creating. This page is common to almost all Advanced
Configuration policy component objects.

Note: If you access this page from the Global Policy Definition menu, you
create a global rule set that can be used across all partitions. If you access
this page from within a specific partition, you create a rule set that can only
be used in that partition.

To configure the Name and General Settings

1. Enter the name and description for the rule set.

2. Click Next to move to the next page. Click Save to save your changes. Your
changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

View Included Rules

You can view the rules included in a Rule Set from the View Included Rules page.

To view included rules

1. Select the Rule Set whose rules you want to view.

2. Click Edit or View, depending on whether the Rule Set is read-only.
The Name and General Settings page opens.

3. Click Next.
The View Included Rules page opens, displaying the rules found in the Rule
Set.

Note: Rules are added to the Rule Set from the Configure Intrusion Protection
Rules page.

Configure Intrusion Protection Rules

Intrusion Protection rules are used to make Intrusion Protection policies. These
rules let you specify expected packet content and other information using
tokens. You can create rules with one or multiple tokens, depending on your
needs for that rule. When creating an Intrusion Protection rule, you can create
the tokens in the order suggested and later reorder the tokens as necessary.
Alternatively, you can jump around, creating the tokens in the order you need.
However, the process described here follows the order suggested by the
Intrusion Protection Rule editor.

When viewing rules, the page only displays the rules for the Rule Set you select.
Use the Select Rule Set drop-down menu to pick the Rule Set to view.

Important! You cannot add rules to the built-in Rule Sets. If you attempt to
create a rule without first creating a user-defined Rule Set, the Management
Console displays an error when you try to save the rule.

To create an Intrusion Protection rule

1. Configure the Name and General Settings. (see page 367)
Provide a name and description for the rule.

2. Configure the Transport Settings. (see page 368)
Specify the protocol to which this rule applies.

3. Configure the IP Addresses. (see page 369)
Specify the IP address to which this rule applies. You can specify a remote
address, local, or both. You can also specify whether this rule applies to
outbound or inbound traffic.

4. Set the Access Permission and Audit Level. (see page 370)
Specify whether this rule prevents or monitors access. You must also specify
the audit level for this rule.

5. Select the Rule Set. (see page 371)
Verify the Rule Set which contains this rule. You can switch the Rule Set to
any user-created Rule Set if necessary.

6. Configure the Flow Tokens. (see page 372)
Specify the details for any Flow tokens related to this rule. Use Flow tokens
to allow rules to apply only to certain directions of traffic flow.

7. Configure the IP Fragmentation Tokens. (see page 374)
Specify the details for any IP Fragmentation tokens related to this rule. Use
IP Fragmentation tokens to have the rule apply only if certain IP
Fragmentation Bits are set.

8. Configure the TCP Flag Tokens. (see page 376)
Specify the details for any TCP Flag tokens related to this rule. Use TCP Flag
tokens to have the rule apply only if specific TCP flag bits are present in the
packet.

9. Configure the Content Tokens. (see page 378)
Specify the details for any Content tokens related to this rule. Use Content
tokens to create rules that search for specific content in a packet payload.

10. Configure the General Tokens. (see page 381)
Specify the details for any General tokens related to this rule. Use General
tokens to specify an exact value that the rule checks for in the packet.

11. Configure the Flow Bits Tokens. (see page 384)
Specify the details for any Flow Bits tokens related to this rule. Use Flow Bits
tokens to control a temporary variable that rules can check, set, or unset.

12. Configure the Byte Test Tokens. (see page 386)
Specify the details for any Byte Test tokens related to this rule. Use the Byte
Test token to test a byte field against a specific value.

13. Configure the Byte Jump Tokens. (see page 389)
Specify the details for any Byte Jump tokens related to this rule. Use the Byte
Jump token when you want to read a length of the packet, then skip ahead
that length in the packet and check the packet contents at the new location.

14. Configure the PCRE Tokens. (see page 391)
Specify the details for any PCRE tokens related to this rule. Use Perl
Compatible Regular Expressions (PCRE) tokens to create rules using a
regular expression C library based on Perl's external interface.

15. Reorder the Tokens. (see page 393)
Review the order of the tokens. Tokens are applied in the order listed on this
page and might need to be adjusted to ensure the rule behaves properly.

Configure Name and General Settings

The Name and General Settings page lets you specify the name and a description
for the rule you are creating. This page is common to almost all Advanced
Configuration policy component objects.

Note: If you access this page from the Global Policy Definition menu, the rules
you create are global, and can be used across all partitions. If you access this
page from within a specific partition, you create rules that can only be used in
that partition.

To configure the Name and General Settings

1. Enter the name and description for the rule.

2. Click Next to move to the next page. Click Save to save your changes.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Configure Transport Settings

The Transport Settings page lets you specify the protocol and port or set of ports
to which this rule applies. You can select from a list of existing transports, or
specify your own private transport settings. Specifying your own settings lets
you create rules that apply to only certain source or destination ports, limiting
the scope of the rule to match your needs.

To add a new transport for use with multiple rules, create the transport using the
Transport Definitions found under Configure Other Intrusion Protection
Advanced Policy Components.

To configure the Transport Settings

1. Open the Transport Settings page by either clicking Next on the Name and
General Settings page of the Intrusion Protection Rule editor, or by clicking
the Transport Settings link in the Steps to Create Rule pane.
The Transport Settings page opens.

2. Enable one of the following options:

Use Existing Transport
Select this option and a protocol from the drop-down list to use that
protocol for this rule. Use this option if you know you have a protocol that
matches your needs. You can create these protocols on the Create
Transport Definition page.

Use Private Transport
Select this option to specify your own transport setting unique to this
rule. If you use this option, you must add additional protocol
information. This protocol cannot be reused in other rules. If you wish to
reuse the protocol, create a Transport Definition for this protocol.

3. (Optional) If you selected Use Private Transport, enable Negate Source Ports
to prevent this rule from applying to incoming traffic.

4. (Optional) If you selected Use Private Transport, enable Negate Destination
Ports to prevent this rule from applying to outgoing traffic.

5. (Optional) If you selected Use Private Transport, you must add information
describing one or more protocols.

■ To add a protocol, select the appropriate protocol type from the
drop-down menu, specify the Source and Destination Port, and click Add.
■ To remove a protocol item, select the protocol and click Remove.
■ To modify a protocol, select the protocol and click Modify.
■ To clear the data fields without making any changes, click Clear.

6. Click Next to move to the IP Addresses page. Alternatively, click Save to save
your changes and return to the Intrusion Protection Rules page. Click Back to
return to the previous page. Click Discard to remove any changes you made.
Click Close to close the page without saving changes.

More information:

Create Transport Definitions (see page 452)
Configure All Advanced Policy Components (see page 394)
Create Intrusion Protection Policies (see page 299)
Assign Policies (see page 202)

Configure IP Addresses

You can create Intrusion Protection rules that apply only to traffic between two
sites. When configuring such rules, you must specify the remote IP address, the
local IP address, and which traffic you want blocked or monitored.

You can only specify inbound or outbound traffic per rule. To block both types of
traffic, you must create two rules, one blocking inbound, the other blocking
outbound traffic.

When specifying an address, you must select the address from a drop-down
menu of IP addresses that have already been defined. To define an IP Address,
use the IP Address Definitions editor found under Configure Other Intrusion
Protection Advanced Policy Components.

To configure the IP Address Settings

1. Open the IP Address Settings page by either clicking Next on the Transport
Settings page of the Create Intrusion Protection Rule, or by clicking the IP
Transport link in the Steps to Create Rule pane.
The IP Addresses page opens.

2. Use the drop-down menu to select the IP addresses to which you want this
rule to apply.
You can specify a remote address, local, or both.

3. Specify whether this rule applies to outbound or inbound traffic.

4. Click Next.
The Access Permission and Audit Level page opens.
Alternatively, click Save to save your changes and return to the Intrusion
Protection Rules page. Click Back to return to the previous page. Click
Discard to remove any changes you made. Click Close to close the page
without saving changes.

More information:

Create IP Address Definitions (see page 454)
Configure All Advanced Policy Components (see page 394)
Create Intrusion Protection Policies (see page 299)
Assign Policies (see page 202)

Configure Access Permission and Audit Level

The Access Permission and Audit Level page lets you specify if the Intrusion
Protection rule prevents access or simply monitors access.

You can also specify the audit level of the rule. Every time the endpoint applies
this rule, the endpoint generates an event based on the level you specify on this
page. The Event Management Policy in force on the endpoint controls whether
the event is reported to the Event Server.

To configure Access Permission and Audit Level

1. Open the Access Permission and Audit Level page by either clicking Next on
the IP Address Settings page of the Create Intrusion Protection Rule, or by
clicking the Access Permission and Audit Level link in the Steps to Create
Rule pane.

The Access Permission and Audit Level page opens.

2. Specify whether you want this rule to prevent access or simply to monitor
access, and specify the audit level for this rule.

3. Click Next.
The Select Rule Set Used page opens.
Alternatively, click Save to save your changes and return to the Intrusion
Protection Rules page, click Back to return to the previous page, click Discard
to remove any changes you made, or click Close to close the page without
saving changes.

More information:

Configure All Advanced Policy Components (see page 394)
Create Event Management Policies (see page 239)
Create Intrusion Protection Policies (see page 299)
Assign Policies (see page 202)

Select the Rule Set Used

The Select Rule Set Used page lets you specify which Rule Set should contain the
rule you are creating. You can use this page to create a rule in a Rule Set other
than the one you selected in the Select Rule Set drop-down menu.

You can only select a user-defined Rule Set. You cannot add a rule to a built-in
Rule Set. If you try to save the rule you created to a built-in Rule Set, the
Management Console displays an error message.

By default, if you did not select a Rule Set from the Select Rule Set drop-down
list, or you selected a built-in Rule Set, the Management Console places the rule
in the first Rule Set listed on this page.

To select the Rule Set used

1. Open the Select Rule Set page by either clicking Next on the Access
Permissions and Audit Level page of the Create Intrusion Protection Rule, or
by clicking the Select Rule Set link in the Steps to Create Rule pane.
The Select Rule Set page opens.

2. Select the Rule Set to contain this rule and click Next.
The Configure Flow Tokens page opens.
Alternatively, click Save to save your changes and return to the Intrusion
Protection Rules page, click Back to return to the previous page, click Discard
to remove any changes you made, or click Close to close the page without
saving changes.

More information:

Configure All Advanced Policy Components (see page 394)
Configure Intrusion Protection Rule Sets (see page 364)
Create Intrusion Protection Policies (see page 299)
Assign Policies (see page 202)

Configure Flow Tokens

Use Flow tokens to allow rules to apply only to certain directions of traffic flow.
You can specify if the rule applies from Client to Server or from Server to Client.
You can also specify if the rule applies to established connections or to rebuilt
packet streams.

To add a Flow token

1. Open the Configure Flow Tokens page by either clicking Next on the Select
Rule Set Used page of the Create Intrusion Protection Rule, or by clicking the
Configure Flow Tokens link in the Steps to Create Rule pane.
The Configure Flow Tokens page opens.

2. Specify the Flow Direction. You can choose one of the following options:

Client to Server
Select this option to have this rule apply to packets going from the
endpoint to a server, in a reassembled TCP stream, when the endpoint is a
client in relation to the server.

Server to Client
Select this option to have this rule apply to packets going from the
endpoint to a client, in a reassembled TCP stream, when the endpoint acts
as a server in relation to the client.

Both Directions
Select this option to have this rule apply to both directions of
communication.

3. Specify the Connection State. You can choose one of the following options:

Any Connection State
Select this option to have this rule apply regardless of the state of the
connection.

Stateless
Select this option to have this rule apply only to stateless connections.

Established
Select this option to have this rule apply only to established TCP
connections.

4. Specify the Stream Type. You can choose one of the following options:

Any Stream
Select this option to have this rule apply regardless of the stream state.

No Stream
Select this option to have this rule apply only to stream packets that were
not rebuilt.

Stream Only
Select this option to have this rule apply only to rebuilt stream packets.
Use this option if you suspect an outside source is altering the stream
packets.

5. Click Add.
The Flow token is added to the list.

6. Click Next.
The Configure IP Fragmentation Tokens page opens.
Alternatively, click Save to save your changes and return to the Intrusion
Protection Rules page, click Back to return to the previous page, click Discard
to remove any changes you made, or click Close to close the page without
saving changes.

This page contains the following buttons:

Add
Specify the token information and click this button to add the token. This
button only appears if you have no tokens selected.

Update
Select a token in the list, change any value, and click this button to update
the token to the new values. This button is only visible if you select a token.

Delete
Select a token in the list and click this button to delete it. This button is active
if you have a token selected.

Clear
Click this button to clear all data you entered, resetting the values to the
default state. This button is active if you have no token selected.

De-Select Grid Item
To add a new item, you cannot have any of the items in the list selected. Use
this button to de-select the current item, so that you can add a new token.
This button is active if you have a token selected.

Configure IP Fragmentation Tokens

Use IP Fragmentation tokens to have the rule apply to packets with certain IP
Fragmentation Bits set or unset. For example, you can create a rule that detects
packets with only the Reserve Bit set, or packets with the Reserve Bit and Do Not
Fragment Bit not set.

To add an IP Fragmentation token

1. Open the Configure IP Fragmentation Tokens page by either clicking Next on
the Configure Flow Token page of the Create Intrusion Protection Rule, or by
clicking the Configure IP Fragmentation Tokens link in the Steps to Create
Rule pane.
The Configure IP Fragmentation Tokens page opens.

2. Enable one or more of the IP Fragmentation Bits. You can enable the
following bits:

MF Bit
Enable to have the rule check the More Fragments bit.

DF Bit
Enable to have the rule check the Do Not Fragment bit.

Res Bit
Enable to have the rule check the Reserve bit.

3. Select the appropriate Flag Set Modifiers. You can select from the following
options:

Match only if all specified bits are set
Select this option to have the rule apply only if all the bits you specified
are set. If one bit is not set, the rule does not apply.

Match if all specified bits plus any others are set
Select this option to have the rule apply if the bits you specified and at
least one other bit are set.

Match if any specified bits are set
Select this option to have the rule apply if any of the bits you specified
are set. As long as one bit is set, even if others are not, the rule is
applied. Use this option to ensure that at least one of the selected bits is
set.

Match if the specified bits are not set
Select this option to have the rule apply only if the bits you specified are
not set. Select this option to create a rule that blocks traffic if the bits are
not set.

4. Click Add.
The token is added to the list.

5. Click Next.
The Configure TCP Flag Tokens page opens.
Alternatively, click Save to save your changes and return to the Intrusion
Protection Rules page, click Back to return to the previous page, click Discard
to remove any changes you made, or click Close to close the page without
saving changes.

This page contains the following buttons:

Add
Specify the token information and click this button to add the token. This
button only appears if you have no tokens selected.

Update
Select a token in the list, change any value, and click this button to update
the token to the new values. This button is only visible if you select a token.

Delete
Select a token in the list and click this button to delete it. This button is active
if you have a token selected.

Clear
Click this button to clear all data you entered, resetting the values to the
default state. This button is active if you have no token selected.

De-Select Grid Item
To add a new item, you cannot have any of the items in the list selected. Use
this button to de-select the current item, so that you can add a new token.
This button is active if you have a token selected.

Configure TCP Flag Tokens

Use TCP Flag tokens to have the rule apply only if specific TCP flag bits are
present in the packet.

To add a TCP Flag token

1. Open the Configure TCP Flag Tokens page by either clicking Next on the
Configure IP Fragmentation Token page of the Create Intrusion Protection
Rule, or by clicking the Configure TCP Flag Tokens link in the Steps to Create
Rule pane.
The Configure TCP Flag Tokens page opens.

2. Set the TCP Flags as appropriate.
Flags can be set to Ignore, On, or Off. Ignored flags are not checked. Flags
that are set to On are allowed. Flags set to Off are prevented.
You can select to check the following TCP flag tokens:

FIN
Select this option to check the FIN flag. The FIN flag is set if the sender
is not transmitting any more data.

SYN
Select this option to check the Synchronize sequence number flag.

RST
Select this option to check if the Reset Connection flag is set.

PUSH
Select this option to check if the Push flag is set.

ACK
Select this option to check the Acknowledgement flag.

URG
Select this option to check if the Urgent flag bit is set.

RES 1 and RES 2
Select one of these options to check if either of the reserve bits is set.
Generally, these bits are reserved for future protocol use and should not
be set.

3. Select the appropriate Modifier Flags. You can select from the following
options:

Match only if all specified bits are set
Select this option to have the rule apply only if all the bits you specified
are set. If one bit is not set, the rule does not apply.

Match if all specified bits plus any others are set
Select this option to have the rule apply if the bits you specified and at
least one other bit are set.

Match if any specified bits are set
Select this option to have the rule apply if any of the bits you specified
are set. As long as one bit is set, even if the others are not, the rule is
applied. Use this option to ensure that at least one of the selected bits is
set.

Match if the specified bits are not set
Select this option to have the rule apply only if the bits you specified are
not set. Select this option to create a rule that blocks traffic if the bits are
not set.

4. Click Add.
The token is added to the list.

5. Click Next.
The Configure Content Tokens page opens.
Alternatively, click Save to save your changes and return to the Intrusion
Protection Rules page, click Back to return to the previous page, click Discard
to remove any changes you made, or click Close to close the page without
saving changes.

This page contains the following buttons:

Add
Specify the token information and click this button to add the token. This
button only appears if you have no tokens selected.

Update
Select a token in the list, change any value, and click this button to update
the token to the new values. This button is only visible if you select a token.

Delete
Select a token in the list and click this button to delete it. This button is active
if you have a token selected.

Clear
Click this button to clear all data you entered, resetting the values to the
default state. This button is active if you have no token selected.

De-Select Grid Item
To add a new item, you cannot have any of the items in the list selected. Use
this button to de-select the current item, so that you can add a new token.
This button is active if you have a token selected.
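
The four Flag Set Modifiers shared by the IP Fragmentation Tokens and TCP Flag Tokens pages, evaluated against the flag bits of a raw IPv4/TCP packet, as an added example; this is not CA Total Defense code. It assumes the standard IPv4 and TCP header layouts and constructed sample packets, and reads "Match only if all specified bits are set" as an exact match with no other bits set, an assumption drawn from its contrast with the "plus any others" option.

```python
"""Added example: evaluate the four flag-set modifiers from the IP
Fragmentation and TCP Flag token pages against a raw IPv4/TCP packet.
Not CA Total Defense code. The exact-match reading of ONLY (specified bits
and no others) is an assumption drawn from the page's contrast with the
"plus any others" modifier."""
import struct
from enum import Enum

# IPv4 fragmentation bits: the top three bits of the flags/fragment-offset word.
IP_FRAG_BITS = {"Res": 0x4, "DF": 0x2, "MF": 0x1}
IP_ALL = 0x7

# TCP flag bits as laid out in byte 13 of the TCP header; RES1/RES2 are the
# two high bits the page calls reserved.
TCP_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PUSH": 0x08,
            "ACK": 0x10, "URG": 0x20, "RES1": 0x40, "RES2": 0x80}
TCP_ALL = 0xFF


class Modifier(Enum):
    ONLY = "Match only if all specified bits are set"
    PLUS_ANY = "Match if all specified bits plus any others are set"
    ANY = "Match if any specified bits are set"
    NOT = "Match if the specified bits are not set"


def bits_match(flags, specified, modifier, all_bits):
    """Apply one modifier to the observed flag field (masked to all_bits)."""
    flags &= all_bits
    if modifier is Modifier.ONLY:       # exactly the specified bits (assumption)
        return flags == specified
    if modifier is Modifier.PLUS_ANY:   # specified bits plus at least one other, as the page states
        return (flags & specified) == specified and (flags & ~specified) != 0
    if modifier is Modifier.ANY:        # at least one of the specified bits
        return (flags & specified) != 0
    return (flags & specified) == 0     # NOT: none of the specified bits


def parse_flags(packet):
    """Return (ip_frag_bits, tcp_flags) from a raw IPv4 packet; tcp_flags is
    None when the packet is not TCP or is truncated before the flag byte."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, frag_word, _ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp_flags = packet[ihl + 13] if proto == 6 and len(packet) >= ihl + 14 else None
    return frag_word >> 13, tcp_flags


def ip_frag_token_matches(packet, bit_names, modifier):
    """IP Fragmentation token: bit_names are any of "MF", "DF", "Res"."""
    specified = 0
    for name in bit_names:
        specified |= IP_FRAG_BITS[name]
    ip_bits, _ = parse_flags(packet)
    return bits_match(ip_bits, specified, modifier, IP_ALL)


def tcp_flag_token_matches(packet, flag_names, modifier):
    """TCP Flag token: flag_names are keys of TCP_BITS."""
    specified = 0
    for name in flag_names:
        specified |= TCP_BITS[name]
    _, tcp_flags = parse_flags(packet)
    if tcp_flags is None:
        return False                    # a TCP Flag token cannot match a non-TCP packet
    return bits_match(tcp_flags, specified, modifier, TCP_ALL)


def build_packet(ip_bits, tcp_flags):
    """Constructed sample IPv4/TCP packet (checksums left zero, placeholder
    addresses from 10.0.0.0/8); not captured traffic."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, ip_bits << 13,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


# Constructed samples: a SYN with DF set, and a SYN/ACK with Res and DF set.
SYN_DF = build_packet(IP_FRAG_BITS["DF"], TCP_BITS["SYN"])
SYNACK_RES_DF = build_packet(IP_FRAG_BITS["Res"] | IP_FRAG_BITS["DF"],
                             TCP_BITS["SYN"] | TCP_BITS["ACK"])

if __name__ == "__main__":
    for label, pkt in (("SYN, DF", SYN_DF), ("SYN/ACK, Res+DF", SYNACK_RES_DF)):
        for mod in Modifier:
            print(f"{label:16} {mod.name:8} IP[DF] -> {ip_frag_token_matches(pkt, ['DF'], mod)!s:5}"
                  f" TCP[SYN] -> {tcp_flag_token_matches(pkt, ['SYN'], mod)}")
```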

Configure Content Tokens

Use Content tokens to create rules that search for specific content in a packet
payload. During the check, if Intrusion Protection finds data exactly matching the
argument data string within the packet’s payload, it applies the rule to this
communication.

Note: Checking the packet payload can have significant CPU requirements and
can hinder a computer's performance.

When creating Content tokens, you define a string or binary sequence using
C notation. This is the data for which Intrusion Protection searches in the
payload. Under normal circumstances, the data is case sensitive.

To add a Content token

1. Open the Configure Content Tokens page by either clicking Next on the
Configure TCP Flag Token page of the Create Intrusion Protection Rule, or by
clicking the Configure Content Tokens link in the Steps to Create Rule pane.
The Configure Content Tokens page opens.

2. Specify the value of the token.
You must specify the value for each Content token. The value is the string or
binary sequence for which Intrusion Protection is searching.

3. Specify the Offset if you are not enabling the Relative Offset option in the
Search Flags.

4. Specify the Depth if you are not enabling the Relative Depth option in the
Search Flags.

5. Set the Within value, if necessary.
To set this value, enable Relative Depth in the Additional Search Flags
column, then enter the Within value.
You must enable Relative Depth to identify content by Within.

6. Set the Distance value, if necessary.
To set this value, enable Relative Offset in the Additional Search Flags
column, then enter the Distance.
You must enable Relative Offset to identify content by Distance.

7. Enable any Search Flags to meet your needs.
You can enable any of the following flags:

Negation/Complement
Apply the rule to all packets not containing the value you set.

URI Content
Restrict the search to only the normalized request URI field. URI
normalization is the process by which URIs are modified and
standardized in a consistent manner. Normalization helps you determine
if two syntactically different URIs are equivalent.

No Case
Have Intrusion Protection search for the data regardless of case. For
example, if you are searching for the value "Too" and enable this option,
Intrusion Protection applies this rule if the payload contains "too",
"Too", or even "tOO".

RegExp
Treat the value as a Perl-compatible regular expression. The rule only
applies if the expression is true based on the data in the packet.

Relative Depth
Have the rule check against a relative depth rather than a set value. If
you enable this option, you must specify the range of the relative depth
in the Within field.

Relative Offset
Have the rule check against a relative offset rather than a set value. If
you enable this option, you must specify the range of the relative offset
in the Distance field.

8. Click Add.
The token is added to the list.

9. Click Next.
The Configure General Tokens page opens.
Alternatively, click Save to save your changes and return to the Intrusion
Protection Rules page, click Back to return to the previous page, click Discard
to remove any changes you made, or click Close to close the page without
saving changes.

This page contains the following buttons:

Add
Specify the token information and click this button to add the token. This
button only appears if you have no tokens selected.

Update
Select a token in the list, change any value, and click this button to update
the token to the new values. This button is only visible if you select a token.

Delete
Select a token in the list and click this button to delete it. This button is active
if you have a token selected.

Clear
Click this button to clear all data you entered, resetting the values to the
default state. This button is active if you have no token selected.

De-Select Grid Item
To add a new item, you cannot have any of the items in the list selected. Use
this button to de-select the current item, so that you can add a new token.
This button is active if you have a token selected.
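
How a chain of Content tokens narrows a payload search using Offset and Depth, Relative Offset with Distance, Relative Depth with Within, No Case and Negation/Complement, as an added example that is not CA Total Defense code. It assumes a constructed HTTP-like payload, a small C-notation decoder for the token value, and that Depth and Within bound the length of the search window from its start, with a match required to lie entirely inside that window.

```python
"""Added example: evaluate an ordered chain of Content tokens (value in
C notation, Offset/Depth, Relative Offset + Distance, Relative Depth + Within,
No Case, Negation) against a packet payload. Not CA Total Defense code; the
window semantics are an assumption modelled on the page's descriptions."""
from dataclasses import dataclass

SIMPLE_ESCAPES = {"n": 0x0A, "r": 0x0D, "t": 0x09, "0": 0x00, "\\": 0x5C, '"': 0x22}


def parse_c_notation(text):
    """Decode a C-notation value such as 'GET \\x2Fcgi' or '\\xff\\xfe' to bytes."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] != "\\":
            out += text[i].encode("latin-1")
            i += 1
            continue
        esc = text[i + 1:i + 2]
        if esc == "x" and len(text[i + 2:i + 4]) == 2:
            out.append(int(text[i + 2:i + 4], 16))   # \xHH -> one byte
            i += 4
        elif esc in SIMPLE_ESCAPES:
            out.append(SIMPLE_ESCAPES[esc])
            i += 2
        else:
            raise ValueError(f"bad escape sequence at position {i}")
    return bytes(out)


@dataclass
class ContentToken:
    value: bytes
    offset: int = 0             # absolute start when Relative Offset is off
    depth: int = 0              # window length from the start; 0 = to end of payload
    distance: int = 0           # start relative to the end of the previous match
    within: int = 0             # window length from that relative start; 0 = to end
    relative_offset: bool = False
    relative_depth: bool = False
    no_case: bool = False
    negate: bool = False        # Negation/Complement: match when the value is absent


def match_token(payload, token, last_end):
    """Return (matched, new_last_end). A negated token never advances last_end."""
    start = last_end + token.distance if token.relative_offset else token.offset
    length = token.within if token.relative_depth else token.depth
    start = max(0, min(start, len(payload)))
    window = payload[start:] if length <= 0 else payload[start:start + length]
    if token.no_case:
        hay, needle = window.lower(), token.value.lower()
    else:
        hay, needle = window, token.value
    idx = hay.find(needle) if needle else -1   # an empty value never matches
    if token.negate:
        return idx == -1, last_end
    if idx == -1:
        return False, last_end
    return True, start + idx + len(needle)


def rule_matches(payload, tokens):
    """All Content tokens of a rule must match, in order, for the rule to apply."""
    last_end = 0
    for token in tokens:
        ok, last_end = match_token(payload, token, last_end)
        if not ok:
            return False
    return True


# Constructed sample payload (not captured traffic) and two rules that differ
# only in the No Case flag on the third token.
HTTP_PAYLOAD = b"GET /cgi-bin/test.cgi?name=Admin HTTP/1.1\r\nHost: example.test\r\n\r\n"


def make_rule(no_case):
    return [
        ContentToken(parse_c_notation("GET "), offset=0, depth=4),
        ContentToken(parse_c_notation("/cgi-bin/"), relative_offset=True, distance=0,
                     relative_depth=True, within=9),
        ContentToken(parse_c_notation("admin"), relative_offset=True, distance=0,
                     relative_depth=True, within=30, no_case=no_case),
        ContentToken(parse_c_notation("Host: intranet.test"), negate=True),
    ]


RULE_NOCASE = make_rule(True)
RULE_CASE = make_rule(False)

if __name__ == "__main__":
    print("No Case rule matches:", rule_matches(HTTP_PAYLOAD, RULE_NOCASE))       # True
    print("case-sensitive rule matches:", rule_matches(HTTP_PAYLOAD, RULE_CASE))  # False
```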

Configure General Tokens

Use General tokens to specify an exact value that the rule checks for in the
packet. This value must fulfill the specified relation within the rule with the
protocol parameters of the analyzed packet. You can also specify if the token
should be equal to, not equal to, greater than, or less than the value you
assign.

To add a General token

1. Open the Configure General Tokens page by either clicking Next on the
Configure Content Token page of the Create Intrusion Protection Rule, or by
clicking the Configure General Tokens link in the Steps to Create Rule pane.
The Configure General Tokens page opens.

2. Specify the token identifier to be checked in the Token ID field.
You can select from one of the following options:

D Size (Data Size)
Use this token to test the packet payload size. You can set a high value
to check for abnormally sized packets, which can be useful for detecting
buffer overflows.

Is Data At
Use this token to check whether the packet payload has data at a
specified location. Unlike other tokens, this token has a special Relation.
Leave the Relation blank to check for data at a specific location. Select
Relative to check the data relative to the last correct match.

Same Address
Use this token to check if the source IP address is the same as the
destination IP address. For this token, do not specify a Relation or Value.

IP TTL
Use this token to check the IP time-to-live value. Use this token in the
detection of trace route attempts.

IP TOS
Use this token to check the IP TOS field for the value you specify.


IP Opt
Use this token to check if a specific IP option is present. All of these
options are defined in the Internet Protocol documentation found at
http://www.iana.org/, under IP Option Numbers. You can check for the
following options:

■ Record Route: Checks if the Record Route option is present. If this
option is present, the packet should include the address information
for the route the packet traveled.

■ End of List: Checks if the End of List option is present. If this option
is present, there should be no additional IP options listed after this
value.

■ No Operation: Checks if the No Operation IP option is set in the IP
options of the packet.

■ Time Stamp: Checks if the Time Stamp option is present. If this
option is present, the packet should contain the time it originated.

■ IP Security: Checks if the IP Security option is present.

■ IP Extended Security: Checks if the IP Extended Security IP option is
present.

■ Loose Source Routing: Checks if the Loose Source Routing option is
present.

■ Strict Source Routing: Checks if the Strict Source Routing option is
present. This option records the route of the packet with more
restrictions than the Loose Source Routing option.

■ Stream Identification: Checks if the Stream Identification option is
present.

■ Any IP Options are Set: Use this value to check if any IP options are
set in the packet.

Note: You can only have one IP Opt token per rule.

IP Protocol

Use this token to check the IP protocol header for the protocol you
specify.

TCP Seq

Use this token to check for a specific TCP sequence number.

TCP Ack
Use this token to check for a specific TCP acknowledgment number.

ICMP Type
Use this token to check for a specific ICMP type value.


ICMP Code
Use this token to check for a specific ICMP code value.

Echo Id
Use this token to check for a specific ICMP ID value. Some channel
programs use static ICMP fields when communicating. If you know the
field value, you can use this token to check for that value.

Echo Seq
Use this token to check for a specific ICMP sequence value. Some
channel programs use static ICMP fields when communicating. If you
know the field value, you can use this token to check for that value.

TCP Window

Use this token to check for a specific TCP window size.

3. Specify the Relation of the token to the value.

For the majority of the tokens, you can select Equal to, NotEqual, Greater, or
Less for the Relation. For example, you could create a token where the D
Size must be less than the value specified.

To create a range, you must create two tokens, one for each boundary of the
range. For example, you could set D Size to greater than 10 and less than
100 to create a rule that applies when the packet payload size is between 10
and 100.

For the Is Data At token, select Absolute to look for data at a specific point in
the payload, or select Relative to look for the data at a position relative to the
end of the data.

For Same Address there is no Relation to specify.

4. Specify the value you want the token checked against.

For Same Address there is no Value to specify.

For the IP Opt token, you must select one of the options described above.

5. Click Add.
The token is added to the list.
6. Click Next.

The Configure Flow Bits Tokens page opens.


Alternatively, click Save to save your changes and return to the Intrusion
Protection Rules page, click Back to return to the previous page, click Discard
to remove any changes you made, or click Close to close the page without
saving changes.
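The General tokens described above (D Size, IP TTL, IP TOS, IP Protocol, Same Address, IP Opt and the four Relations) evaluated over a raw IPv4 header, as an added example that is not CA's code. The packet and rule are constructed; the option type numbers are the IANA "IP Option Numbers" the text points to, and the option walker reports a malformed option length instead of skipping it.

```python
import struct

# IANA "IP Option Numbers" (the whole option-type byte) for the options the
# Configure General Tokens page lists; "Any IP Options are Set" is handled apart.
IP_OPTIONS = {
    "End of List": 0, "No Operation": 1, "Record Route": 7, "Time Stamp": 68,
    "IP Security": 130, "Loose Source Routing": 131, "IP Extended Security": 133,
    "Stream Identification": 136, "Strict Source Routing": 137,
}
RELATIONS = {
    "Equal": lambda field, value: field == value,
    "NotEqual": lambda field, value: field != value,
    "Greater": lambda field, value: field > value,
    "Less": lambda field, value: field < value,
}


def parse_ip_options(opts: bytes) -> list:
    """Return the option-type bytes present in an IPv4 option area.

    End of List (0) and No Operation (1) are single bytes; every other option is
    type, length, data. A bad length raises instead of being skipped, so a packet
    built to desynchronise the parser is reported rather than quietly ignored.
    """
    types, i = [], 0
    while i < len(opts):
        t = opts[i]
        types.append(t)
        if t == 0:                              # End of List: nothing after it counts
            break
        if t == 1:                              # No Operation: one-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d has no length byte" % t)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d has bad length %d" % (t, length))
        i += length
    return types


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the header fields that the General tokens test."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, _, _, ttl, proto, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > total_len or total_len > len(pkt):
        raise ValueError("inconsistent header/total length")
    return {"tos": tos, "ttl": ttl, "proto": proto,
            "src": pkt[12:16], "dst": pkt[16:20],
            "options": parse_ip_options(pkt[20:ihl]),
            "dsize": total_len - ihl}           # payload size as D Size sees it


def check_token(hdr: dict, token_id: str, relation=None, value=None) -> bool:
    """Evaluate one General token (Token ID, Relation, Value) against parsed fields."""
    if token_id == "Same Address":              # no Relation or Value for this token
        return hdr["src"] == hdr["dst"]
    if token_id == "IP Opt":                    # Value is an option name, no Relation
        if value == "Any IP Options are Set":
            return bool(hdr["options"])
        return IP_OPTIONS[value] in hdr["options"]
    field = {"D Size": hdr["dsize"], "IP TTL": hdr["ttl"],
             "IP TOS": hdr["tos"], "IP Protocol": hdr["proto"]}[token_id]
    return RELATIONS[relation](field, value)


def rule_matches(pkt: bytes, tokens: list) -> bool:
    """A rule matches only when every token matches; tokens are (id, relation, value)."""
    hdr = parse_ipv4(pkt)
    return all(check_token(hdr, *tok) for tok in tokens)


def build_packet(payload: bytes, ttl: int, src: bytes, dst: bytes, options: bytes = b"") -> bytes:
    """Constructed sample IPv4 packet: checksum left zero, options padded to 4 bytes."""
    options += b"\x00" * (-len(options) % 4)
    ihl = (20 + len(options)) // 4
    fixed = struct.pack("!BBHHHBBH", (4 << 4) | ihl, 0,
                        20 + len(options) + len(payload), 0, 0, ttl, 1, 0)
    return fixed + src + dst + options + payload


# Constructed rule: payload between 10 and 100 bytes (two D Size tokens make the
# range), TTL below 2 as for a trace-route probe, source equal to destination,
# and a Record Route option present.
SAMPLE_RULE = [("D Size", "Greater", 10), ("D Size", "Less", 100),
               ("IP TTL", "Less", 2), ("Same Address",),
               ("IP Opt", None, "Record Route")]
# Record Route option with no addresses recorded yet: type 7, length 3, pointer 4.
SAMPLE_PKT = build_packet(b"A" * 12, 1, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x01",
                          bytes([7, 3, 4]))

if __name__ == "__main__":
    print(rule_matches(SAMPLE_PKT, SAMPLE_RULE))    # True
```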


This page contains the following buttons:


Add

Specify the token information and click this button to add the token. This
button only appears if you have no tokens selected.

Update

Select a token in the list, change any value, and click this button to update
the token to the new values. This button is only visible if you select a token.

Delete

Select a token in the list and click this button to delete it. This button is active
if you have a token selected.

Clear

Click this button to clear all data you entered, resetting the values to the
default state. This button is active if you have no token selected.

De-Select Grid Item

To add a new item, you cannot have any of the items in the list selected. Use
this button to de-select the current item, so that you can add a new token.
This button is active if you have a token selected.

Configure Flow Bits Tokens

Use Flow Bits tokens to control a temporary variable in the Intrusion Protection
engine that rules can check, set, or unset. For example, you can use this token
if you want to signal capture of a specific packet for future searches. This token
allows rules to track states across transport protocol sessions.

There are seven operations associated with the Flow Bits token. For these
operations you must specify a name for the state being checked. Limit this name
to any alphanumeric string including periods, dashes, and underscores.

To add a Flow Bits token

1. Open the Configure Flow Bits Tokens page by either clicking Next on the
Configure General Token page of the Create Intrusion Protection Rule, or by
clicking the Configure Flow Bits Tokens link in the Steps to Create Rule pane.

The Configure Flow Bits Tokens page opens.

2. Specify the Connection State.


This is the name of the temporary variable.


3. Select the Operation.


You can choose one of the following Operations:

Set
Set the specified state for the current flow.

Unset
Unset the specified state for the current flow.

Toggle

Toggle the specified state. If the state is set, it becomes unset; if the
state is unset, it becomes set.

Isset

Check whether the specified state is set.

Isnotset
Check whether the specified state is not set.

Noalert
Specify that the rule should not generate an alert, regardless of the rest
of the detection options specified for this token.

Reset
Check whether the specified state has been reset.

4. Click Add.

The token is added to the list.


5. Click Next.
The Configure Byte Test Tokens page opens.

Alternatively, click Save to save your changes and return to the Intrusion
Protection Rules page, click Back to return to the previous page, click Discard
to remove any changes you made, or click Close to close the page without
saving changes.

This page contains the following buttons:


Add

Specify the token information and click this button to add the token. This
button only appears if you have no tokens selected.

Update

Select a token in the list, change any value, and click this button to update
the token to the new values. This button is only visible if you select a token.


Delete
Select a token in the list and click this button to delete it. This button is active
if you have a token selected.

Clear
Click this button to clear all data you entered, resetting the values to the
default state. This button is active if you have no token selected.

De-Select Grid Item
To add a new item, you cannot have any of the items in the list selected. Use
this button to de-select the current item, so that you can add a new token.
This button is active if you have a token selected.

Configure Byte Test Tokens

Use the Byte Test token to test a byte field against a specific value. You can use
this token to test binary values or to convert representative byte strings to their
binary equivalent and then test.

To add a Byte Test token

1. Open the Configure Byte Test Tokens page by either clicking Next on the
Configure Flow Bits Token page of the Create Intrusion Protection Rule, or by
clicking the Configure Byte Test Tokens link in the Steps to Create Rule pane.

The Configure Byte Test Tokens page opens.


2. In the Extracted Number section, specify the following:

Value
Specify the value that the byte test token checks against.

Offset
Specify any offset value for this token. If you specify an offset, the token
jumps this distance ahead in the packet before checking values.

Size
Specify the number of bytes examined when checking values.

3. In the Data Type section, select a Format for this token.


You can select from the following formats:

Little Endian
Select this option to process the content data as little-endian.

Big Endian
Select this option to process data as big-endian.


Auto
Select this option to let the Intrusion Protection determine the best
processing option.

Like C
Select this option to convert the contents in a string format.

Hex
Select this option to convert the string data to hexadecimal notation.

Dec
Select this option to convert the string data to decimal notation.

Oct
Select this option to convert the string data to octal notation.

4. In the Data Type section, select an Operator for this token.


You can select from the following operators:

Equal
Select this option to have the rule apply if the values match.

Xor
Select this option to match two values so that one or the other but not both
match the value specified in the rule.

Greater
Select this option to have the rule apply if the value specified is greater
than the value in the packet.

Less
Select this option to have the rule apply if the value specified is less than
the value in the packet.

And
Select this option to match two values so that both match the value
specified in the rule.

Or
Select this option to match two values so that one or both match the
value specified in the rule.

5. (Optional) In the Value section, enable Relative to use an offset relative to
the last successful pattern match. Enable Negation to have the token check
if the value and operator do not match.

For example, to match a value not greater than 3, enter 3 as the Value,
select Greater as the Operator and enable the Negation option.


6. Click Add.
The token is added to the list.

7. Click Next.
The Configure Byte Jump Tokens page opens.
Alternatively, click Save to save your changes and return to the Intrusion
Protection Rules page, click Back to return to the previous page, click Discard
to remove any changes you made, or click Close to close the page without
saving changes.

This page contains the following buttons:


Add
Specify the token information and click this button to add the token. This
button only appears if you have no tokens selected.

Update
Select a token in the list, change any value, and click this button to update
the token to the new values. This button is only visible if you select a token.

Delete
Select a token in the list and click this button to delete it. This button is active
if you have a token selected.

Clear
Click this button to clear all data you entered, resetting the values to the
default state. This button is active if you have no token selected.

De-Select Grid Item
To add a new item, you cannot have any of the items in the list selected. Use
this button to de-select the current item, so that you can add a new token.
This button is active if you have a token selected.


Configure Byte Jump Tokens

Use the Byte Jump token to read a length from the packet, skip ahead that
distance in the packet and check the packet contents at the new location. Use
these tokens to skip over specific portions of length-encoded protocols and
perform detection in very specific locations. When creating Byte Jump tokens,
you specify the extracted number information, data type, and search flags.

To add a Byte Jump token

1. Open the Configure Byte Jump Tokens page by either clicking Next on the
Configure Byte Test Token page of the Create Intrusion Protection Rule, or
by clicking the Configure Byte Jump Tokens link in the Steps to Create Rule
pane.

The Configure Byte Jump Tokens page opens.

2. In the Extracted Number section, specify the following:

Offset
Specify the offset value for this token. The rule jumps this distance into
the packet before checking the content.

Multiplier
Specify the multiplier value for this token. The token multiplies the
number of calculated bytes by this value and skips forward that number
of bytes in the packet before checking contents.

Size
Specify the number of bytes to extract from the packet.

3. In the Data Type column, select a Format for this token.

You can select from the following formats:

Little Endian
Select this option to process the content data as little-endian.

Big Endian
Select this option to process data as big-endian.

Auto
Select this option to let the Intrusion Protection determine the best
processing option.

Like C
Select this option to store the contents in a string format in the packet.


Hex
Select this option to convert the string data to hexadecimal notation.

Dec
Select this option to convert the string data to decimal notation.

Oct
Select this option to convert the string data to octal notation.

4. (Optional) In the Search Flags column, enable flags that control how the
search behaves.

You can select from the following flags:


Align
Select this option to round the number of converted bytes up to the next
32-bit boundary.

Relative
Select this option to use an offset relative to the last pattern match.

From Beginning
Select this option to skip forward from the beginning of the packet
payload instead of from the current position in the packet.

5. Click Add.
The token is added to the list.
6. Click Next.

The Configure PCRE Tokens page opens.


Alternatively, click Save to save your changes and return to the Intrusion
Protection Rules page, click Back to return to the previous page, click Discard
to remove any changes you made, or click Close to close the page without
saving changes.
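The Byte Test token (previous section) and the Byte Jump token (this section) as one added evaluator, not the product's code, run over a constructed length-encoded message: a jump skips a variable-length name so that the following tests land on the fields behind it, and the last test is the "not greater than 3" case built with Greater plus Negation. Assumptions: operators compare the number extracted from the packet against the rule Value in the direction that makes that example work, Auto falls back to network byte order, and Like C means a C-style prefixed number (0x..., 0o...).

```python
import dataclasses

# Operators compare the number extracted from the packet (left) with the rule
# Value (right); the bitwise ones succeed when the result is non-zero.
OPERATORS = {
    "Equal":   lambda pkt, val: pkt == val,
    "Greater": lambda pkt, val: pkt > val,
    "Less":    lambda pkt, val: pkt < val,
    "And":     lambda pkt, val: (pkt & val) != 0,
    "Or":      lambda pkt, val: (pkt | val) != 0,
    "Xor":     lambda pkt, val: (pkt ^ val) != 0,
}
# String formats: the bytes are ASCII digits read with this radix.
# "Like C" is assumed here to mean C-style prefixes, which Python's base 0 parses.
STRING_BASES = {"Hex": 16, "Dec": 10, "Oct": 8, "Like C": 0}


@dataclasses.dataclass
class Cursor:
    """Position just after the last successful match; Relative offsets start here."""
    pos: int = 0


def extract_number(payload: bytes, pos: int, size: int, fmt: str):
    """Read `size` bytes at `pos` in the given Format; returns (number, end position)."""
    if pos < 0 or size <= 0 or pos + size > len(payload):
        raise ValueError("extraction outside payload")
    chunk = payload[pos:pos + size]
    if fmt in ("Big Endian", "Auto"):      # Auto assumed to fall back to network order
        return int.from_bytes(chunk, "big"), pos + size
    if fmt == "Little Endian":
        return int.from_bytes(chunk, "little"), pos + size
    return int(chunk.decode("ascii"), STRING_BASES[fmt]), pos + size


def byte_test(payload, cur, value, offset, size, fmt, operator,
              relative=False, negation=False):
    """Byte Test token: compare the extracted number with Value; the cursor stays put."""
    base = cur.pos if relative else 0
    extracted, _ = extract_number(payload, base + offset, size, fmt)
    matched = OPERATORS[operator](extracted, value)
    return (not matched) if negation else matched


def byte_jump(payload, cur, offset, multiplier, size, fmt,
              align=False, relative=False, from_beginning=False):
    """Byte Jump token: read a length, skip that far, and leave the cursor there."""
    base = cur.pos if relative else 0
    extracted, end = extract_number(payload, base + offset, size, fmt)
    jump = extracted * multiplier
    if align:                               # round up to the next 32-bit boundary
        jump = (jump + 3) & ~3
    target = jump if from_beginning else end + jump
    if target > len(payload):               # a length pointing past the data never matches
        return False
    cur.pos = target
    return True


def run_tokens(payload: bytes, tokens) -> bool:
    """Apply the tokens in order; the rule matches only if every token matches."""
    cur = Cursor()
    for kind, params in tokens:
        fn = byte_test if kind == "Byte Test" else byte_jump
        try:
            if not fn(payload, cur, **params):
                return False
        except ValueError:                  # short or non-numeric field: no match, no crash
            return False
    return True


# Constructed sample of a length-encoded message: 1-byte version, 2-byte big-endian
# name length followed by the name, 2-byte big-endian flags, then an ASCII count.
SAMPLE = b"\x01" + b"\x00\x05" + b"alice" + b"\x00\x04" + b"3"

SAMPLE_RULE = [
    ("Byte Test", dict(value=1, offset=0, size=1, fmt="Big Endian", operator="Equal")),
    # skip the variable-length name: length sits at offset 1, cursor lands on flags
    ("Byte Jump", dict(offset=1, multiplier=1, size=2, fmt="Big Endian")),
    ("Byte Test", dict(value=0x4, offset=0, size=2, fmt="Big Endian",
                       operator="And", relative=True)),
    # the page's example: "not greater than 3" = Value 3, Greater, Negation enabled
    ("Byte Test", dict(value=3, offset=2, size=1, fmt="Dec", operator="Greater",
                       relative=True, negation=True)),
]

if __name__ == "__main__":
    print(run_tokens(SAMPLE, SAMPLE_RULE))      # True
```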

This page contains the following buttons:

Add
Specify the token information and click this button to add the token. This
button only appears if you have no tokens selected.

Update
Select a token in the list, change any value, and click this button to update
the token to the new values. This button is only visible if you select a token.

Delete
Select a token in the list and click this button to delete it. This button is active
if you have a token selected.


Clear
Click this button to clear all data you entered, resetting the values to the
default state. This button is active if you have no token selected.

De-Select Grid Item
To add a new item, you cannot have any of the items in the list selected. Use
this button to de-select the current item, so that you can add a new token.
This button is active if you have a token selected.

Configure PCRE Tokens

Use Perl Compatible Regular Expressions (PCRE) tokens to create rules using a
regular expression C library based on Perl's external interface. For more detail on
what you can do using a PCRE regular expression, see the PCRE web site at
http://www.pcre.org. When creating PCRE tokens, you provide an expression
string. By default, the expression string is treated as one big line of characters.
The characters ^ and $ are matched at the beginning and ending of the string
respectively.

The PCRE expression format is:

=/<expression>/<modifiers>

In this format, you include the following:

<expression>
This is the PCRE compatible string of characters.

<modifiers>
This is a modifier or list of modifiers. You can use any of the following
modifiers:

■ i: Use this modifier if you want the expression to be matched regardless
of case.

■ s: Use this modifier to include new lines in the dot metacharacter.

■ m: Use this modifier to have Intrusion Protection look for ^ and $
matches immediately following or immediately before any newline in the
buffer, as well as the very start and very end of the buffer.

■ R: Use this modifier to have Intrusion Protection search relative to the
previous token.


To add a PCRE token


1. Open the Configure PCRE Tokens page by either clicking Next on the
Configure Byte Jump Token page of the Create Intrusion Protection Rule, or
by clicking the Configure PCRE Tokens link in the Steps to Create Rule pane.
The Configure PCRE Tokens page opens.

2. In the Value field, enter the expression for the token. The PCRE expression
format is:
=/<expression>/<modifiers>

3. Click Add.

The token is added to the list.


4. Click Next.

The Reorder Tokens page opens.


Alternatively, click Save to save your changes and return to the Intrusion
Protection Rules page, click Back to return to the previous page, click Discard
to remove any changes you made, or click Close to close the page without
saving changes.

This page contains the following buttons:

Add
Specify the token information and click this button to add the token. This
button only appears if you have no tokens selected.

Update
Select a token in the list, change any value, and click this button to update
the token to the new values. This button is only visible if you select a token.

Delete

Select a token in the list and click this button to delete it. This button is active
if you have a token selected.

Clear

Click this button to clear all data you entered, resetting the values to the
default state. This button is active if you have no token selected.

De-Select Grid Item

To add a new item, you cannot have any of the items in the list selected. Use
this button to de-select the current item, so that you can add a new token.
This button is active if you have a token selected.


Reorder the Tokens

The order of tokens in a rule is important. Tokens are applied by Intrusion
Protection in the order they are shown in the Token table on this page.

Initially the tokens are added to this list in the order in which you created them.
If, for example, you create the tokens in the same order as the pages of the Rule
editor, you would have created your Flow tokens before any Content or General
tokens. If this does not meet your needs, especially with more complicated
tokens, you can use the Reorder the Tokens page to change the order of the
tokens to ensure that they are used in the correct order.

For example, if you want to detect a value using Flow Bits tokens and you follow
the steps, you create a Content token first, then Flow Bits tokens. However, the
Flow Bits order always depends on the operation, and, for the operation "ISSET",
the Flow Bits token must come before the Content token. In this case, you would
have to reorder the tokens so that the Flow Bits token is applied first.

For another example, if a rule contains several Content and PCRE tokens, these
tokens must be arranged in sequential order,
<Content1><PCRE1><Content2><PCRE2>, etc. One method to create this
sequence is to add all the Content tokens first, then add all the PCRE tokens. You
would then rearrange the tokens on this page to match the order you need.

Note: You do not have to create tokens in the order presented by the editor. You
can go to the needed page using the Back and Next buttons, or click the link to
the page in the Steps to Create pane. The tokens are added in the order you
create them. However, the Reorder the Tokens page is the only place where
you can see all the tokens entered and in the current order.

To reorder the tokens

1. Open the Reorder Tokens page by either clicking Next on the Configure PCRE
Token page of the Create Intrusion Protection Rule, or by clicking the
Reorder Tokens link in the Steps to Create Rule pane.

The Reorder Tokens page opens.

2. Select the token whose position you want to change.

3. Use the priority arrows to move the token up or down in the priority list.
The higher the token is in the list, the earlier in the Intrusion Protection
process the token is used. You can also drag-and-drop tokens to change
their position.

4. Click Save.

The tokens are re-ordered and the rule is saved.
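The Flow Bits operations (Set, Unset, Toggle, Isset, Isnotset, Noalert) and the token-ordering point above, as an added toy evaluator that is not CA's engine: tokens are applied in table order, Flow Bits state is kept per flow across packets, and a Set placed before a Content check that then fails still leaves the bit set in this engine, which is the kind of ordering problem the Reorder the Tokens page exists to fix. Rules, packets and flow identifiers are constructed; Reset is left out because its behaviour is not pinned down here.

```python
RELATIONS = {
    "Equal": lambda a, b: a == b, "NotEqual": lambda a, b: a != b,
    "Greater": lambda a, b: a > b, "Less": lambda a, b: a < b,
}


def evaluate(tokens, pkt, flows):
    """Apply one rule's tokens, in table order, to one packet.

    Returns "no-match", "match-noalert" or "alert". Flow Bits state lives per flow
    in `flows`. Set/Unset/Toggle take effect the moment their token is reached, so
    a Set placed before a Content token that then fails still leaves the bit set.
    """
    bits = flows.setdefault(pkt["flow"], set())
    alert = True
    for kind, *args in tokens:
        if kind == "Content":
            if args[0] not in pkt["payload"]:
                return "no-match"
        elif kind == "D Size":
            relation, value = args
            if not RELATIONS[relation](len(pkt["payload"]), value):
                return "no-match"
        elif kind == "Flow Bits":
            op = args[0]
            name = args[1] if len(args) > 1 else None   # Noalert names no state
            if op == "Set":
                bits.add(name)
            elif op == "Unset":
                bits.discard(name)
            elif op == "Toggle":
                bits.symmetric_difference_update({name})
            elif op == "Isset":
                if name not in bits:
                    return "no-match"
            elif op == "Isnotset":
                if name in bits:
                    return "no-match"
            elif op == "Noalert":
                alert = False
            else:
                raise ValueError("unsupported Flow Bits operation: %s" % op)
        else:
            raise ValueError("unsupported token: %s" % kind)
    return "alert" if alert else "match-noalert"


def run_session(rules, packets):
    """Feed packets through every rule; return (alerts, per-flow bits)."""
    flows, alerts = {}, []
    for pkt in packets:
        for rule_name, tokens in rules.items():
            if evaluate(tokens, pkt, flows) == "alert":
                alerts.append((pkt["seq"], rule_name))
    return alerts, flows


# Constructed two-stage detection. Stage 1 only records state (Noalert); stage 2
# alerts on an oversized PASS argument, but only in a flow where USER was seen.
STAGE1 = [("Content", b"USER "), ("Flow Bits", "Set", "login.user.seen"),
          ("Flow Bits", "Noalert")]
STAGE2 = [("Flow Bits", "Isset", "login.user.seen"), ("Content", b"PASS "),
          ("D Size", "Greater", 100)]
RULES = {"stage1-user": STAGE1, "stage2-long-pass": STAGE2}

# Stage 1 with Set placed ahead of the Content check: in this engine the bit is
# set even when Content then fails, so state-changing tokens belong after the checks.
STAGE1_MISORDERED = [("Flow Bits", "Set", "login.user.seen"), ("Content", b"USER ")]

# Constructed packets: two flows, only the first sends USER before PASS.
PACKETS = [
    {"seq": 1, "flow": "10.0.0.5:40000>10.0.0.9:21", "payload": b"USER alice\r\n"},
    {"seq": 2, "flow": "10.0.0.5:40000>10.0.0.9:21", "payload": b"PASS " + b"A" * 200 + b"\r\n"},
    {"seq": 3, "flow": "10.0.0.6:40001>10.0.0.9:21", "payload": b"PASS " + b"A" * 200 + b"\r\n"},
]

if __name__ == "__main__":
    print(run_session(RULES, PACKETS)[0])     # [(2, 'stage2-long-pass')]
```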


Configure All Advanced Policy Components

The All Advanced Policy Components option lets you create definitions, rules, and
Rule Sets for Proactive Protection policies. The rules and Rule Sets are specific to
the policy type. Definitions can be used across policies and rules.

Manage Firewall Rule Sets

Firewall Rule Sets contain a collection of Firewall Rules. Use the Rule Sets when
creating Firewall policies. This page lets you create, edit, and delete Rule Sets.
You can also reorder the Rule Set as necessary and disable or enable selected
rules within the Rule Set.

To access the Firewall Rule Sets tab

1. In the Navigation pane, click Policies, expand Global Policy Definitions, and
expand Proactive Protection.

2. Click Firewall.
The Global Firewall Policy Definitions page opens.

3. Click Advanced Configuration and select All Advanced Policy Components
from the drop-down menu.

4. Click the Firewall Rules and Rule Sets tab.

5. Click the Firewall Rule Sets sub tab.

The Firewall Rule Sets page opens.

This page includes the following buttons:

New
Click this button to create a new Rule Set.

Edit
Select a Rule Set and click this button to edit that object. Editing is the same
as creating a new object; you are just changing the existing values.

Copy
Select a Rule Set and click this button to copy it so that it can be pasted.

Paste
Click this button to paste a copy of the Rule Set.

Delete
Select a Rule Set and click this button to remove that Rule Set from the list.

Order Rule Set
Click this button to reorder the Rule Sets, changing the priority of the Rule
Sets.


From this page, you can perform the following procedures:

To create a firewall Rule Set

1. Click New.
The Create New Firewall Rule Set window opens to the Name and General
Settings pane.

2. Enter the name and description for the Rule Set and click Next.
The Select Rules pane opens.

3. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.
Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.

4. Change the rule order, if necessary, by selecting a rule and using the up and
down arrows to move it up or down the list.

5. Click Save to save your changes.

Your changes are saved, and the page closes.

Alternatively, click Discard to remove any changes you made but keep the
page open, or click Close to close the page without saving changes.

To order the Rule Sets

1. Click Order Rule Set.

The Order Rule Set window opens.

2. Specify whether to view all Rule Sets, only the baseline Rule Set, or add-on
only Rule Sets.

3. Select the Rule Set whose order you want to change and use the Priority
arrows to move the rule up and down the list.

The rule with the highest priority is at the top of the list.

Your changes are saved once you move the rule.

4. Click Close to close the window.

To enable or disable a rule

1. Expand the Rule Set.

2. Select the check box next to the rule to enable or disable.

If there is a check mark in the box, the rule is enabled. If there is no check
mark, the rule is disabled.


Order the Rule Set

Rule Sets can be ordered as necessary. Ordering the Rule Sets lets you ensure
the rules which are most important to you have the highest priority.

When viewing the Rule Sets order, the Rule Set at the top of the list has the
highest priority.

To order the Rule Sets

1. Click Order Rule Sets.

The Order Rule Sets page opens.

2. Use the View Rule Set drop-down menu to view all Rule Sets, Baseline Rule
Sets or Add-on Rule Sets.

3. Select a Rule Set, then change the position of the Rule Set using the up and
down Priority arrows. The higher the Rule Set is on the list, the higher the
priority.

Changes are saved once you move a rule.

4. When you are finished setting the order, click Close.

The Order Rule Sets page closes.

Configure the Rule Set Name and General Settings

The Name and General Settings page lets you specify the name and a description
for the Policy Component you are creating. For Rule sets, this page includes an
additional option letting you set whether a Rule Set is a baseline Rule Set or an
add-on Rule Set. Baseline Rule Sets form the ground work of a policy, whereas
add-on Rule Sets are additional rules that can be optionally added to policies.

To specify the name and general settings

1. Enter the name and description for the application.

2. Specify the level of the Rule Set.

A Rule Set can be either a baseline rule or an add-on rule.

3. Click Next to move to the next page. Click Save to save your changes.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.


Select Rules

When creating a Rule Set, you must add the rules to the set. You add the rules on
the Select Rules page for that Rule Set.

To add rules to a Rule Set

1. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.
Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.

2. Change the rule order, if necessary, by selecting a rule and using the up and
down arrows to move the rule up or down the list.

This option may not apply to all Rule Sets.

3. You can disable or enable rules within the Rule Set, if necessary.

■ To disable a rule, remove the check mark in the Enable field of that rule.

■ To enable a rule, ensure that the check mark is present.

This option may not apply to all Rule Sets.

4. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Manage Firewall Rules

You can manage Firewall rules from the Firewall Rules tab. These rules control
access to and from your network. You can create, edit, or delete rules from this
page. You can also copy and paste rules as necessary.

To access the Firewall Rules tab

1. In the Navigation pane, click Policies, expand Global Policy Definitions, and
expand Proactive Protection.
2. Click Firewall.
The Global Firewall Policy Definitions page opens.

3. Click Advanced Configuration and select All Advanced Policy Components
from the drop-down menu.

4. Click the Firewall Rules and Rule Sets tab.

5. Click the Firewall Rules sub tab.

The Firewall Rules page opens.


Firewall rules are used to make up your Firewall policy and control access to and
from your network.

To create a firewall rule


1. Click New.

The Create Firewall Rule page opens to the Name and General Settings pane.

2. Enter the name and description for the application and click Next.

The Application or Application Group pane opens, replacing the Name and
General Settings pane.

3. Specify whether this rule applies to all applications, a group of applications,
or a specific application, and click Next.

The Communications Protocol and Direction pane opens, replacing the
Application or Application Group pane.

4. Specify the protocol to which you want this rule applied.

You can select Any protocol, or a specific one.

If you want the rule to apply to two protocols, create the rule for one
protocol, copy and paste the rule, then edit the copy and change the
protocol.

5. Specify the direction of network traffic to which the rule applies.

You can specify inbound or outbound, but you cannot select both.

To create the same rule for both traffic directions, create the rule, copy and
paste the rule, then edit the copy and change the direction.

6. Click Next.
The Remote and Local IP Address pane opens, replacing the
Communications Protocol and Direction pane.

7. Specify the Remote IP addresses to which this rule applies.

8. (Optional) Enable Routed Traffic, and specify any local IP address to which
this rule applies.

9. Click Next.
The Access Permission, Audit Level, Firewall Zone, and Time Frame pane
opens.

10. Specify the Access Permission and Audit level for this rule.


11. Specify the Firewall Zone for this rule, and specify the time frame during
which this rule applies.

12. Click Save to save your changes.

Your changes are saved, and the Enroll Application pages close. Click Back to
return to the previous page. Click Discard to remove any changes you made.
Click Close to close the page without saving changes.

Configure Names and General Settings

The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.

Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.

To specify the name and general settings

1. Enter the name and description for the rule.

2. Click Next to move to the next page.
Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.

Specify Applications or Application Groups

Firewall rules are used to make up your Firewall policy and control access to and
from your network.

To create a firewall rule

1. Click New.

The Create Firewall Rule page opens to the Name and General Settings pane.

2. Enter the name and description for the application and click Next.

The Application or Application Group pane opens, replacing the Name and
General Settings pane.

3. Specify whether this rule applies to all applications, a group of applications,
or a specific application, and click Next.

The Communications Protocol and Direction pane opens, replacing the
Application or Application Group pane.


4. Specify the protocol to which you want this rule applied.

You can select Any protocol, or a specific one.

If you want the rule to apply to two protocols, create the rule for one
protocol, copy and paste the rule, then edit the copy and change the
protocol.

5. Specify the direction of network traffic to which the rule applies.

You can specify inbound or outbound, but you cannot select both.

To create the same rule for both traffic directions, create the rule, copy and
paste the rule, then edit the copy and change the direction.

6. Click Next.
The Remote and Local IP Address pane opens, replacing the
Communications Protocol and Direction pane.

7. Specify the Remote IP addresses to which this rule applies.

8. (Optional) Enable Routed Traffic, and specify any local IP address to which
this rule applies.

9. Click Next.
The Access Permission, Audit Level, Firewall Zone, and Time Frame pane
opens.

10. Specify the Access Permission and Audit level for this rule.

11. Specify the Firewall Zone for this rule, and specify the time frame during
which this rule applies.

12. Click Save to save your changes.

Your changes are saved, and the Create Firewall Rule pages close. Click Back to
return to the previous page. Click Discard to remove any changes you made.
Click Close to close the page without saving changes.
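The firewall rule described in the procedure above has a fixed shape: an application scope, a single protocol (or Any), a single direction, a set of remote addresses, an optional local address when Routed Traffic is enabled, an access permission, an audit level, a zone and a time frame. The following Python model is an added illustration of how such rules combine, not CA Total Defense code: first-match evaluation in rule order, a default deny when nothing matches, a zone check against the connection's zone, and the `(start_hour, end_hour)` shape of the time frame are all assumptions made for this example. The `mirror_direction` helper reproduces the "copy the rule and change the direction" step the page recommends for covering both traffic directions.

```python
"""Model of a firewall rule as described on this page (added example, not product code).
Assumptions: first matching rule wins, default is DENY, time_frame is (start_hour, end_hour)."""
from dataclasses import dataclass, replace
from datetime import datetime
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


class Direction(Enum):
    INBOUND = "inbound"
    OUTBOUND = "outbound"


class Permission(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class FirewallRule:
    name: str
    direction: Direction                  # one direction per rule, as the page states
    permission: Permission                # the rule's Access Permission
    zone: str                             # the Firewall Zone the rule belongs to
    audit_level: str = "normal"           # hypothetical level name
    application: Optional[str] = None     # None stands for "all applications"
    protocol: Optional[str] = None        # None stands for "Any" protocol
    remote_networks: Tuple[str, ...] = ("0.0.0.0/0",)
    routed_traffic: bool = False          # the (Optional) Routed Traffic switch
    local_networks: Tuple[str, ...] = ()  # consulted only when routed_traffic is True
    time_frame: Optional[Tuple[int, int]] = None  # (start_hour, end_hour); assumed shape


@dataclass(frozen=True)
class Connection:
    application: str
    protocol: str
    direction: Direction
    remote_ip: str
    local_ip: str
    zone: str
    when: datetime


def _in_any(ip: str, networks: Tuple[str, ...]) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(n, strict=False) for n in networks)


def rule_matches(rule: FirewallRule, conn: Connection) -> bool:
    """True when every field of the rule accepts this connection."""
    if rule.direction is not conn.direction or rule.zone != conn.zone:
        return False
    if rule.application is not None and rule.application != conn.application:
        return False
    if rule.protocol is not None and rule.protocol.lower() != conn.protocol.lower():
        return False
    if not _in_any(conn.remote_ip, rule.remote_networks):
        return False
    if rule.routed_traffic and rule.local_networks and not _in_any(conn.local_ip, rule.local_networks):
        return False
    if rule.time_frame is not None:
        start, end = rule.time_frame
        if not start <= conn.when.hour < end:
            return False
    return True


def evaluate(rules: List[FirewallRule], conn: Connection) -> Tuple[Permission, Optional[str], Optional[str]]:
    """First matching rule decides (assumed ordering); no match falls through to DENY."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.permission, rule.name, rule.audit_level
    return Permission.DENY, None, None


def mirror_direction(rule: FirewallRule) -> FirewallRule:
    """The copy-and-edit step from the page: same rule, opposite direction."""
    opposite = Direction.INBOUND if rule.direction is Direction.OUTBOUND else Direction.OUTBOUND
    return replace(rule, name=f"{rule.name} ({opposite.value})", direction=opposite)


def demo() -> Dict[str, object]:
    """Constructed sample rule and connections; shows why one rule covers one direction."""
    base = FirewallRule(name="Allow SMB to file servers", direction=Direction.OUTBOUND,
                        permission=Permission.ALLOW, zone="Corporate", protocol="TCP",
                        remote_networks=("10.20.0.0/16",), time_frame=(8, 18))
    outbound = Connection("explorer.exe", "tcp", Direction.OUTBOUND, "10.20.5.7",
                          "10.1.1.5", "Corporate", datetime(2024, 1, 1, 10, 30))
    inbound = replace(outbound, direction=Direction.INBOUND)
    udp = replace(outbound, protocol="UDP")
    late = replace(outbound, when=datetime(2024, 1, 1, 23, 0))
    one_way = [base]
    two_way = [base, mirror_direction(base)]
    return {
        "outbound_tcp": evaluate(one_way, outbound)[0].value,
        "inbound_tcp_one_rule": evaluate(one_way, inbound)[0].value,
        "inbound_tcp_mirrored": evaluate(two_way, inbound)[1],
        "outbound_udp": evaluate(one_way, udp)[0].value,
        "outbound_tcp_after_hours": evaluate(one_way, late)[0].value,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The inbound connection is denied by the single outbound rule even though every other field matches, which is exactly why the page tells you to copy the rule and change the direction; the UDP and after-hours cases show the protocol and time-frame fields narrowing the match in the same way.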

Specify Communication Protocols and Directions

This page lets you specify the communications protocol and the directions of
communication in the built-in custom Firewall Rule Set.

To specify communications protocol and directions

1. Specify the protocol to which you want this rule applied.

You can select Any protocol, or a specific one.
If you want the rule to apply to two protocols, create the rule for one
protocol, copy and paste the rule, then edit the copy and change the
protocol.

400 Administration Guide

2. Specify the direction of network traffic to which the rule applies.

You can specify inbound or outbound, but you cannot select both.

To create the same rule for both traffic directions, create the rule, copy and
paste the rule, then edit the copy and change the direction.

3. Click Next.

The Remote and Local IP Address pane opens.

Alternatively, click Save to save your changes.
Your changes are saved, and the page closes. Click Back to return to the previous
page. Click Discard to remove any changes you made. Click Close to close
the page without saving changes.

Specify Remote and Local IP Addresses

This page lets you specify the remote and local IP address used in the built-in
custom Firewall Rule Sets.

To specify remote and local IP addresses

1. Specify the Remote IP addresses to which this rule applies.

2. (Optional) Enable Routed Traffic, and specify any local IP address to which
this rule applies.

3. Click Next.
The Access Permission, Audit Level, Firewall Zone, and Time Frame pane
opens.

Alternatively, click Save to save your changes.

Your changes are saved, and the page closes. Click Back to return to the previous
page. Click Discard to remove any changes you made. Click Close to close
the page without saving changes.

Specify Access Permissions, Audit Levels, Firewall Zones, and Time Frames

This page lets you specify the access permissions, audit levels, Firewall zones,
and time frames in the built-in custom Firewall Rule Sets.

To specify access permissions, audit levels, Firewall zones, and time frames

1. Specify the Access Permission and Audit level for this rule.
2. Specify the Firewall Zone for this rule.

3. Specify the time frame when this rule applies.

4. Click Save to save your changes.


Your changes are saved, and the page closes. Click Back to return to the
previous page. Click Discard to remove any changes you made. Click Close
to close the page without saving changes.


Manage Firewall Zone Rule Sets

Firewall Zone Rule Sets contain a collection of Firewall Zone Rules. Use the Rule
Sets when creating Firewall policies. This page lets you create, edit, and delete
Rule Sets.

To access the Firewall Zone Rule Sets tab

1. In the Navigation pane, click Policies, expand Global Policy Definitions, and
expand Proactive Protection.
2. Click Firewall.

The Global Firewall Policy Definitions page opens.

3. Click Advanced Configuration and select All Advanced Policy Components
from the drop-down menu.

4. Click the Firewall Zone Rules and Rule Sets tab.

5. Click the Firewall Zone Rule Sets sub tab.

The Firewall Zone Rule Sets page opens.

This page includes the following buttons:

New
Click this button to create a new Rule Set.

Edit
Select a Rule Set and click this button to edit that object. Editing is the same
as creating a new object; you are just changing the existing values.

Copy
Select a Rule Set and click this button to add a copy to the memory.

Paste
Click this button to paste a copy of the Rule Set.

Delete
Select a Rule Set and click this button to remove that Rule Set from the list.


From this page, you can perform the following procedures:

To create a firewall zone Rule Set

1. Click New.
The Create New Firewall Zone Rule Set window opens to the Name and
General Settings pane.

2. Enter the name and description for the application and click Next.
The Select Rules pane opens.

3. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.
Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.

4. Click Save to save your changes and close the page.


Alternatively, click Discard to remove any changes you made but keep the
page open, or click Close to close the page without saving changes.

Configure the Rule Set Name and General Settings

The Name and General Settings page lets you specify the name and a description
for the Policy Component you are creating. For Rule sets, this page includes an
additional option letting you set whether a Rule Set is a baseline Rule Set or an
add-on Rule Set. Baseline Rule Sets form the ground work of a policy, whereas
add-on Rule Sets are additional rules that can be optionally added to policies.

To specify the name and general settings

1. Enter the name and description for the application.

2. Specify the level of the Rule Set.

A Rule Set can be either a baseline rule or an add-on rule.

3. Click Next to move to the next page. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.


Select Rules

When creating a Rule Set, you must add the rules to the set. You add the rules on
the Select Rules page for that Rule Set.

To add rules to a Rule Set

1. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.
Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.

2. Change the rule order, if necessary, by selecting a rule and using the up and
down arrows to move the rule up or down the list.

This option may not apply to all Rule Sets.

3. You can disable or enable rules within the rules set, if necessary.
■ To disable a rule, remove the check mark in the Enable field of that rule.
■ To enable a rule, ensure that the check mark is present.

This option may not apply to all Rule Sets.

4. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Manage Firewall Zone Rules

You can manage Firewall Zone rules from the Firewall Zone Rules tab. These
rules control zone access and communication. You can create, edit, or delete
rules from this page. You can also copy and paste rules as necessary.

To access the Firewall Zone Rules tab

1. In the Navigation pane, click Policies, expand Global Policy Definitions, and
expand Proactive Protection.
2. Click Firewall.
The Global Firewall Policy Definitions page opens.

3. Click Advanced Configuration and select All Advanced Policy Components
from the drop-down menu.

4. Click the Firewall Zone Rules and Rule Sets tab.

5. Click the Firewall Zone Rules sub tab.

The Firewall Zone Rules page opens.


Firewall Zone rules are used to make up your Firewall Zone policy and control
settings for different network zones.

To create a firewall zone rule

1. Click New.
The Create New Firewall Zone Rule page opens to the Name and General
Settings pane.

2. Enter the name and description for the rule and click Next.
The Interface Identification pane opens, replacing the Name and General
Settings pane.

3. In the Identify Interface By pane, use one of the radio button options to
specify how a network interface is identified.

4. In the Specify Firewall Zone and Audit Level pane, select the Firewall Zone,
then select the audit level for this rule.
5. Click Save to save your changes.

Your changes are saved, and the pages close. Click Back to return to the
previous page. Click Discard to remove any changes you made. Click Close
to close the page without saving changes.

Configure Names and General Settings

The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.

Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.

To specify the name and general settings

1. Enter the name and description for the rule.

2. Click Next to move to the next page.

Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.


Configure Interface Identification

This page lets you configure the interface identifications for selected zones.

To configure interface identification for selected zones in a Firewall Zone rule

1. In the Identify Interface By pane, specify how you would like to identify the
zone and provide the corresponding address information.
2. In the Specify Firewall Zone and Audit Level pane, select the Firewall Zone,
then select the audit level for this rule.

3. Click Save to save your changes.


Your changes are saved, and the pages close. Click Back to return to the
previous page. Click Discard to remove any changes you made. Click Close
to close the page without saving changes.

Manage Known Applications Database Use Rule Sets

Known Application Database Rule Sets contain a collection of Known Application
Database Use Rules. Use the Rule Sets when creating Application Control
policies. This page lets you create, edit, and delete Rule Sets.

To access the Known Application Database Rule Sets tab

1. In the Navigation pane, click Policies, expand Global Policy Definitions, and
expand Proactive Protection.
2. Click Application Control.

The Global Application Control Policy Definitions page opens.

3. Click Advanced Configuration and select All Advanced Policy Components
from the drop-down menu.

4. Select Other Advanced Policy Components from the Select Application
Control Configuration Tasks drop-down.

5. Click the Known Application Database Rules and Rule Sets tab.

6. Click the Known Application Database Rule Sets sub tab.

The Known Application Database Rule Sets page opens.

This page includes the following buttons:

New
Click this button to create a new Rule Set.

Edit
Select a Rule Set and click this button to edit that object. Editing is the same
as creating a new object; you are just changing the existing values.


Copy
Select a Rule Set and click this button to add a copy to the memory.

Paste
Click this button to paste a copy of the Rule Set.

Delete
Select a Rule Set and click this button to remove that Rule Set from the list.

From this page, you can perform the following procedures:

To create a Known Application Database Rule Set

1. Click New.

The Create New Known Application Database Rule Set window opens to the
Name and General Settings pane.
2. Enter the name and description for the application and click Next.

The Select Rules pane opens.

3. Select the rule to add from the Available Rules table, and use the double
arrows to move the rule to the Selected Rules table.

Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.

4. (Optional) You can disable or enable rules within the rules set.
■ To disable a rule, remove the check mark in the Enable field of that rule.
■ To enable a rule, make sure the check mark is present.

5. Click Save to save your changes and close the page.


Alternatively, click Discard to remove any changes you made but keep the
page open, or click Close to close the page without saving changes.

Configure the Rule Set Name and General Settings

The Name and General Settings page lets you specify the name and a description
for the Policy Component you are creating. For Rule sets, this page includes an
additional option letting you set whether a Rule Set is a baseline Rule Set or an
add-on Rule Set. Baseline Rule Sets form the ground work of a policy, whereas
add-on Rule Sets are additional rules that can be optionally added to policies.


To specify the name and general settings

1. Enter the name and description for the application.

2. Specify the level of the Rule Set.

A Rule Set can be either a baseline rule or an add-on rule.

3. Click Next to move to the next page. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Select Rules

When creating a Rule Set, you must add the rules to the set. You add the rules on
the Select Rules page for that Rule Set.

To add rules to a Rule Set

1. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.

Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.

2. Change the rule order, if necessary, by selecting a rule and using the up and
down arrows to move the rule up or down the list.
This option may not apply to all Rule Sets.

3. You can disable or enable rules within the rules set, if necessary.
■ To disable a rule, remove the check mark in the Enable field of that rule.
■ To enable a rule, ensure that the check mark is present.

This option may not apply to all Rule Sets.

4. Click Save to save your changes.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.


Manage Known Applications Database Use Rules

Known Applications Database Use Rules are used to populate application groups
on the endpoints using the Known Application Database.

To access the Known Application Database Use Rules tab

1. In the Navigation pane, click Policies, expand the Global Policy Definitions
item, expand the Proactive Protection item, and click Application Control.
The Global Application Control Policy Definitions page opens.

2. Click Advanced Configuration and select All Advanced Policy Components
from the drop-down menu.

3. Select Other Advanced Policy Components from the Select Application
Control Configuration Tasks drop-down.

4. Click the Known Application Database Rules and Rule Sets tab.
5. Click the Known Application Database Use Rules sub tab.
The Known Application Database Use Rules page opens.

This page includes the following buttons:

New
Click this button to create a new rule.

Edit
Select a rule and click this button to edit that object. Editing is the same as
creating a new object; you are just changing the existing values.

Copy
Select a rule and click this button to add a copy to the memory.

Paste
Click this button to paste a copy of the rule.

Delete
Select a rule and click this button to remove that rule from the list.

From this page, you can perform the following procedures:

To create a Known Application Database Use rule

1. Click New.
The Create New Known Application Database Use Rule window opens to the
Name and General Settings pane.

2. Enter the name and description for the rule and click Next.
The Specify Application Group and Enrollment Options pane opens.


3. Specify the Application group for the rule and indicate whether the rule
should allow applications to be enrolled in the group or prevented from
enrolling.

4. Specify the Audit Level and click Next.

The Specify How the Application is Identified pane opens.

5. Specify how the application is identified.

You can select as many options as necessary.

6. Click Next.

The Specify Usage Expression Flags pane opens.

7. Select all of the necessary Usage Expression Flags that must be true for an
application to qualify for the enrollment in the group, and click Next.

The Specify Special Access Flags pane opens.

8. Select all of the applicable Special Access Flags that must be true for an
application to qualify for the enrollment in the group.

You can select as many as necessary.

9. Click Save to save your changes.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Configure Names and General Settings

The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.

Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.

To specify the name and general settings

1. Enter the name and description for the rule.

2. Click Next to move to the next page.

Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.


Specify Application Group and Enrollment Options

Known Application Database Rules are used to build Application Control policies.

To create a Known Application Database rule

1. Click New.

The Create New Known Application Database Rule Set window opens to the
Name and General Settings pane.

2. Enter the name and description for the rule and click Next.

The Specify Application Group and Enrollment Options pane opens.

3. Specify the Application group for the rule and indicate whether the rule
should allow applications to be enrolled in the group or prevented from
enrolling.

4. Specify the Audit Level and click Next.

The Specify How the Application is Identified pane opens.

5. Specify how the application is identified and click Next. You can select as
many options as necessary.

The Specify Usage Expression Flags pane opens.

6. Select all of the applicable Usage Expression Flags that must be true for an
application to qualify for the enrollment in the group.
You can select as many as necessary.

7. Click Next.
The Specify Special Access Flags pane opens.

8. Select all of the applicable Special Access Flags that must be true for an
application to qualify for the enrollment in the group.

You can select as many as necessary.

9. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.


Specify How the Application is Identified

Known Application Database Rules are used to build Application Control policies.

To create a Known Application Database rule

1. Click New.

The Create New Known Application Database Rule Set window opens to the
Name and General Settings pane.

2. Enter the name and description for the rule and click Next.

The Specify Application Group and Enrollment Options pane opens.

3. Specify the Application group for the rule and indicate whether the rule
should allow applications to be enrolled in the group or prevented from
enrolling.

4. Specify the Audit Level and click Next.

The Specify How the Application is Identified pane opens.

5. Specify how the application is identified and click Next. You can select as
many options as necessary.

The Specify Usage Expression Flags pane opens.

6. Select all of the applicable Usage Expression Flags that must be true for an
application to qualify for the enrollment in the group.
You can select as many as necessary.

7. Click Next.
The Specify Special Access Flags pane opens.

8. Select all of the applicable Special Access Flags that must be true for an
application to qualify for the enrollment in the group.

You can select as many as necessary.

9. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page without
saving changes.


Specify Usage Expression Flags

Known Application Database Rules are used to build Application Control policies.

To create a Known Application Database rule

1. Click New.

The Create New Known Application Database Rule Set window opens to the
Name and General Settings pane.

2. Enter the name and description for the rule and click Next.

The Specify Application Group and Enrollment Options pane opens.

3. Specify the Application group for the rule and indicate whether the rule
should allow applications to be enrolled in the group or prevented from
enrolling.

4. Specify the Audit Level and click Next.

The Specify How the Application is Identified pane opens.

5. Specify how the application is identified and click Next. You can select as
many options as necessary.

The Specify Usage Expression Flags pane opens.

6. Select all of the applicable Usage Expression Flags that must be true for an
application to qualify for the enrollment in the group.
You can select as many as necessary.

7. Click Next.
The Specify Special Access Flags pane opens.

8. Select all of the applicable Special Access Flags that must be true for an
application to qualify for the enrollment in the group.

You can select as many as necessary.

9. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page without
saving changes.


Specify Special Access Flags

Known Application Database Rules are used to build Application Control policies.

To create a Known Application Database rule

1. Click New.

The Create New Known Application Database Rule Set window opens to the
Name and General Settings pane.

2. Enter the name and description for the rule and click Next.

The Specify Application Group and Enrollment Options pane opens.

3. Specify the Application group for the rule and indicate whether the rule
should allow applications to be enrolled in the group or prevented from
enrolling.

4. Specify the Audit Level and click Next.

The Specify How the Application is Identified pane opens.

5. Specify how the application is identified and click Next. You can select as
many options as necessary.

The Specify Usage Expression Flags pane opens.

6. Select all of the applicable Usage Expression Flags that must be true for an
application to qualify for the enrollment in the group.
You can select as many as necessary.

7. Click Next.
The Specify Special Access Flags pane opens.

8. Select all of the applicable Special Access Flags that must be true for an
application to qualify for the enrollment in the group.

You can select as many as necessary.

9. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page without
saving changes.


Manage Integrity Check Rule Sets

Integrity Check Rule Sets contain a collection of Integrity Check Rules. Use the
Rule Sets when creating Application Control policies. This page lets you create,
edit, and delete Rule Sets.

To access the Integrity Check Rule Sets tab

1. In the Navigation pane, click Policies, expand Global Policy Definitions, and
expand Proactive Protection.
2. Click Application Control.

The Global Application Control Policy Definitions page opens.

3. Click Advanced Configuration and select All Advanced Policy Components
from the drop-down menu.

4. Select Other Advanced Policy Components from the Select Application
Control Configuration Tasks drop-down.

5. Click the Integrity Check Rules and Rule Sets tab.

6. Click the Integrity Check Rule Sets sub tab.

The Integrity Check Rule Sets page opens.

This page includes the following buttons:

New
Click this button to create a new Rule Set.

Edit
Select a Rule Set and click this button to edit that object. Editing is the same
as creating a new object; you are just changing the existing values.

Copy
Select a Rule Set and click this button to add a copy to the memory.

Paste
Click this button to paste a copy of the Rule Set.

Delete
Select a Rule Set and click this button to remove that Rule Set from the list.


From this page, you can perform the following procedures:

To create an Integrity Check Rule Set

1. Click New.
The Create New Integrity Check Rule Set window opens to the Name and
General Settings pane.

2. Enter the name and description for the application and click Next.
The Select Rules pane opens.

3. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.
Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.

4. Click Save to save your changes.


Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Configure the Rule Set Name and General Settings

The Name and General Settings page lets you specify the name and a description
for the Policy Component you are creating. For Rule sets, this page includes an
additional option letting you set whether a Rule Set is a baseline Rule Set or an
add-on Rule Set. Baseline Rule Sets form the ground work of a policy, whereas
add-on Rule Sets are additional rules that can be optionally added to policies.

To specify the name and general settings

1. Enter the name and description for the application.

2. Specify the level of the Rule Set.

A Rule Set can be either a baseline rule or an add-on rule.

3. Click Next to move to the next page. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.


Select Rules

When creating a Rule Set, you must add the rules to the set. You add the rules on
the Select Rules page for that Rule Set.

To add rules to a Rule Set

1. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.
Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.

2. Change the rule order, if necessary, by selecting a rule and using the up and
down arrows to move the rule up or down the list.

This option may not apply to all Rule Sets.

3. You can disable or enable rules within the rules set, if necessary.
■ To disable a rule, remove the check mark in the Enable field of that rule.
■ To enable a rule, ensure that the check mark is present.

This option may not apply to all Rule Sets.

4. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Manage Integrity Check Rules

You can manage Integrity Check rules from the Integrity Check Rules tab. These
rules let you specify whether an application is allowed to run or is prevented
from running if its integrity check fails.

Use these rules when creating Integrity Check Rule Sets and Application Control
policies.

You can create, edit, or delete rules from this page. You can also copy and paste
rules as necessary.

To access the Integrity Check Rules tab

1. In the Navigation pane, click Policies, expand Global Policy Definitions, and
expand Proactive Protection.

2. Click Application Control.

The Global Application Control Policy Definitions page opens.

3. Click Advanced Configuration and select All Advanced Policy Components
from the drop-down menu.


4. Select Other Advanced Policy Components from the Select Application
Control Configuration Tasks drop-down.

5. Click the Integrity Check Database Rules and Rule Sets tab.
6. Click the Integrity Check Rules sub tab.
The Integrity Check Rules page opens.

This page includes the following buttons:

New
Click this button to create a new rule.

Edit
Select a rule and click this button to edit that object. Editing is the same as
creating a new object; you are just changing the existing values.

Copy
Select a rule and click this button to add a copy to the memory.

Paste
Click this button to paste a copy of the rule.

Delete
Select a rule and click this button to remove that rule from the list.

From this page, you can perform the following procedures:

To create an Integrity Check rule

1. Click New.

The Create New Integrity Check Rule Set window opens to the Name and
General Settings pane.
2. Enter the name and description for the rule and click Next.
The Specify Application, Module, or Group pane opens.

3. In the Check Integrity Of section, specify the object to have its integrity
checked by selecting the category and using the drop-down menu to pick the
object.
You can only select one category and one object.

4. In the Access Result and Audit Level section, specify the access result.
■ To allow the application to run if the integrity check succeeds, select
Allow.

■ To prevent the application from running if the integrity check fails,
choose Prevent.


5. In the Access Result and Audit Level section, specify the Audit Level for this
rule.

6. Click Save to save your changes.


Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Configure Names and General Settings

The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.

Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.

To specify the name and general settings

1. Enter the name and description for the rule.

2. Click Next to move to the next page.
Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.

Specify Application, Module, or Group

Use the Specify Application, Module, or Group page to indicate which object has
its integrity verified by this rule.

To specify the application, module, or group of an Integrity Check rule

1. In the Check Integrity Of section, specify the object to be checked by
selecting the category and using the drop-down menu to pick the object.
You can only select one category and one object.

2. In the Access Result and Audit Level section, specify the action to take based
on the result of the integrity check:
■ To allow the application to run if the integrity check succeeds, select
Allow.

■ To prevent the application from running if the integrity check fails,
choose Prevent.

Appendix A: Procedures 419


Policies

3. In the Access Result and Audit Level section, specify the Audit Level for this
rule.

4. Click Save to save your changes and close the page.


Alternatively, click Discard to remove any changes you made but keep the
page open, or click Close to close the page without saving changes.

Manage Application Spawning Rule Sets

Application Spawning Rule Sets contain a collection of Application Spawning
Rules. Use the Rule Sets when creating Application Control policies. This page
lets you create, edit, and delete Rule Sets.

To access the Application Spawning Rule Sets tab

1. In the Navigation pane, click Policies, expand the Global Policy Definitions
item, and expand the Proactive Protection item.
2. Click Application Control.
The Global Application Control Policy Definitions page opens.

3. Click Advanced Configuration and select All Advanced Policy Components
from the drop-down menu.

4. Select Other Advanced Policy Components from the Select Application
Control Configuration Tasks drop-down.

5. Click the Application Spawning Rules and Rule Sets tab.


6. Click the Application Spawning Rule Sets sub tab.

The Application Spawning Rule Sets page opens.

This page includes the following buttons:

New
Click this button to create a new Rule Set.
Edit

Select a Rule Set and click this button to edit that object. Editing is the same
as creating a new object; you are just changing the existing values.

Copy

Select a Rule Set and click this button to add a copy to the memory.

Paste
Click this button to paste a copy of the Rule Set.

Delete
Select a Rule Set and click this button to remove that Rule Set from the list.


From this page, you can perform the following procedures:

To create an Application Spawning Rule Set

1. Click New.
The Create New Application Spawning Rule Set window opens to the Name
and General Settings pane.

2. Enter the name and description for the Rule Set and click Next.
The Select Rules pane opens.

3. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.
Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.

4. Click Save to save your changes.


Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Configure the Rule Set Name and General Settings

The Name and General Settings page lets you specify the name and a description
for the Policy Component you are creating. For Rule sets, this page includes an
additional option letting you set whether a Rule Set is a baseline Rule Set or an
add-on Rule Set. Baseline Rule Sets form the ground work of a policy, whereas
add-on Rule Sets are additional rules that can be optionally added to policies.

To specify the name and general settings

1. Enter the name and description for the Rule Set.

2. Specify the level of the Rule Set.
A Rule Set can be either a baseline Rule Set or an add-on Rule Set.

3. Click Next to move to the next page. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.


Select Rules

When creating a Rule Set, you must add the rules to the set. You add the rules on
the Select Rules page for that Rule Set.

To add rules to a Rule Set

1. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.
Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.

2. Change the rule order, if necessary, by selecting a rule and using the up and
down arrows to move the rule up or down the list.

This option may not apply to all Rule Sets.

3. You can disable or enable rules within the Rule Set, if necessary.
■ To disable a rule, remove the check mark in the Enable field of that rule.

■ To enable a rule, ensure that the check mark is present.

This option may not apply to all Rule Sets.

4. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Manage Application Spawning Rules

Application Spawning Rules are used in Application Control Policies. An
Application Spawning rule lets you specify whether an application or group is
allowed to spawn or run another application. This page lets you create, edit, and
delete rules.

To access the Application Spawning Rules tab

1. In the Navigation pane, click Policies, expand the Global Policy Definitions
item, and expand the Proactive Protection item.
2. Click Application Control.

The Global Application Control Policy Definitions page opens.

3. Click Advanced Configuration and select All Advanced Policy Components
from the drop-down menu.

4. Select Other Advanced Policy Components from the Select Application
Control Configuration Tasks drop-down.


5. Click the Application Spawning Rules and Rule Sets tab.


6. Click the Application Spawning Rules sub tab.

The Application Spawning Rules page opens.

This page includes the following buttons:

New
Click this button to create a new rule.

Edit
Select a rule and click this button to edit that object. Editing is the same
as creating a new object; you are just changing the existing values.

Copy
Select a rule and click this button to add a copy to the memory.

Paste
Click this button to paste a copy of the rule.

Delete
Select a rule and click this button to remove that rule from the list.

From this page, you can perform the following procedures:

To create an Application Spawning rule

1. Click New.
The Create New Application Spawning Rule window opens to the Name and
General Settings pane.

2. Enter the name and description for the rule and click Next.
The Target and Spawned Applications pane opens.

3. In the Apply this Rule to section, specify whether this rule applies to all
applications, an application group, or a specific application.
If you select Application Group or Application, you must specify the group or
application using the drop-down menus.

4. In the Select Which Application is Spawned section, specify whether this rule
allows all applications, an application group, or a specific application to
spawn.
If you select Application Group or Application, you must specify the group or
application using the drop-down menus.

5. Click Next.
The Specify Rule Actions and Time Frame pane opens.


6. In the Allow or Prevent Action and Audit Level section, specify the following
settings and the audit level for each of them:

Start Application
Whether the application is allowed to start other applications.

Use Security
Whether spawned applications use their own security setting (Child) or
that of the application which spawned them (Parent).

Use Default Integrity Level
Whether you want the application to allow use of the default integrity
level or whether it is prevented from doing so.

7. In the Select Time Frame section, specify the time frame during which this
rule applies.
If you do not specify a time frame, the rule always applies.
8. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Configure Names and General Settings

The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.

Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.

To specify the name and general settings


1. Enter the name and description for the rule.
2. Click Next to move to the next page.

Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.


Specify Target and Spawned Applications

This page lets you specify the target and spawned applications allowed by the
Application Spawning rule.

To specify the target and spawned applications

1. In the Apply this Rule to section, specify whether this rule applies to all
applications, an application group, or a specific application.
If you select Application Group or Application, you must specify the group or
application using the drop-down menus.

2. In the Select Which Application is Spawned section, specify whether this rule
allows all applications, an application group, or a specific application to
spawn.

If you select Application Group or Application, you must specify the group or
application using the drop-down menus.

3. Click Next.

The Specify Rule Actions and Time Frame pane opens.

Specify Rule Actions and Time Frame

This page lets you specify the rule actions and when the rule applies.

To specify the Allow or Prevent Action and Audit Level

1. In the Allow or Prevent Action and Audit Level section, specify the following
settings and the audit level for each of them:

Start Application
Whether the application is allowed to start other applications.

Use Security
Whether spawned applications use their own security setting (Child) or
that of the application which spawned them (Parent).

Use Default Integrity Level

Whether you want the application to allow use of the default integrity
level or whether it is prevented from doing so.

2. In the Select Time Frame section, specify the time frame during which this
rule applies.
If you do not specify a time frame, the rule always applies.
3. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.


Manage OS Security Rule Sets

OS Security Rule Sets contain a collection of OS Security Rules. Use the Rule
Sets when creating OS Security policies. This page lets you create, edit, and
delete Rule Sets. You can also reorder the Rule Sets as necessary.

To access the OS Security Rule Sets tab

1. In the Navigation pane, click Policies, expand the Global Policy Definitions
item, expand the Proactive Protection item, and click OS Security.
The OS Security Policy Definitions page opens.

2. Click Advanced Configuration and select All Advanced Policy Components
from the drop-down menu.

3. Select the OS Security Rules and Rule Sets tab and select the OS Security
Rule Sets sub tab.
The OS Security Rule Sets page opens.

This page includes the following buttons:

New
Click this button to create a new Rule Set.

Edit
Select a Rule Set and click this button to edit that object. Editing is the same
as creating a new object; you are just changing the existing values.

Copy

Select a Rule Set and click this button to add a copy to the memory.

Paste

Click this button to paste a copy of the Rule Set.

Delete
Select a Rule Set and click this button to remove that Rule Set from the list.

Order Rule Sets
Click this button to set the order in which the Rule Sets are applied.


From this page, you can perform the following procedures:

To create an OS Security Rule Set

1. Click New.
The Create New OS Security Rule Set window opens to the Name and
General Settings pane.

2. Enter the name and description for the Rule Set and click Next.
The File Access Rules pane opens.

3. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.
Change the rule order, if necessary, by selecting a rule and using the up and
down arrows to move the rule up or down the list.

4. Click Next.

5. Repeat these rule selection steps in each of the subsequent panes:

■ Registry Access Rules pane

■ COM Object Rules pane

■ Device Access Rules pane

■ System Privilege Rules pane

■ Service Control Rules pane

■ Remote Process Control Rules pane

■ DLL Loading Rules pane

In each of these panes, select the rule to add, use the double arrows to move
it to the Selected Rules table, change the rule order, if necessary, and click
Next.

6. Click Save to save your changes.


Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.


Order the Rule Set

Rule Sets can be ordered as necessary. Ordering the Rule Sets lets you ensure
the rules which are most important to you have the highest priority.

When viewing the Rule Sets order, the Rule Set at the top of the list has the
highest priority.

To order the Rule Sets

1. Click Order Rule Sets.
The Order Rule Sets page opens.

2. Use the View Rule Set drop-down menu to view all Rule Sets, Baseline Rule
Sets, or Add-on Rule Sets.

3. Select a Rule Set, then change the position of the Rule Set using the up and
down Priority arrows. The higher the Rule Set is on the list, the higher the
priority.
Changes are saved once you move a rule.

4. When you are finished setting the order, click Close.


The Order Rule Sets page closes.
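The Application Spawning rule fields described under Manage Application Spawning Rules (target and spawned application scopes, Allow or Prevent with an audit level, Child or Parent security, an optional time frame) and the Rule Set priority order set on this page can be exercised together in a small model. The following Python is an added example written for this guide, not CA code; it assumes first-match evaluation, the audit level labels, and the sample applications, groups, and Rule Sets it constructs.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Scope:
    """Selector for 'Apply this Rule to' and 'Select Which Application is Spawned'."""
    kind: str          # "all", "group" or "app"
    name: str = ""     # group or application name; unused for "all"

    def matches(self, app: str, groups: Dict[str, Set[str]]) -> bool:
        if self.kind == "all":
            return True
        if self.kind == "app":
            return app == self.name
        if self.kind == "group":
            return app in groups.get(self.name, set())
        raise ValueError(f"unknown scope kind {self.kind!r}")

@dataclass
class SpawningRule:
    name: str
    target: Scope                # the application doing the spawning
    spawned: Scope               # the application being started
    start_application: str       # "allow" or "prevent"
    audit_level: str             # constructed labels: "none", "log", "alert"
    use_security: str = "child"  # "child" = own security setting, "parent" = spawner's
    enabled: bool = True         # the Enable check mark inside a Rule Set
    time_frame: Optional[Tuple[time, time]] = None  # None: the rule always applies

    def in_time_frame(self, when: datetime) -> bool:
        if self.time_frame is None:
            return True
        start, end = self.time_frame
        now = when.time()
        if start <= end:
            return start <= now <= end
        return now >= start or now <= end  # frame that wraps past midnight

@dataclass
class RuleSet:
    name: str
    level: str                   # "baseline" or "add-on"
    rules: List[SpawningRule] = field(default_factory=list)

@dataclass
class Decision:
    rule_set: str
    rule: str
    action: str
    audit_level: str
    use_security: str

def evaluate_spawn(rule_sets: List[RuleSet], parent: str, child: str,
                   groups: Dict[str, Set[str]], when: datetime) -> Optional[Decision]:
    """Walk Rule Sets in priority order (top first) and rules in their configured
    order; the first enabled, in-time-frame match decides (first-match is assumed)."""
    for rs in rule_sets:
        for rule in rs.rules:
            if not rule.enabled or not rule.in_time_frame(when):
                continue
            if rule.target.matches(parent, groups) and rule.spawned.matches(child, groups):
                return Decision(rs.name, rule.name, rule.start_application,
                                rule.audit_level, rule.use_security)
    return None  # no rule matched: the policy is silent on this spawn

def reorder(rule_sets: List[RuleSet], name: str, direction: str) -> List[RuleSet]:
    """Move one Rule Set one position up or down, like the Priority arrows."""
    idx = [rs.name for rs in rule_sets].index(name)
    new = idx - 1 if direction == "up" else idx + 1
    if 0 <= new < len(rule_sets):
        rule_sets[idx], rule_sets[new] = rule_sets[new], rule_sets[idx]
    return rule_sets

# Constructed sample data: two application groups and two Rule Sets.
GROUPS = {"Office": {"winword.exe", "excel.exe"},
          "Shells": {"cmd.exe", "powershell.exe"}}
BASELINE = RuleSet("Baseline", "baseline", [
    SpawningRule("office-no-shells", Scope("group", "Office"), Scope("group", "Shells"),
                 "prevent", "alert"),
    SpawningRule("default-allow", Scope("all"), Scope("all"), "allow", "none"),
])
ADDON = RuleSet("Maintenance window", "add-on", [
    SpawningRule("word-cmd-after-hours", Scope("app", "winword.exe"), Scope("app", "cmd.exe"),
                 "allow", "log", use_security="parent", time_frame=(time(22, 0), time(6, 0))),
])

def demo() -> Dict[str, Optional[Decision]]:
    """Rule Set order, not Rule Set level, decides which matching rule wins."""
    sets = [BASELINE, ADDON]  # Baseline on top: highest priority
    noon, night = datetime(2024, 1, 1, 12, 0), datetime(2024, 1, 1, 23, 30)
    results = {
        "noon": evaluate_spawn(sets, "winword.exe", "cmd.exe", GROUPS, noon),
        "night_baseline_first": evaluate_spawn(sets, "winword.exe", "cmd.exe", GROUPS, night),
        "other_apps": evaluate_spawn(sets, "notepad.exe", "calc.exe", GROUPS, noon),
    }
    reorder(sets, "Maintenance window", "up")  # add-on now has the highest priority
    results["night_addon_first"] = evaluate_spawn(sets, "winword.exe", "cmd.exe", GROUPS, night)
    return results
```

Moving the add-on set above the baseline set is what lets its after-hours rule win; with the baseline set on top, the prevent rule matches first even inside the time frame.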

Configure the Rule Set Name and General Settings

The Name and General Settings page lets you specify the name and a description
for the Policy Component you are creating. For Rule sets, this page includes an
additional option letting you set whether a Rule Set is a baseline Rule Set or an
add-on Rule Set. Baseline Rule Sets form the ground work of a policy, whereas
add-on Rule Sets are additional rules that can be optionally added to policies.

To specify the name and general settings

1. Enter the name and description for the Rule Set.

2. Specify the level of the Rule Set.
A Rule Set can be either a baseline Rule Set or an add-on Rule Set.

3. Click Next to move to the next page. Click Save to save your changes.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.


Select the File Access Rules

From this page, you can select the rules that make up the OS Security Rule set.
For OS Security Rule sets, there are several rule categories from which you can
select the rules. Each category has its own page to better organize the rules.

To create an OS Security Rule Set

1. Select the rule to add from the Available Rules table.

2. Use the double arrows to move the rule to the Selected Rules table.

3. (Optional) Change the rule order as necessary by selecting a rule and using
the up and down arrows to move the rule up or down the list.

4. Click Next to continue to the next page if applicable.

Alternatively, click Save to save your changes, click Discard to remove any
changes you made but keep the page open, or click Close to close the page
without saving changes.

Select the Registry Access Rules

From this page, you can select the rules that make up the OS Security Rule set.
For OS Security Rule sets, there are several rule categories from which you can
select the rules. Each category has its own page to better organize the rules.

To create an OS Security Rule Set

1. Select the rule to add from the Available Rules table.

2. Use the double arrows to move the rule to the Selected Rules table.

3. (Optional) Change the rule order as necessary by selecting a rule and using
the up and down arrows to move the rule up or down the list.

4. Click Next to continue to the next page if applicable.

Alternatively, click Save to save your changes, click Discard to remove any
changes you made but keep the page open, or click Close to close the page
without saving changes.

Select the COM Object Rules

From this page, you can select the rules that make up the OS Security Rule set.
For OS Security Rule sets, there are several rule categories from which you can
select the rules. Each category has its own page to better organize the rules.

To create an OS Security Rule Set

1. Select the rule to add from the Available Rules table.

2. Use the double arrows to move the rule to the Selected Rules table.


3. (Optional) Change the rule order as necessary by selecting a rule and using
the up and down arrows to move the rule up or down the list.

4. Click Next to continue to the next page if applicable.

Alternatively, click Save to save your changes, click Discard to remove any
changes you made but keep the page open, or click Close to close the page
without saving changes.

Select the Device Access Rules

From this page, you can select the rules that make up the OS Security Rule set.
For OS Security Rule sets, there are several rule categories from which you can
select the rules. Each category has its own page to better organize the rules.

To create an OS Security Rule Set

1. Select the rule to add from the Available Rules table.

2. Use the double arrows to move the rule to the Selected Rules table.

3. (Optional) Change the rule order as necessary by selecting a rule and using
the up and down arrows to move the rule up or down the list.

4. Click Next to continue to the next page if applicable.

Alternatively, click Save to save your changes, click Discard to remove any
changes you made but keep the page open, or click Close to close the page
without saving changes.

Select the System Privilege Rules

From this page, you can select the rules that make up the OS Security Rule set.
For OS Security Rule sets, there are several rule categories from which you can
select the rules. Each category has its own page to better organize the rules.

To create an OS Security Rule Set

1. Select the rule to add from the Available Rules table.

2. Use the double arrows to move the rule to the Selected Rules table.

3. (Optional) Change the rule order as necessary by selecting a rule and using
the up and down arrows to move the rule up or down the list.

4. Click Next to continue to the next page if applicable.

Alternatively, click Save to save your changes, click Discard to remove any
changes you made but keep the page open, or click Close to close the page
without saving changes.


Select the Service Control Rules

From this page, you can select the rules that make up the OS Security Rule set.
For OS Security Rule sets, there are several rule categories from which you can
select the rules. Each category has its own page to better organize the rules.

To create an OS Security Rule Set

1. Select the rule to add from the Available Rules table.

2. Use the double arrows to move the rule to the Selected Rules table.

3. (Optional) Change the rule order as necessary by selecting a rule and using
the up and down arrows to move the rule up or down the list.

4. Click Next to continue to the next page if applicable.

Alternatively, click Save to save your changes, click Discard to remove any
changes you made but keep the page open, or click Close to close the page
without saving changes.

Select the Remote Process Control Rules

From this page, you can select the rules that make up the OS Security Rule set.
For OS Security Rule sets, there are several rule categories from which you can
select the rules. Each category has its own page to better organize the rules.

To create an OS Security Rule Set


1. Select the rule to add from the Available Rules table.

2. Use the double arrows to move the rule to the Selected Rules table.

3. (Optional) Change the rule order as necessary by selecting a rule and using
the up and down arrows to move the rule up or down the list.

4. Click Next to continue to the next page if applicable.

Alternatively, click Save to save your changes, click Discard to remove any
changes you made but keep the page open, or click Close to close the page
without saving changes.

Select the DLL Loading Rules

From this page, you can select the rules that make up the OS Security Rule set.
For OS Security Rule sets, there are several rule categories from which you can
select the rules. Each category has its own page to better organize the rules.

To create an OS Security Rule Set

1. Select the rule to add from the Available Rules table.

2. Use the double arrows to move the rule to the Selected Rules table.


3. (Optional) Change the rule order as necessary by selecting a rule and using
the up and down arrows to move the rule up or down the list.

4. Click Next to continue to the next page if applicable.

Alternatively, click Save to save your changes, click Discard to remove any
changes you made but keep the page open, or click Close to close the page
without saving changes.

Manage OS Security Rules

OS Security Rules let you protect certain objects from applications. Use the rules
when creating OS Security policies and Rule Sets. This page lets you create, edit,
and delete rules for the objects. This page is divided into several tabs, one for
each object type you can protect. All tabs function in the same manner, but only
display rules related to objects of that type.

To access the OS Security Rules tab

1. In the Navigation pane, click Policies, expand Global Policy Definitions, and
expand Proactive Protection.

2. Click OS Security.
The OS Security Policy Definitions page opens.

3. Click Advanced Configuration and select All Advanced Policy Components
from the drop-down menu.

4. Click the OS Security Rules and Rule Sets tab.

5. Click the OS Security Rules sub tab.

The OS Security Rules page opens.

This page includes the following buttons:

New
Click this button to create a new rule.

Edit
Select a rule and click this button to edit that object. Editing is the same
as creating a new object; you are just changing the existing values.

Copy
Select a rule and click this button to add a copy to the memory.

Paste
Click this button to paste a copy of the rule.

Delete
Select a rule and click this button to remove that rule from the list.


From this page, you can perform the following procedures:

To create an OS Security rule

1. Click the tab of the object type you want to protect and click New.
The Create New OS Security Rule window opens to the Name and General
Settings pane.

2. Enter the name and description for the rule and click Next.
The Target Application and Protected Object pane opens.

3. In the Apply this Rule to section, specify whether this rule applies to all
applications, an application group, or a specific application.
If you select Application Group or Application, you must specify the group or
application using the drop-down menus.

4. In the bottom section, specify whether this rule protects against all objects
of this type or a specific object.
If you select a specific object, you must specify the object in the drop-down
menu. The objects available vary depending on the type of object you
selected for this rule.

5. Click Next.

The Specify Rule Action and Time Frame pane opens.

6. In the Allow or Prevent Action and Audit level, specify which actions are
allowed or prevented and the audit level for each of these actions.

7. In the Select Time Frame section, specify the time frame during which this
rule applies.
If you do not specify a time frame, the rule always applies.

8. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Configure Names and General Settings

The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.

Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.


To specify the name and general settings

1. Enter the name and description for the rule.

2. Click Next to move to the next page.


Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.

Specify Target Application and Protected Object

This page lets you specify the target application and any applicable protected
objects.

To specify the target application details

1. In the Apply this Rule to section, specify whether this rule applies to all
applications, an application group, or a specific application.
If you select Application Group or Application, you must specify the group or
application using the drop-down menus.

2. In the bottom section, specify the protection options of this rule.
The options vary depending on the type of object you have selected.

3. Click Next.

The Specify Rule Actions and Time Frame pane opens.

Specify Rule Action and Time Frame

This page lets you specify the rule actions and when the rule applies.

To specify the Allow or Prevent Action and Audit Level

1. In the Allow or Prevent Action and Audit Level section, specify which actions
are allowed or prevented and the audit level for each of these.

2. In the Select Time Frame section, specify the time frame during which this
rule applies.
If you do not specify a time frame, the rule always applies.

3. Click Save to save your changes.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.


Manage Guard Rule Sets

The Guard Rule Sets contain a collection of Guard Rules. Guard rules let you
specify which of the OS Security rules are applied for the selected application or
group.

For example, application file access rules are applicable only if the file guard is
active for that application in the guard rule. Use the Rule Sets when creating OS
Security policies.

This page lets you create, edit, and delete Rule Sets.

To access the Guard Rule Sets tab


1. In the Navigation pane, click Policies, expand the Global Policy Definitions
item, and expand the Proactive Protection item.

2. Click OS Security.
The Global OS Security Policy Definitions page opens.

3. Click Advanced Configuration and select All Advanced Policy Components
from the drop-down menu.

4. Select the Guard Rules and Rule Sets tab and select the Guard Rule Sets sub
tab.

The Guard Rule Sets page opens.

This page includes the following buttons:

New
Click this button to create a new Rule Set.
Edit

Select a Rule Set and click this button to edit that object. Editing is the same
as creating a new object; you are just changing the existing values.

Copy

Select a Rule Set and click this button to add a copy to the memory.

Paste
Click this button to paste a copy of the Rule Set.

Delete
Select a Rule Set and click this button to remove that Rule Set from the list.


From this page, you can perform the following procedures:

To create a Guard Rule Set

1. Click New.
The Create New Guard Rule Set window opens to the Name and General
Settings pane.

2. Enter the name and description for the Rule Set and click Next.
The Select Rules pane opens.

3. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.
Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.

4. Click Save to save your changes.


Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Configure the Rule Set Name and General Settings

The Name and General Settings page lets you specify the name and a description
for the Policy Component you are creating. For Rule sets, this page includes an
additional option letting you set whether a Rule Set is a baseline Rule Set or an
add-on Rule Set. Baseline Rule Sets form the ground work of a policy, whereas
add-on Rule Sets are additional rules that can be optionally added to policies.

To specify the name and general settings

1. Enter the name and description for the Rule Set.

2. Specify the level of the Rule Set.
A Rule Set can be either a baseline Rule Set or an add-on Rule Set.

3. Click Next to move to the next page. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.


Select Rules

When creating a Rule Set, you must add the rules to the set. You add the rules on
the Select Rules page for that Rule Set.

To add rules to a Rule Set

1. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.
Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.

2. Change the rule order, if necessary, by selecting a rule and using the up and
down arrows to move the rule up or down the list.

This option may not apply to all Rule Sets.

3. You can disable or enable rules within the Rule Set, if necessary.
■ To disable a rule, remove the check mark in the Enable field of that rule.

■ To enable a rule, ensure that the check mark is present.

This option may not apply to all Rule Sets.

4. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Manage Guard Rules

The Guard Rules let you protect your applications from unwanted access.

This page lets you create, edit, and delete rules.

To access the Guard Rules tab

1. In the Navigation pane, click Policies, expand the Global Policy Definitions
item, and expand the Proactive Protection item.
2. Click OS Security.
The Global OS Security Policy Definitions page opens.

3. Click Advanced Configuration and select All Advanced Policy Components
from the drop-down menu.

4. Select the Guard Rules and Rule Sets tab, and select the Guard Rules sub
tab.
The Guard Rules page opens.


This page includes the following buttons:

New
Click this button to create a new rule.

Edit
Select a rule and click this button to edit that object. Editing is the same
as creating a new object; you are just changing the existing values.

Copy
Select a rule and click this button to add a copy to the memory.

Paste
Click this button to paste a copy of the rule.

Delete
Select a rule and click this button to remove that rule from the list.

From this page, you can perform the following procedures:

To create a Guard rule

1. Click New.

The Create New Guard Rule Set window opens to the Name and General
Settings pane.

2. Enter the name and description for the application and click Next.

The Select Application or Application Group pane opens.

3. Specify whether you want this rule to apply to all applications, a group of
applications, or a specific application, and click Next.

The Active Guard Setting pane opens.

4. In the Active Guard Settings section, enable each object that you want to
have protected by the active guard.

5. Click Save to save your changes.


Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Configure Names and General Settings

The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.

Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.

To specify the name and general settings

1. Enter the name and description for the rule.

2. Click Next to move to the next page.

Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.

Specify Applications or Application Groups

From this page, you can specify the applications or application groups to which a
rule applies:

To specify the applications or application groups of a rule

1. Specify whether you want this rule to apply to all applications, a group of
applications, or a specific application.
2. Click Next to move to the next page. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Specify Active Guard Settings

From this page, you can specify the Active Guard settings for this rule:

To specify the Active Guard settings

1. In the Active Guard Settings section, enable each object that you want to
have protected by the active guard.

2. Click Save to save your changes.


Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Create Certificate Definitions

Certificate definitions let you specify certificate details for use in Application
Control policies. Each definition covers one certificate. If you have multiple
certificates, you must create a definition for each. When creating certificate
definitions, follow this process:

1. Specify the name and general setting (see page 321).

2. Specify the certificate details (see page 396).

This page includes the following buttons:

New
Click this button to create a new definition of this type. Once clicked, the
page shifts to the Name and General Settings pane for this type of definition.

Edit
Select a definition and click this button to edit that definition. Editing a
definition is the same as creating a new definition, except that you are changing
the existing values.

Copy
Select a definition and click this button to copy the definition. The new copy
is stored in memory until pasted.

Paste
Click this button to paste a copied definition. The pasted copy's name is
appended with a number to indicate it is a copy. You cannot paste without
first copying a definition.

Delete
Select a definition and click this button to delete the definition. There is no
confirmation screen, so be careful when deleting definitions.

Configure Names and General Settings

The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.

Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.

To specify the name and general settings

1. Enter the name and description for the rule.

2. Click Next to move to the next page.


Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.

Specify Certificate Details

The Certificate Details page lets you specify the details of a certificate for a
certificate definition. Each definition applies to only one certificate.

To add certificate details

1. In the Public Key field, enter the value of the public key for this certificate.

This field is required.

2. In the Issued To field, enter to whom the certificate has been issued.

This field is optional. You can use this field if the certificate was issued by a
third party and you want to ensure only certificates issued by that third party
are valid.

3. Using the Valid From and Valid To fields, enter the date range for which
the certificate is valid.

These fields are optional.

4. Click Save to save your changes.

Your changes are saved, and the page closes.


Alternatively, click Discard to remove any changes you made but keep the
page open, click Close to close the page without saving changes, or click
Back to return to the Name and General Settings for this definition.

Create File Definitions

File definitions define a group of files or folders for use in OS Security. When
creating file definitions, follow this process:

1. Specify the name and general setting (see page 321).

2. Specify the file items (see page 443).

This page includes the following buttons:

New
Click this button to create a new definition of this type. Once clicked, the
page shifts to the Name and General Settings pane for this type of definition.

Edit
Select a definition and click this button to edit that definition. Editing a
definition is the same as creating a new definition, except that you are changing
the existing values.

Copy
Select a definition and click this button to copy the definition. The new copy
is stored in memory until pasted.

Paste
Click this button to paste a copied definition. The pasted copy's name is
appended with a number to indicate it is a copy. You cannot paste without
first copying a definition.

Delete
Select a definition and click this button to delete the definition. There is no
confirmation screen, so be careful when deleting definitions.

Configure Names and General Settings

The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.

Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.

To specify the name and general settings

1. Enter the name and description for the rule.

2. Click Next to move to the next page.

Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.

Add File Items

The file definition page lets you add file definitions for OS Security rules and
policies.

To add file items

1. In the Item field, enter the path of the file.

To add a special folder such as a CD ROM drive, use the Special Folders
drop-down menu.

2. Click Add.

The file is added to the list.

3. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

To remove file items

1. Select the item to remove and click Remove.

The item is deleted from the list.

2. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

To modify a file item

1. Select the file item to modify and click Modify.

2. Enter the new path in the Item field.

Note: To clear the Item field, click Clear.

3. Click Update.

The file item is updated to match the new details.

4. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Create Registry Definitions

Registry definitions define a group of registry keys for use in OS Security. When
creating registry definitions, follow this process:

1. Specify the name and general setting (see page 321).

2. Specify the registry items (see page 445).

This page includes the following buttons:

New
Click this button to create a new definition of this type. Once clicked, the
page shifts to the Name and General Settings pane for this type of definition.

Edit
Select a definition and click this button to edit that definition. Editing a
definition is the same as creating a new definition, except that you are changing
the existing values.

Copy
Select a definition and click this button to copy the definition. The new copy
is stored in memory until pasted.

Paste
Click this button to paste a copied definition. The pasted copy's name is
appended with a number to indicate it is a copy. You cannot paste without
first copying a definition.

Delete
Select a definition and click this button to delete the definition. There is no
confirmation screen, so be careful when deleting definitions.

Configure Names and General Settings

The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.

Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.

To specify the name and general settings

1. Enter the name and description for the rule.

2. Click Next to move to the next page.

Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.

Add Registry Items

The registry definition page lets you add registry definitions for OS Security rules
and policies. The values you enter for the registry keys should start with HKCR,
HKCU, HKLM, HKU or HKCC.

To add registry items

1. In the Item field, enter the value of the registry item and click Add.

The registry item is added to the list.

2. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

To remove registry items

1. Select the item to remove and click Remove.

The item is deleted from the list.

2. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

To modify a registry item

1. Select the registry item to modify and click Modify.

2. Enter the new value in the Item field.

Note: To clear the Item field, click Clear.

3. Click Update.

The registry item is updated to match the new details.

4. Click Update to accept the changes.

5. Click Save.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Create COM Definitions

COM definitions define a group of OLE or COM objects for use in OS Security.
When creating COM definitions, follow this process:

1. Specify the name and general setting (see page 321).

2. Specify the OLE/COM items (see page 447).

This page includes the following buttons:

New
Click this button to create a new definition of this type. Once clicked, the
page shifts to the Name and General Settings pane for this type of definition.

Edit
Select a definition and click this button to edit that definition. Editing a
definition is the same as creating a new definition, except that you are changing
the existing values.

Copy
Select a definition and click this button to copy the definition. The new copy
is stored in memory until pasted.

Paste
Click this button to paste a copied definition. The pasted copy's name is
appended with a number to indicate it is a copy. You cannot paste without
first copying a definition.

Delete
Select a definition and click this button to delete the definition. There is no
confirmation screen, so be careful when deleting definitions.

Configure Names and General Settings

The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.

Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.

To specify the name and general settings

1. Enter the name and description for the rule.

2. Click Next to move to the next page.

Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.

Add OLE/COM Items

The OLE/COM definition page lets you add OLE or COM definitions for OS Security
rules and policies.

To add OLE/COM items

1. In the Item field, enter the CLSID (class ID) of the COM component in a valid
format and click Add.

The OLE/COM item is added to the list.

2. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

To remove OLE/COM items

1. Select the item to remove and click Remove.

The item is deleted from the list.

2. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

To modify an OLE/COM item

1. Select the OLE/COM item to modify and click Modify.

2. Enter the new value in the Item field.

Note: To clear the Item field, click Clear.

3. Click Update.

The OLE/COM item is updated to match the new details.

4. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Create Service Definitions

Service definitions define a group of services for use in OS Security. When
creating service definitions, follow this process:

1. Specify the name and general setting (see page 321).

2. Specify the service items (see page 449).

This page includes the following buttons:

New
Click this button to create a new definition of this type. Once clicked, the
page shifts to the Name and General Settings pane for this type of definition.

Edit
Select a definition and click this button to edit that definition. Editing a
definition is the same as creating a new definition, except that you are changing
the existing values.

Copy
Select a definition and click this button to copy the definition. The new copy
is stored in memory until pasted.

Paste
Click this button to paste a copied definition. The pasted copy's name is
appended with a number to indicate it is a copy. You cannot paste without
first copying a definition.

Delete
Select a definition and click this button to delete the definition. There is no
confirmation screen, so be careful when deleting definitions.

Configure Names and General Settings

The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.

Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.

To specify the name and general settings

1. Enter the name and description for the rule.

2. Click Next to move to the next page.

Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.

Add Service Items

The service definition page lets you add service definitions for OS Security rules
and policies. The items you are defining are service names. A service is identified
by its registry key name found under
HKLM\System\CurrentControlSet\Services.

To add service items

1. In the Item field, enter the value of the service item and click Add.

The service item is added to the list.

2. Click Save to save your changes.


Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

To remove service items

1. Select the item to remove and click Remove.

The item is deleted from the list.

2. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

To modify a service item

1. Select the service item to modify and click Modify.

2. Enter the new value in the Item field.

Note: To clear the Item field, click Clear.

3. Click Update.

The service item is updated to match the new details.

4. Click Save to save your changes.


Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Create Device Definitions

Device definitions define a device or group of devices for use in OS Security.
When creating device definitions, follow this process:

1. Specify the name and general setting (see page 321).

2. Specify the device items (see page 451).

This page includes the following buttons:

New
Click this button to create a new definition of this type. Once clicked, the
page shifts to the Name and General Settings pane for this type of definition.

Edit
Select a definition and click this button to edit that definition. Editing a
definition is the same as creating a new definition, except that you are changing
the existing values.

Copy
Select a definition and click this button to copy the definition. The new copy
is stored in memory until pasted.

Paste
Click this button to paste a copied definition. The pasted copy's name is
appended with a number to indicate it is a copy. You cannot paste without
first copying a definition.

Delete
Select a definition and click this button to delete the definition. There is no
confirmation screen, so be careful when deleting definitions.

Configure Names and General Settings

The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.

Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.

To specify the name and general settings

1. Enter the name and description for the rule.

2. Click Next to move to the next page.

Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.

Add Device Items

The device definition page lets you add device definitions for OS Security rules
and policies. For devices, there is a strict pattern you must follow for specifying
the path.

Paths must be in one of the following patterns:

■ <driver-name>\DevN\*\<device-name>
■ <driver-name>\Link\<class>\<link>

You can use wildcards to define the path. For example, you can specify the
following paths using wildcards:

Tcpip\DevN\*\RawIp
*\Link\Modem\*
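
The following is an added example, not code from the CA Total Defense product, covering the item syntax from the registry, OLE/COM and device item sections: registry items must start with one of the listed root keys, a CLSID is assumed (the guide does not define "valid format") to be the usual braced GUID form, and device items must follow one of the two patterns above, with each backslash-separated part treated as a wildcard glob. The concrete device paths used for matching are constructed samples.

```python
import fnmatch
import re

# Registry items must start with one of these root keys (listed in the guide).
REGISTRY_ROOTS = ("HKCR", "HKCU", "HKLM", "HKU", "HKCC")

# Assumption: "valid format" for a CLSID is the braced GUID form.
_CLSID = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$",
    re.IGNORECASE,
)

# The two documented device item patterns. Each backslash-separated
# component is later matched as a glob so that "*" acts as the wildcard.
_DEVN = re.compile(
    r"^(?P<driver>[^\\]+)\\DevN\\(?P<instance>[^\\]+)\\(?P<device>[^\\]+)$",
    re.IGNORECASE,
)
_LINK = re.compile(
    r"^(?P<driver>[^\\]+)\\Link\\(?P<class>[^\\]+)\\(?P<link>[^\\]+)$",
    re.IGNORECASE,
)


def is_valid_registry_item(item):
    """True if the item names a key under one of the documented root keys.

    A bare root ("HKLM") is accepted; a root followed by an empty path
    ("HKLM\\") is not."""
    root, sep, rest = item.partition("\\")
    return root.upper() in REGISTRY_ROOTS and (not sep or bool(rest))


def is_valid_clsid_item(item):
    """True if the item looks like a braced GUID (assumed CLSID form)."""
    return bool(_CLSID.match(item.strip()))


def parse_device_item(item):
    """Return a dict describing a device item, or raise ValueError when the
    item follows neither of the two documented patterns."""
    match = _DEVN.match(item)
    if match:
        return {"kind": "DevN", **match.groupdict()}
    match = _LINK.match(item)
    if match:
        return {"kind": "Link", **match.groupdict()}
    raise ValueError(f"device item {item!r} does not follow a supported pattern")


def is_valid_device_item(item):
    try:
        parse_device_item(item)
    except ValueError:
        return False
    return True


def device_item_matches(item, device_path):
    """True if the (possibly wildcarded) definition item covers device_path.

    device_path is a concrete path in the same layout, for example the
    constructed sample 'Tcpip\\DevN\\Dev0\\RawIp'. Matching is
    case-insensitive (assumption: names compare as Windows compares them)."""
    wanted = parse_device_item(item)
    try:
        actual = parse_device_item(device_path)
    except ValueError:
        return False
    if wanted["kind"] != actual["kind"]:
        return False
    return all(
        fnmatch.fnmatchcase(actual[key].lower(), wanted[key].lower())
        for key in wanted
        if key != "kind"
    )
```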

To add device items

1. In the Item field, enter the value of the device item and click Add.

The device item is added to the list.

2. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

To remove device items

1. Select the item to remove and click Remove.

The item is deleted from the list.

2. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

To modify a device item

1. Select the device item to modify and click Modify.

2. Enter the new value in the Item field.

Note: To clear the Item field, click Clear.

3. Click Update.

The device item is updated to match the new details.

4. Click Save to save your changes.


Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

Create Transport Definitions

Transport definitions define a group of open ports and protocols that can be used
in various rules. One transport definition can contain any number of protocols
over any ports. When creating a transport definition, follow this procedure:
1. Specify the name and general setting (see page 321).

2. Specify the open ports (see page 319).

This page includes the following buttons:

New
Click this button to create a new definition of this type. Once clicked, the
page shifts to the Name and General Settings pane for this type of definition.

Edit
Select a definition and click this button to edit that definition. Editing a
definition is the same as creating a new definition, except that you are changing
the existing values.

Copy
Select a definition and click this button to copy the definition. The new copy
is stored in memory until pasted.

Paste
Click this button to paste a copied definition. The pasted copy's name is
appended with a number to indicate it is a copy. You cannot paste without
first copying a definition.

Delete
Select a definition and click this button to delete the definition. There is no
confirmation screen, so be careful when deleting definitions.

Configure Names and General Settings

The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.

Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.

To specify the name and general settings

1. Enter the name and description for the rule.

2. Click Next to move to the next page.


Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.

Add or Remove Open Ports

Use this page to add, edit, or remove open ports. You can also specify whether to
negate source or destination ports.

To add an open port

1. Specify the protocol used by the port.

2. Specify the Destination ports.

The manner of specifying ports depends on the protocol you use. For most
protocols, you can choose a single port, a range of ports, or all ports.

When specifying a single port or range of ports, you must also supply the
required values. For the ICMP protocol you must specify a function.

3. Click Add.

The ports are added to the table.

4. Click Save.

The changes are saved and you are returned to the Open System Ports page.

To remove a port

1. Select the port to remove from the list and click Remove.

The port is removed from the table.

2. Click Save.

The changes are saved and you are returned to the Open System Ports page.

To modify a port

1. Select the port to modify from the list and click Modify.

2. Change the protocol and destination port.

3. Click Update.

The port is updated to the new value.

4. Click Save.

The changes are saved and you are returned to the Open System Ports page.

Negating source or destination ports applies to all ports in the list. Negating a
group of ports means that all the ports except those listed are available to use.

To negate source or destination ports

1. Enable one or both of the following options:

Negate Source Ports
Use all ports except the source ports specified.

Negate Destination Ports
Use all ports except the destination ports specified.

2. Click Save.

The changes are saved and you are returned to the Open System Ports page.
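
As an added example (not code from the CA Total Defense product), the following models a transport definition as the procedures above describe it: any number of protocol entries, each a single port, a port range, all ports, or an ICMP function, with the Negate Destination Ports option applying to the whole list rather than to one row. Only destination ports are modeled, since those are what the add procedure specifies; treating the ICMP "function" as the ICMP message type number is an assumption.

```python
MAX_PORT = 65535


def is_valid_port(port):
    """Ports are integers in the 0..65535 range."""
    return isinstance(port, int) and 0 <= port <= MAX_PORT


class TransportDefinition:
    """One transport definition: a list of protocol/port entries plus the
    definition-wide negate flag."""

    def __init__(self, name, negate_destination=False):
        self.name = name
        self.negate_destination = negate_destination
        # (protocol, spec) tuples; spec is ("all",), ("port", n),
        # ("range", low, high) or ("icmp", function).
        self.entries = []

    def add_all_ports(self, protocol):
        self.entries.append((protocol.upper(), ("all",)))

    def add_port(self, protocol, port):
        if not is_valid_port(port):
            raise ValueError(f"port out of range: {port!r}")
        self.entries.append((protocol.upper(), ("port", port)))

    def add_port_range(self, protocol, low, high):
        if not (is_valid_port(low) and is_valid_port(high) and low <= high):
            raise ValueError(f"bad port range: {low!r}-{high!r}")
        self.entries.append((protocol.upper(), ("range", low, high)))

    def add_icmp(self, function):
        # ICMP has no ports; the guide asks for a "function" instead.
        # Assumption: modeled here as the ICMP message type number.
        self.entries.append(("ICMP", ("icmp", function)))

    def _listed(self, protocol, value):
        """True if value (a port, or an ICMP function) appears in the list."""
        protocol = protocol.upper()
        for proto, spec in self.entries:
            if proto != protocol:
                continue
            kind = spec[0]
            if kind == "all":
                return True
            if kind == "port" and spec[1] == value:
                return True
            if kind == "range" and spec[1] <= value <= spec[2]:
                return True
            if kind == "icmp" and spec[1] == value:
                return True
        return False

    def allows_destination(self, protocol, port):
        """True if traffic to protocol/port is covered by the definition.
        With negation on, every port except the listed ones is covered."""
        listed = self._listed(protocol, port)
        return not listed if self.negate_destination else listed

    def allows_icmp(self, function):
        """Same rule for ICMP entries (assumption: negation applies to them too)."""
        listed = self._listed("ICMP", function)
        return not listed if self.negate_destination else listed
```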

Create IP Address Definitions

IP Address definitions identify a group of IP Addresses that can be used in
different rules.

When entering an IP address, you can enter a single IP address or multiple IP
addresses separated by "," ";" or a space. You can enter IP address ranges
separated by a dash. You can enter IP address ranges using CIDR or subnet
mask notation and can enter IP v6 or v4 addresses.

When creating an IP Address definition, follow this procedure:

1. Specify the name and general setting (see page 321).

2. Specify the IP addresses (see page 318).

This page includes the following buttons:

New
Click this button to create a new definition of this type. Once clicked, the
page shifts to the Name and General Settings pane for this type of definition.

Edit
Select a definition and click this button to edit that definition. Editing a
definition is the same as creating a new definition, except that you are changing
the existing values.

Copy
Select a definition and click this button to copy the definition. The new copy
is stored in memory until pasted.

Paste
Click this button to paste a copied definition. The pasted copy's name is
appended with a number to indicate it is a copy. You cannot paste without
first copying a definition.

Delete
Select a definition and click this button to delete the definition. There is no
confirmation screen, so be careful when deleting definitions.

Configure Names and General Settings

The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.

Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.

To specify the name and general settings

1. Enter the name and description for the rule.

2. Click Next to move to the next page.

Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.

Add or Remove IP Addresses

Use this page to add or remove IP addresses.

When entering an IP address, you can enter a single IP address or multiple IP
addresses separated by "," ";" or a space. You can enter IP address ranges
separated by a dash. You can enter IP address ranges using CIDR or subnet
mask notation and can enter IP v6 or v4 addresses.
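
As an added example (not code from the CA Total Defense product), the following parses the address syntax just described, as it also appears under Create IP Address Definitions: addresses separated by "," ";" or whitespace, dash-separated ranges, and CIDR or subnet-mask networks in IPv4 or IPv6, and then tests addresses for membership. The definition string used in the test is constructed.

```python
import ipaddress
import re

# Separators the guide allows between entries: comma, semicolon or space.
_SEPARATORS = re.compile(r"[,;\s]+")


def parse_ip_definition(text):
    """Return a list of entries: ip_address objects, ip_network objects, or
    (first, last) address tuples for dash-separated ranges.

    Raises ValueError on malformed input so that a bad definition is rejected
    as a whole rather than silently matching fewer addresses."""
    entries = []
    for token in _SEPARATORS.split(text.strip()):
        if not token:
            continue
        if "-" in token:
            first_text, last_text = token.split("-", 1)
            first = ipaddress.ip_address(first_text)
            last = ipaddress.ip_address(last_text)
            if first.version != last.version:
                raise ValueError(f"mixed IP versions in range {token!r}")
            if last < first:
                raise ValueError(f"range {token!r} ends before it starts")
            entries.append((first, last))
        elif "/" in token:
            # strict=False accepts host bits in the address part; the mask may
            # be a prefix length or, for IPv4, a dotted subnet mask.
            entries.append(ipaddress.ip_network(token, strict=False))
        else:
            entries.append(ipaddress.ip_address(token))
    if not entries:
        raise ValueError("IP address definition is empty")
    return entries


def definition_contains(entries, address):
    """True if address falls within any entry of a parsed definition."""
    addr = ipaddress.ip_address(address)
    for entry in entries:
        if isinstance(entry, tuple):
            first, last = entry
            # Compare only within one IP version; mixed comparisons raise.
            if addr.version == first.version and first <= addr <= last:
                return True
        elif isinstance(entry, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
            if addr in entry:
                return True
        elif addr == entry:
            return True
    return False


def is_valid_ip_definition(text):
    """Convenience wrapper: True if the text parses as a definition."""
    try:
        parse_ip_definition(text)
    except ValueError:
        return False
    return True
```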

To add an IP address

1. Enter the IP address in the IP Address field and click Add.

The address is added to the table.

2. Click Save.

The changes are saved and you are returned to the Open System Ports page.

To remove an IP address

1. Select the IP address to remove from the list and click Remove.

The address is removed from the table.

2. Click Save.

The changes are saved and you are returned to the Open System Ports page.

To modify an IP address

1. Select the IP address to modify from the list and click Modify.

2. Change the IP address.

Alternatively, use the Clear button to clear the IP Address field, if necessary.

3. Click Update.

The address is updated to the new value.

4. Click Save.

The changes are saved and you are returned to the Open System Ports page.

Create Time Frame Definitions

Time Frame definitions define an interval or intervals of time that can be used in
rules. When creating a Time Frame definition, follow this procedure:

1. Specify the name and general setting (see page 457).

2. Specify the time periods for the Time Frame definition (see page 457).

This page includes the following buttons:

New
Click this button to create a new definition of this type. Once clicked, the
page shifts to the Name and General Settings pane for this type of definition.

Edit
Select a definition and click this button to edit that definition. Editing a
definition is the same as creating a new definition, except that you are changing
the existing values.

Copy
Select a definition and click this button to copy the definition. The new copy
is stored in memory until pasted.

Paste
Click this button to paste a copied definition. The pasted copy's name is
appended with a number to indicate it is a copy. You cannot paste without
first copying a definition.

Delete
Select a definition and click this button to delete the definition. There is no
confirmation screen, so be careful when deleting definitions.

Configure Time Frame General Settings

The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.

Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.

To specify the name and general settings

1. Enter the name and description for the rule.

2. Click Next to move to the next page.

Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.

Add Time Intervals to Time Frame Definitions

Use this page to add or remove time intervals to your time frame definition.

To add time intervals

1. Select the day of the week for this time interval.

To have the definition span multiple days, you must add each day
separately.

2. Enter the start time in the Time From field and the ending time in the Time To
field to identify the time interval and click Add.

The time interval is added to the table.

3. Repeat the preceding steps for each time interval to add.

4. Click Save.

The changes are saved.


To remove a time interval

1. Select the time interval to remove from the list and click Remove.

The time interval is removed from the table.

2. Click Save.

The changes are saved.

To modify a time interval

1. Select the time interval to modify from the list and click Modify.

2. Change the time interval data.

You can modify the Day of Week, Time To, or Time From field.

3. Click Update.

The time interval is updated to the new value.

4. Click Save.

The changes are saved.

Additionally, you can use the Clear button to clear the data fields instead of
adding the time interval.
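The procedures above describe a Time Frame as a table of intervals, each with a Day of Week, a Time From and a Time To, where a window that spans several days is entered one day at a time. The following is an added example (not code from the guide or from the CA Total Defense product) that models such a definition and evaluates whether a given moment falls inside it. The tuple layout, the rule that Time From must precede Time To within one day, and the helper names are assumptions of this example.

```python
from datetime import datetime, time

# Day names as shown in the console's Day of Week field (assumed order,
# aligned with datetime.weekday(): Monday == 0).
DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")


def add_interval(definition, day, time_from, time_to):
    """Append one (day, from, to) interval; mirrors the console's Add button,
    which accepts exactly one day of the week per interval."""
    if day not in DAYS:
        raise ValueError(f"unknown day of week: {day}")
    start = time.fromisoformat(time_from)
    end = time.fromisoformat(time_to)
    if start >= end:
        # Assumption: an interval lies within one calendar day, so a window
        # that crosses midnight is entered as two intervals (late evening of
        # day N and early morning of day N+1).
        raise ValueError(f"Time From {time_from} must be earlier than Time To {time_to}")
    definition.append((day, start, end))
    return definition


def add_daily_span(definition, days, time_from, time_to):
    """Convenience helper: add the same interval separately for each day,
    which is what the guide requires for a multi-day definition."""
    for day in days:
        add_interval(definition, day, time_from, time_to)
    return definition


def in_time_frame(definition, moment):
    """True if `moment` falls inside any interval of the definition.
    The end time is exclusive (assumption of this example)."""
    day = DAYS[moment.weekday()]
    t = moment.time()
    return any(d == day and start <= t < end for d, start, end in definition)


def business_hours():
    """Constructed sample: Monday to Friday 09:00-17:00 plus Saturday morning,
    built one day per interval."""
    definition = []
    add_daily_span(definition, DAYS[:5], "09:00", "17:00")
    add_interval(definition, "Saturday", "08:00", "12:00")
    return definition


if __name__ == "__main__":
    frame = business_hours()
    for moment in (datetime(2024, 1, 8, 10, 30), datetime(2024, 1, 8, 18, 0),
                   datetime(2024, 1, 13, 9, 0), datetime(2024, 1, 14, 9, 0)):
        print(moment, "->", "inside" if in_time_frame(frame, moment) else "outside")
```

Because a rule bound to a Time Frame only applies while the definition matches, a missing day entry silently makes the rule inactive on that day; building the definition through a helper such as add_daily_span and then checking a few known timestamps is a cheap way to confirm the table covers what you intended.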

Enroll New Applications

The Proactive Protection policies of the CA Total Defense product include several
application lists. These lists include the Application White list, the Application
Black list, the Applications with Internet Access list, and several others. You can
enroll new applications to these lists. For example, if your company supports a
certain web browser, you would enroll that application in the Applications with
Internet Access list. Though the lists vary, the process for enrolling new
applications is the same.


When using checksums, the checksum-related options are used for integrity
check rules. To use an integrity check on an application, you must enroll the
application using one of the checksum options. When using checksums, you
must copy the file to the Management Console server in the directory
WebServices\Checksum, then calculate the checksum. You can also add multiple
checksums, as necessary. This must be done if there are multiple versions of the
same file, since each version has a different checksum.

To enroll a new application

1. Click New, and select Enroll New Application from the drop-down menu.

The Enroll New Application window opens to the Name and General Settings
pane.

2. Enter the name and description for the application and click Next.

The Application Identification pane opens.

3. Specify one of the following options to indicate how to identify the
application, and provide details for that option, when applicable:

Path

Use this option to specify the path to the application executable. Use this
option if you know the path is constant.

Filename

Use this option to specify the filename of the application.

Checksum

Use this option to enroll applications based on their checksum. You must
copy the file to the Management Console server in the directory
WebServices\Checksum, then calculate the checksum. You can add
multiple checksums if you have multiple versions of the same file, since each
version has a different checksum.

Checksum and Path

Use this option to enroll the application based on both path and
checksum.

Checksum and Filename

Use this option to enroll the application based on both checksum and
filename.

Signed by Certificate in Trusted Store

Use this option to enroll the application based on a signed certificate
located in the trusted store.

Signed by Certificate in Trusted Store and Path

Use this option to enroll the application based on both certificate and
path.


Signed by Certificate in Trusted Store and Filename

Use this option to enroll the application based on both certificate and
filename.

Signed by Known Certificate

Use this option to enroll the application based on a Known Certificate.
You must specify the location of the certificate and select the certificate
definition. You can create a certificate definition using Application
Control advanced configuration options.

Signed by Known Certificate and Path

Use this option to enroll the application based on a Known Certificate and
path.

Signed by Known Certificate and Filename

Use this option to enroll the application based on a Known Certificate and
filename.

4. Click Next.

The Associated Group pane opens.

5. Enable the Associated group option, if applicable, and specify which
associated group is used.

You can use Associated groups if the application you enroll creates another
application. The Associated Group specifies an application group in which the
created application is enrolled.

These groups are especially useful in installations, since you can have any
files installed by an installer enrolled in the associated group.

6. Click Next.

The Identity Redirection pane opens.

7. Highlight any applicable Identity Redirection, use the double arrows to move
the redirection to the correct list, and click Next.

The Add Application to Application Groups pane opens.

8. Highlight any applicable application group and use the double arrows to
move the group to the correct list.

9. Click Save to save your changes.

Your changes are saved, and the Enroll New Application page closes.
Alternatively, click Back to return to the previous page, click Discard to
remove any changes you made, or click Close to close the page without
saving changes.
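The identification options in step 3 differ in how tightly they bind a rule to a binary: a Filename match follows the file wherever it is copied, a Path match follows the location whatever is placed there, and a Checksum match follows the exact bytes, which is why a new version needs its own checksum entry. The following is an added example (not code from the guide or from the product) that evaluates the path, filename and checksum options against a few constructed in-memory "executables". SHA-256 is this example's choice, since the guide does not name the checksum algorithm; the record layout, the helper names and the sample paths are assumptions, and the certificate-based options are left out because they need a real signature check.

```python
import hashlib
from pathlib import PureWindowsPath

# Two constructed "builds" of the same executable; the bytes stand in for
# copies the administrator would place under WebServices\Checksum.
V1 = b"browser build 1.0 (constructed bytes)"
V2 = b"browser build 2.0 (constructed bytes)"

# Constructed observations: (path where the binary ran, its contents).
OBSERVED = [
    (r"C:\Program Files\Browser\browser.exe", V1),   # installed copy, version 1
    (r"C:\Program Files\Browser\browser.exe", V2),   # same path after an upgrade
    (r"C:\Users\guest\Downloads\browser.exe", V1),   # same bytes, untrusted location
]


def checksum(data: bytes) -> str:
    """Checksum as this example defines it (SHA-256 hex digest, an assumption)."""
    return hashlib.sha256(data).hexdigest()


def enroll(name, option, path=None, filename=None, checksums=()):
    """Build an enrollment record: the chosen identification option plus the
    values it needs. Several checksums are allowed, one per file version."""
    return {"name": name, "option": option, "path": path,
            "filename": filename, "checksums": set(checksums)}


def matches(record, exe_path, exe_bytes):
    """Does the observed binary satisfy the record's identification option?"""
    observed = PureWindowsPath(exe_path)
    # PureWindowsPath compares case-insensitively and normalises separators.
    path_ok = record["path"] is not None and PureWindowsPath(record["path"]) == observed
    name_ok = record["filename"] is not None and observed.name.lower() == record["filename"].lower()
    sum_ok = checksum(exe_bytes) in record["checksums"]
    return {
        "Path": path_ok,
        "Filename": name_ok,
        "Checksum": sum_ok,
        "Checksum and Path": sum_ok and path_ok,
        "Checksum and Filename": sum_ok and name_ok,
    }[record["option"]]


def matching_observations(record, observed=OBSERVED):
    """Indexes into `observed` that the record identifies."""
    return [i for i, (path, data) in enumerate(observed) if matches(record, path, data)]


if __name__ == "__main__":
    strict = enroll("Browser", "Checksum and Path",
                    path=r"C:\Program Files\Browser\browser.exe", checksums=[checksum(V1)])
    print("Checksum and Path, v1 only:", matching_observations(strict))
    strict["checksums"].add(checksum(V2))   # second checksum for the new version
    print("Checksum and Path, v1 and v2:", matching_observations(strict))
```

Run against the constructed observations, Filename identifies all three copies, Path identifies both versions at the installed location, Checksum alone identifies the version-1 bytes in both locations, and Checksum and Path identifies only the installed version-1 copy until the version-2 checksum is added. That last step is the operational cost of integrity-check rules: every upgrade of an enrolled file needs its checksum added before the rule recognises it again.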


Configure Names and General Settings

The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.

Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.

To specify the name and general settings

1. Enter the name and description for the rule.


2. Click Next to move to the next page.

Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.

Configure Application Identification

The Proactive Protection policies of the CA Total Defense product include several
application lists. These lists include the Application White list, the Application
Black list, the Applications with Internet Access list, and several others. You can
enroll new applications to these lists. For example, if your company supports a
certain web browser, you would enroll that application in the Applications with
Internet Access list. Though the lists vary, the process for enrolling new
applications is the same.

When using checksums, the checksum-related options are used for integrity
check rules. To use an integrity check on an application, you must enroll the
application using one of the checksum options. When using checksums, you
must copy the file to the Management Console server in the directory
WebServices\Checksum, then calculate the checksum. You can also add multiple
checksums, as necessary. This must be done if there are multiple versions of the
same file, since each version has a different checksum.

To enroll a new application

1. Click New, and select Enroll New Application from the drop-down menu.

The Enroll New Application window opens to the Name and General Settings
pane.

2. Enter the name and description for the application and click Next.

The Application Identification pane opens.


3. Specify one of the following options to indicate how to identify the
application, and provide details for that option, when applicable:

Path

Use this option to specify the path to the application executable. Use this
option if you know the path is constant.

Filename

Use this option to specify the filename of the application.

Checksum

Use this option to enroll applications based on their checksum. You must
copy the file to the Management Console server in the directory
WebServices\Checksum, then calculate the checksum. You can add
multiple checksums if you have multiple versions of the same file, since each
version has a different checksum.

Checksum and Path

Use this option to enroll the application based on both path and
checksum.

Checksum and Filename

Use this option to enroll the application based on both checksum and
filename.

Signed by Certificate in Trusted Store

Use this option to enroll the application based on a signed certificate
located in the trusted store.

Signed by Certificate in Trusted Store and Path

Use this option to enroll the application based on both certificate and
path.

Signed by Certificate in Trusted Store and Filename

Use this option to enroll the application based on both certificate and
filename.


Signed by Known Certificate

Use this option to enroll the application based on a Known Certificate.
You must specify the location of the certificate and select the certificate
definition. You can create a certificate definition using Application
Control advanced configuration options.

Signed by Known Certificate and Path

Use this option to enroll the application based on a Known Certificate and
path.

Signed by Known Certificate and Filename

Use this option to enroll the application based on a Known Certificate and
filename.

4. Click Next.

The Associated Group pane opens.

5. Enable the Associated group option, if applicable, and specify which
associated group is used.

You can use Associated groups if the application you enroll creates another
application. The Associated Group specifies an application group in which the
created application is enrolled.

These groups are especially useful in installations, since you can have any
files installed by an installer enrolled in the associated group.

6. Click Next.

The Identity Redirection pane opens.

7. Highlight any applicable Identity Redirection, use the double arrows to move
the redirection to the correct list, and click Next.

The Add Application to Application Groups pane opens.

8. Highlight any applicable application group and use the double arrows to
move the group to the correct list.

9. Click Save to save your changes.

Your changes are saved, and the Enroll New Application page closes.

Specify Associated Groups

The Proactive Protection policies of the CA Total Defense product include several
application lists. These lists include the Application White list, the Application
Black list, the Applications with Internet Access list, and several others. You can
enroll new applications to these lists. For example, if your company supports a
certain web browser, you would enroll that application in the Applications with
Internet Access list. Though the lists vary, the process for enrolling new
applications is the same.


When using checksums, the checksum-related options are used for integrity
check rules. To use an integrity check on an application, you must enroll the
application using one of the checksum options. When using checksums, you
must copy the file to the Management Console server in the directory
WebServices\Checksum, then calculate the checksum. You can also add multiple
checksums, as necessary. This must be done if there are multiple versions of the
same file, since each version has a different checksum.

To enroll a new application

1. Click New, and select Enroll New Application from the drop-down menu.

The Enroll New Application window opens to the Name and General Settings
pane.

2. Enter the name and description for the application and click Next.

The Application Identification pane opens.

3. Specify one of the following options to indicate how to identify the
application, and provide details for that option, when applicable:

Path

Use this option to specify the path to the application executable. Use this
option if you know the path is constant.

Filename

Use this option to specify the filename of the application.

Checksum

Use this option to enroll applications based on their checksum. You must
copy the file to the Management Console server in the directory
WebServices\Checksum, then calculate the checksum. You can add
multiple checksums if you have multiple versions of the same file, since each
version has a different checksum.

Checksum and Path

Use this option to enroll the application based on both path and
checksum.

Checksum and Filename

Use this option to enroll the application based on both checksum and
filename.

Signed by Certificate in Trusted Store

Use this option to enroll the application based on a signed certificate
located in the trusted store.

Signed by Certificate in Trusted Store and Path

Use this option to enroll the application based on both certificate and
path.


Signed by Certificate in Trusted Store and Filename

Use this option to enroll the application based on both certificate and
filename.

Signed by Known Certificate

Use this option to enroll the application based on a Known Certificate.
You must specify the location of the certificate and select the certificate
definition. You can create a certificate definition using Application
Control advanced configuration options.

Signed by Known Certificate and Path

Use this option to enroll the application based on a Known Certificate and
path.

Signed by Known Certificate and Filename

Use this option to enroll the application based on a Known Certificate and
filename.

4. Click Next.

The Associated Group pane opens.

5. Enable the Associated group option, if applicable, and specify which
associated group is used.

You can use Associated groups if the application you enroll creates another
application. The Associated Group specifies an application group in which the
created application is enrolled.

These groups are especially useful in installations, since you can have any
files installed by an installer enrolled in the associated group.

6. Click Next.

The Identity Redirection pane opens.

7. Highlight any applicable Identity Redirection, use the double arrows to move
the redirection to the correct list, and click Next.

The Add Application to Application Groups pane opens.

8. Highlight any applicable application group and use the double arrows to
move the group to the correct list.

9. Click Save to save your changes.

Your changes are saved, and the Enroll New Application page closes.


Specify Identity Redirections

Some applications serve as surrogates for other code. The purpose of Identity
Redirection is to correctly handle situations where one executable interprets
other files.

For example, without Identity Redirection all *.msi installation packages would
be treated the same because the msiexec.exe application is installing them all.
All *.vbs and *.js script files are treated the same as they are interpreted by the
wscript.exe process.

The Identity Redirections page lets you specify whether an application is run
through one of the identity redirections.

To specify the identity redirection

1. Highlight any applicable Identity Redirection and use the double arrows to
move the redirection to the correct list.
2. Click Next to move to the next page. Click Save to save your changes.

Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.

More information:

Enroll New Applications (see page 458)
Enroll New DLL Modules (see page 339)
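The Identity Redirection section above explains that without redirection every package run by msiexec.exe, and every script run by wscript.exe, would carry the identity of the interpreter rather than of the file being interpreted. The following is an added example (not code from the guide or from the product) that derives the effective identity of a process from its command line using exactly the two interpreters the guide names. The redirection table layout, the command-line parsing and the helper names are assumptions of this example; the product's own redirection definitions are configured in the console, not in code.

```python
import shlex
from pathlib import PureWindowsPath

# Interpreter executable -> extensions of the files it interprets. The two
# entries are the guide's own examples; add further interpreters as needed.
REDIRECTIONS = {
    "msiexec.exe": (".msi",),
    "wscript.exe": (".vbs", ".js"),
}


def split_windows_cmdline(cmdline):
    """Tokenise a Windows command line. Non-POSIX mode keeps backslashes
    untouched and honours double quotes; the quotes are then stripped."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def effective_identity(cmdline):
    """Return the path that identifies the process for policy purposes:
    the interpreted file when the executable is a known interpreter,
    otherwise the executable itself."""
    argv = split_windows_cmdline(cmdline)
    exe = argv[0]
    extensions = REDIRECTIONS.get(PureWindowsPath(exe).name.lower())
    if extensions is None:
        return exe                      # ordinary program: it is its own identity
    for arg in argv[1:]:
        if PureWindowsPath(arg).suffix.lower() in extensions:
            return arg                  # identity redirected to the interpreted file
    return exe                          # interpreter started without a recognised file


def distinct_identities(cmdlines, redirect=True):
    """Distinct identities seen in a batch of launches, with or without
    redirection, to show what the feature changes."""
    if redirect:
        return sorted({effective_identity(c) for c in cmdlines})
    return sorted({split_windows_cmdline(c)[0] for c in cmdlines})


# Constructed launches: two different packages, one script, one plain program.
SAMPLE_LAUNCHES = [
    r'msiexec.exe /i "C:\temp\setup.msi" /qn',
    r'msiexec.exe /i "C:\temp\other-tool.msi" /qn',
    r'C:\Windows\System32\wscript.exe C:\scripts\logon.vbs',
    r'"C:\Program Files\Browser\browser.exe" --new-window',
]

if __name__ == "__main__":
    print("without redirection:", distinct_identities(SAMPLE_LAUNCHES, redirect=False))
    print("with redirection:   ", distinct_identities(SAMPLE_LAUNCHES))
```

On the constructed launches the two package installs collapse to a single msiexec.exe identity without redirection and become two distinct identities with it, which is what lets a rule allow one installer while denying another.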

Add Application to Application Groups

The Proactive Protection policies of the CA Total Defense product include several
application lists. These lists include the Application White list, the Application
Black list, the Applications with Internet Access list, and several others. You can
enroll new applications to these lists. For example, if your company supports a
certain web browser, you would enroll that application in the Applications with
Internet Access list. Though the lists vary, the process for enrolling new
applications is the same.


When using checksums, the checksum-related options are used for integrity
check rules. To use an integrity check on an application, you must enroll the
application using one of the checksum options. When using checksums, you
must copy the file to the Management Console server in the directory
WebServices\Checksum, then calculate the checksum. You can also add multiple
checksums, as necessary. This must be done if there are multiple versions of the
same file, since each version has a different checksum.

To enroll a new application

1. Click New, and select Enroll New Application from the drop-down menu.

The Enroll New Application window opens to the Name and General Settings
pane.

2. Enter the name and description for the application and click Next.

The Application Identification pane opens.

3. Specify one of the following options to indicate how to identify the
application, and provide details for that option, when applicable:

Path

Use this option to specify the path to the application executable. Use this
option if you know the path is constant.

Filename

Use this option to specify the filename of the application.

Checksum

Use this option to enroll applications based on their checksum. You must
copy the file to the Management Console server in the directory
WebServices\Checksum, then calculate the checksum. You can add
multiple checksums if you have multiple versions of the same file, since each
version has a different checksum.

Checksum and Path

Use this option to enroll the application based on both path and
checksum.

Checksum and Filename

Use this option to enroll the application based on both checksum and
filename.

Signed by Certificate in Trusted Store

Use this option to enroll the application based on a signed certificate
located in the trusted store.

Signed by Certificate in Trusted Store and Path

Use this option to enroll the application based on both certificate and
path.


Signed by Certificate in Trusted Store and Filename

Use this option to enroll the application based on both certificate and
filename.

Signed by Known Certificate

Use this option to enroll the application based on a Known Certificate.
You must specify the location of the certificate and select the certificate
definition. You can create a certificate definition using Application
Control advanced configuration options.

Signed by Known Certificate and Path

Use this option to enroll the application based on a Known Certificate and
path.

Signed by Known Certificate and Filename

Use this option to enroll the application based on a Known Certificate and
filename.

4. Click Next.

The Associated Group pane opens.

5. Enable the Associated group option, if applicable, and specify which
associated group is used.

You can use Associated groups if the application you enroll creates another
application. The Associated Group specifies an application group in which the
created application is enrolled.

These groups are especially useful in installations, since you can have any
files installed by an installer enrolled in the associated group.

6. Click Next.

The Identity Redirection pane opens.

7. Highlight any applicable Identity Redirection, use the double arrows to move
the redirection to the correct list, and click Next.

The Add Application to Application Groups pane opens.

8. Highlight any applicable application group and use the double arrows to
move the group to the correct list.

9. Click Save to save your changes.

Your changes are saved, and the Enroll New Application page closes.


Enroll New Application Subgroup

In addition to enrolling applications, you can create application groups.
Application groups are a way to group similar applications so you can create rules
for those applications.

For example, you can create an application group for instant messenger
applications. You can then limit these applications using certain rules without
adding a new rule for each new instant messenger application. Simply create one
rule for the instant messenger application group and add applications to that
group as necessary.

To create a new application group

1. Click New and select Enroll New Application Group from the drop-down
menu.

The Enroll New Application window opens to the Name and General Settings
pane.

2. Enter the name and description for the application group and click Next.

The Add Applications to Application Group pane opens.

3. Highlight the applications to add to the group and use the double arrows to
move the application to the correct list.

4. Click Next.

The Add Application Groups as Subgroups pane opens.

Note: Not all Enroll New Application Groups pages include the Add
Application Groups as Subgroups pane.

5. Highlight the application subgroup to add to the group and use the double
arrows to move the application subgroup to the correct list.

6. Click Save to save your changes and close the Enroll New Application Group
Page.

Alternatively, click Back to return to the previous page, click Discard to
remove any changes you made, or click Close to close the page without
saving changes.
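The value of application groups, as the instant messenger example above describes, is that one rule written against the group covers every application later added to it, and subgroups extend that to nested groups. The following is an added example (not code from the guide or from the product) that resolves group membership through subgroups so you can answer "which rules apply to this application" and "which applications does this group rule reach". The group names, the dictionary layout and the helper names are constructed for the example; the cycle guard is an assumption, since the guide does not say whether the console prevents a group from including itself indirectly.

```python
# Constructed application groups. Each group lists the applications enrolled
# in it directly and the groups it includes as subgroups.
GROUPS = {
    "Instant Messengers": {"apps": {"chat-a", "chat-b"}, "subgroups": set()},
    "Internet Clients":   {"apps": {"browser"}, "subgroups": {"Instant Messengers"}},
    "All Networked":      {"apps": set(), "subgroups": {"Internet Clients"}},
    "Admin Tools":        {"apps": {"remote-admin"}, "subgroups": set()},
}


def members(groups, name, _seen=None):
    """Applications reached by a rule on `name`, including those enrolled in
    subgroups at any depth. A visited set guards against subgroup cycles."""
    seen = set() if _seen is None else _seen
    if name in seen:
        return set()
    seen.add(name)
    group = groups[name]
    apps = set(group["apps"])
    for sub in group["subgroups"]:
        apps |= members(groups, sub, seen)
    return apps


def groups_containing(groups, app):
    """Every group whose rules apply to `app`, directly or via a subgroup."""
    return {name for name in groups if app in members(groups, name)}


def add_application(groups, name, app):
    """Mirror of adding an application to an existing group: the rule on the
    group (and on every group that includes it) now covers the new app too."""
    groups[name]["apps"].add(app)
    return groups_containing(groups, app)


if __name__ == "__main__":
    print("All Networked reaches:", sorted(members(GROUPS, "All Networked")))
    print("rules applying to chat-a:", sorted(groups_containing(GROUPS, "chat-a")))
    print("after adding chat-c:", sorted(add_application(GROUPS, "Instant Messengers", "chat-c")))
```

Resolving membership this way before saving a rule is a useful review step: a broad subgroup placed under a permissive group silently grants that permission to everything the subgroup contains.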

Configure Names and General Settings

The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.

Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.


To specify the name and general settings

1. Enter the name and description for the rule.

2. Click Next to move to the next page.

Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.

Add Applications to Application Groups

When creating an application group you must add applications to that group. The
Add Applications to Application Group page lets you add these applications to the
group.

To add applications to an application group

1. Highlight the applications to add to the group and use the double arrows to
move the application to the correct list.
2. Click Save to save your changes.

Your changes are saved, and the Enroll New Application Group pages close.
Click Back to return to the previous page. Click Next to move to the next
page. Click Discard to remove any changes you made. Click Close to close
the page without saving changes.


Enroll Unknown Applications

Unknown applications are applications found on an endpoint that are not
enrolled. When an unknown application is started on an endpoint, an event is
generated and sent to the event server. The event server stores the list of
unknown applications on the management server, letting you enroll these
unknown applications.

To enroll an unknown application

1. Click Enroll Unknown Applications.

The Enroll Unknown Applications window opens to the Select Unknown
Applications to Enroll pane.

2. Select how the unknown application is identified.

The application can be identified by one of the following options:

Path

Identify the application by the path to the application.

Filename

Identify the application based on the application filename.

Checksum

Identify the application based on its checksum.

Checksum and Path

Identify the application based on both path and checksum.

Checksum and Filename

Identify the application based on both checksum and filename.

Signed by Certificate in Trusted Store

Identify the application based on a signed certificate located in the
trusted store.

Signed by Certificate in Trusted Store and Path

Identify the application based on both certificate and path.

Signed by Certificate in Trusted Store and Filename

Identify the application based on both certificate and filename.

3. Highlight the available unknown applications to enroll and use the double
arrows to move the application to the correct list.

4. Click Next.

The Add Applications to Application Groups pane opens.


5. Highlight the groups in which to enroll the unknown applications selected on
the first page and use the double arrows to move the group to the correct
list.

6. Click Save to save your changes and close the Enroll Unknown Applications
Page.

Alternatively, click Back to return to the previous page, click Discard to
remove any changes you made, or click Close to close the page without
saving changes.
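The list the console offers in the Select Unknown Applications to Enroll pane is built from the events endpoints send when an unenrolled application starts, and the identification option chosen in step 2 decides which of those events count as the same application. The following is an added example (not code from the guide or from the product) that parses a few constructed unknown-application events and collapses them under each identification option, showing how the choice changes both the number of candidates and the endpoints attributed to each. The event line format, the field names and the digests are all constructed for this example; the product's real event layout is not shown in the guide.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed unknown-application events (format assumed for this example).
EVENTS = r"""
2024-01-08T10:31:02Z endpoint=WS-017 path="C:\Users\alice\AppData\Local\Temp\tool.exe" sha256=aaaa1111
2024-01-08T10:35:40Z endpoint=WS-042 path="C:\Users\bob\Downloads\tool.exe" sha256=aaaa1111
2024-01-08T11:02:13Z endpoint=WS-017 path="C:\Users\alice\AppData\Local\Temp\tool.exe" sha256=aaaa1111
2024-01-08T11:15:55Z endpoint=WS-099 path="C:\Users\bob\Downloads\tool.exe" sha256=bbbb2222
2024-01-08T11:20:07Z endpoint=WS-017 path="C:\Program Files\Vendor\agent.exe" sha256=cccc3333
"""

LINE = re.compile(r'^(\S+) endpoint=(\S+) path="([^"]+)" sha256=(\S+)$')


def parse_events(text):
    """Turn the constructed log text into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE.match(line.strip())
        if not match:
            continue
        timestamp, endpoint, path, digest = match.groups()
        events.append({"ts": timestamp, "endpoint": endpoint, "path": path, "sha256": digest})
    return events


def identity_key(event, option):
    """Key under which two events are 'the same application' for an option.
    Paths and filenames are compared case-insensitively (Windows semantics)."""
    path = PureWindowsPath(event["path"])
    keys = {
        "Path": (str(path).lower(),),
        "Filename": (path.name.lower(),),
        "Checksum": (event["sha256"],),
        "Checksum and Path": (event["sha256"], str(path).lower()),
        "Checksum and Filename": (event["sha256"], path.name.lower()),
    }
    return keys[option]


def unknown_applications(events, option):
    """Collapse the event stream to the distinct unknown applications under
    the chosen option, each with the set of endpoints that started it."""
    candidates = defaultdict(set)
    for event in events:
        candidates[identity_key(event, option)].add(event["endpoint"])
    return dict(candidates)


def most_widespread(events, option):
    """Candidates ordered by how many endpoints ran them, most first."""
    ranked = unknown_applications(events, option).items()
    return [(key, len(eps)) for key, eps in sorted(ranked, key=lambda kv: (-len(kv[1]), kv[0]))]


if __name__ == "__main__":
    parsed = parse_events(EVENTS)
    for option in ("Filename", "Checksum", "Checksum and Path"):
        print(option, "->", most_widespread(parsed, option))
```

With the constructed events, Filename reports one tool.exe on three endpoints, Checksum separates the two builds of it, and Checksum and Path further separates the two locations; the prevalence ordering is what you would review before deciding which candidates to enroll and into which group.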

Select Unknown Applications to Enroll

Unknown applications are applications found on an endpoint that are not
enrolled. When an unknown application is started on an endpoint, an event is
generated and sent to the event server. The event server stores the list of
unknown applications on the management server, letting you enroll these
unknown applications.

To enroll an unknown application

1. Click Enroll Unknown Applications.

The Enroll Unknown Applications window opens to the Select Unknown
Applications to Enroll pane.

2. Select how the unknown application is identified.

The application can be identified by one of the following options:

Path

Identify the application by the path to the application.

Filename

Identify the application based on the application filename.

Checksum

Identify the application based on its checksum.

Checksum and Path

Identify the application based on both path and checksum.

Checksum and Filename

Identify the application based on both checksum and filename.


Signed by Certificate in Trusted Store

Identify the application based on a signed certificate located in the
trusted store.

Signed by Certificate in Trusted Store and Path

Identify the application based on both certificate and path.

Signed by Certificate in Trusted Store and Filename

Identify the application based on both certificate and filename.

3. Highlight the available unknown applications to enroll and use the double
arrows to move the application to the correct list.

4. Click Next.

The Add Applications to Application Groups pane opens.

5. Highlight the groups in which to enroll the unknown applications selected on
the first page and use the double arrows to move the group to the correct
list.

6. Click Save to save your changes and close the Enroll Unknown Applications
Page.

Alternatively, click Back to return to the previous page, click Discard to remove
any changes you made, or click Close to close the page without saving changes.


Add Applications to Application Groups

Unknown applications are applications found on an endpoint that are not
enrolled. When an unknown application is started on an endpoint, an event is
generated and sent to the event server. The event server stores the list of
unknown applications on the management server, letting you enroll these
unknown applications.

To enroll an unknown application

1. Click Enroll Unknown Applications.

The Enroll Unknown Applications window opens to the Select Unknown
Applications to Enroll pane.

2. Select how the unknown application is identified.

The application can be identified by one of the following options:

Path

Identify the application by the path to the application.

Filename

Identify the application based on the application filename.

Checksum

Identify the application based on its checksum.

Checksum and Path

Identify the application based on both path and checksum.

Checksum and Filename

Identify the application based on both checksum and filename.

Signed by Certificate in Trusted Store

Identify the application based on a signed certificate located in the
trusted store.

Signed by Certificate in Trusted Store and Path

Identify the application based on both certificate and path.

Signed by Certificate in Trusted Store and Filename

Identify the application based on both certificate and filename.

3. Highlight the available unknown applications to enroll and use the double
arrows to move the application to the correct list.

4. Click Next.

The Add Applications to Application Groups pane opens.


5. Highlight the groups in which to enroll the unknown applications selected on
the first page and use the double arrows to move the group to the correct
list.

6. Click Save to save your changes and close the Enroll Unknown Applications
Page.

Alternatively, click Back to return to the previous page, click Discard to remove
any changes you made, or click Close to close the page without saving changes.

Enroll Multiple Applications

If necessary, you can enroll multiple applications at one time. When enrolling
multiple applications, all the applications must share the same identification
method.

To enroll multiple applications

1. Click Enroll Multiple Applications.

The Enroll Multiple Applications window opens to the Select Multiple
Applications to Enroll pane.

2. Select how the applications are identified.

The applications can be identified by one of the following options:

Path

Identify applications by the path to the applications.

Filename

Identify applications based on the individual application's filename.

Checksum

Identify applications based on their checksum.

Checksum and Path

Identify applications based on both path and checksum.

Checksum and Filename

Identify applications based on both checksum and filename.

Signed by Certificate in Trusted Store

Identify applications based upon a signed certificate located in the
trusted store.

Signed by Certificate in Trusted Store and Path

Identify applications based on both certificate and path.

Signed by Certificate in Trusted Store and Filename

Identify applications based on both certificate and filename.


3. Provide the path, if applicable.

You must provide the path if you are identifying the applications by path in
any manner. Otherwise, you can leave this field blank.

4. Click Add, browse to the applications location, select the application and click
Open to add the multiple applications to enroll.

If you are selecting applications based on checksum, the files must reside on
the server so the proper checksum can be calculated.

5. Add the multiple applications and click Next.

The Add Applications to Application Groups pane opens.

6. Highlight the groups in which to enroll the applications selected on the first
page and use the double arrows to move the group to the correct list.

7. Click Save to save your changes.

Your changes are saved, and the Enroll Multiple Applications page closes.
Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the page without saving changes.

Select Multiple Applications to Enroll

If necessary, you can enroll multiple applications at one time. When enrolling
multiple applications, all the applications must share the same identification
method.

To enroll multiple applications

1. Click Enroll Multiple Applications.

The Enroll Multiple Applications window opens to the Select Multiple
Applications to Enroll pane.

2. Select how the applications are identified.

The applications can be identified by one of the following options:

Path

Identify applications by the path to the applications.

Filename

Identify applications based on the individual application's filename.

Checksum

Identify applications based on their checksum.

Checksum and Path

Identify applications based on both path and checksum.

Checksum and Filename

Identify applications based on both checksum and filename.


Signed by Certificate in Trusted Store

Identify applications based upon a signed certificate located in the
trusted store.

Signed by Certificate in Trusted Store and Path

Identify applications based on both certificate and path.

Signed by Certificate in Trusted Store and Filename

Identify applications based on both certificate and filename.

3. Provide the path, if applicable.

You must provide the path if you are identifying the applications by path in
any manner. Otherwise, you can leave this field blank.

4. Click Add, browse to the applications location, select the application and click
Open to add the multiple applications to enroll.

If you are selecting applications based on checksum, the files must reside on
the server so the proper checksum can be calculated.

5. Add the multiple applications and click Next.

The Add Applications to Application Groups pane opens.

6. Highlight the groups in which to enroll the applications selected on the first
page and use the double arrows to move the group to the correct list.

7. Click Save to save your changes.

Your changes are saved, and the Enroll Multiple Applications page closes. Click
Back to return to the previous page. Click Discard to remove any changes you
made. Click Close to close the page without saving changes.


Add Applications to Application Groups

Unknown applications are applications found on an endpoint that are not
enrolled. When an unknown application is started on an endpoint, an event is
generated and sent to the event server. The event server stores the list of
unknown applications on the management server, letting you enroll these
unknown applications.

To enroll an unknown application

1. Click Enroll Unknown Applications.

The Enroll Unknown Applications window opens to the Select Unknown
Applications to Enroll pane.

2. Select how the unknown application is identified.

The application can be identified by one of the following options:

Path
Identify the application by the path to the application.

Filename
Identify the application based on the application filename.

Checksum
Identify the application based on its checksum.

Checksum and Path
Identify the application based on both path and checksum.

Checksum and Filename
Identify the application based on both checksum and filename.

Signed by Certificate in Trusted Store
Identify the application based on a signed certificate located in the
trusted store.

Signed by Certificate in Trusted Store and Path
Identify the application based on both certificate and path.

Signed by Certificate in Trusted Store and Filename
Identify the application based on both certificate and filename.

3. Highlight the available unknown applications to enroll and use the double
arrows to move the application to the correct list.

4. Click Next.

The Add Applications to Application Groups pane opens.

5. Highlight the groups in which to enroll the unknown applications selected on
the first page and use the double arrows to move the group to the correct
list.

6. Click Save to save your changes and close the Enroll Unknown Applications
Page.

Alternatively, click Back to return to the previous page, click Discard to remove
any changes you made, or click Close to close the page without saving changes.

Create Groupware Policies

The Groupware policies let you control the Client Groupware scanner. The
Groupware scanner is placed on your email or groupware servers and is
responsible for checking groupware for malware. You do not need to use all of
the Groupware policies. For example, if your company does not use a NetApp
server, you do not need to configure a NetApp Real-time policy. Groupware
policies include the following:

MS Exchange Real-time Policies
The MS Exchange Real-time policies let you control the settings of the MS
Exchange real-time Groupware scanner. This scanner protects your MS
Exchange email server.

MS Exchange Schedule Scan Policies
The MS Exchange Schedule Scan policy lets you schedule when the Client
scans the email server. You can schedule when the scans occur, if the scans
are reoccurring, what is scanned, and any time limitations on the scan.

Lotus Domino Real-time Policies
The Lotus Domino Real-time policies let you control the settings of the Lotus
Domino real-time Groupware scanner. This scanner protects your Lotus
Domino email server.

Lotus Domino Schedule Scan Policies
The Lotus Domino Schedule Scan policies let you schedule when the Client
scans the email server. You can schedule when the scans occur, if the scans
are reoccurring, what is scanned, and any time limitations on the scan.

MS SharePoint Real-time Policies
The MS SharePoint Real-time policies let you control the settings of the MS
SharePoint real-time Groupware scanner. This scanner protects your MS
SharePoint content management server.


MS SharePoint Schedule Scan Policies
The MS SharePoint Schedule Scan policies let you schedule when the Client
scans the server. You can schedule when the scans occur, if the scans are
reoccurring, what is scanned, and any time limitations on the scan.

NetApp Real-time Policies
The NetApp Real-time policies let you control the settings of the NetApp
real-time Groupware scanner. This scanner protects your NetApp Filer.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Create MS Exchange Real-time Policies

The MS Exchange Real-time policy lets you control the settings of the MS
Exchange real-time Groupware scanner. This scanner protects your MS
Exchange email server.

To create an MS Exchange Real-time Policy

1. Configure the Name and General Settings. (see page 481)

These settings include naming and describing the policy, locking the policy
settings, and indicating whether this is the default policy.

2. Configure the Scan Options.

These options let you control how the scanner functions. You can set options
such as whether the quarantine feature is enabled, or the action to take if the
scanner cannot clean an infection.

3. Configure the Scan Filter. (see page 485)

These options let you limit the scope of the scanner. You can ensure that
specific files are either included or excluded from the scan.

4. Configure the Mail Options. (see page 486)

These options let you determine if the scanner checks the body of emails for
malware, set the scan timeout duration, and whether to use proactive
scanning.

5. Configure the Notifications. (see page 487)

These options let you specify who is notified when malware is found on the
MS Exchange server.


6. Configure the Pre-Scan Filters. (see page 488)

These options let you configure the pre-scan filters. These filters let you
block unwanted attachments and other filtered content.

7. Configure the Archive Options. (see page 489)

These options let you control how the Groupware scanner handles archived
files.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure MS Exchange Real-time Policy Name and General Settings

Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.

You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.

To configure the Name and General Settings

1. Click Maintain, Policies, Global Policy Definitions.

2. Click the policy category containing the policy you want to create.

The policy category opens and displays the list of policies.

3. Click the policy you want to create.

The Global Policy Definition window for that specific policy opens and
displays a list of available policies.

4. Click New.

The Name and General Settings page for the policy opens.


5. In the Policy Description pane, enter the following information:

Name
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.

Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.

6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.

Enable this option if you do not want end users to change the settings of this
policy.

Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.

7. In the Default Policy pane, choose to enable or disable the following option:

Make this policy the default for this policy type
Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.

8. (Optional) If this is a partition specific policy, the Policy Scope pane is
present. Select one of the following options:

This Policy is private to this Partition
Select this option to limit the policy to only this partition. The policy will
not appear in the list of available policies in other partitions.

Share this Policy with all Partitions
Select this option to make the policy available across all partitions.

9. Click Next to move to the next page in the policy creation process.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.


More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure MS Exchange Real-time Policy Scan Options

The Scan Options settings of an MS Exchange Real-time policy let you specify the
options for the MS Exchange Real-time Groupware scanner. These options
include specifying the secondary cleaning action, whether the Quarantine is
enabled, and how many threads are devoted to scanning.

To configure the Scan Options settings

1. Open the Scan Options page by either clicking Next on the General Policy
Settings page of the MS Exchange Real-time Policy, or by clicking the Scan
Options link in the Steps to Create Policy pane.

2. Select the Enable Protection option. You must select this option if you want
real-time protection for your MS Exchange server.

3. In the Options pane, you can set the following options:

Quarantine
Enable or disable the quarantine for the Exchange email server. Enabling
the quarantine means that infected emails are first moved to the
quarantine before any cleaning attempts are made.

Secondary Clean Action
Set the secondary cleaning action taken by the email scanner. If the
initial cleaning attempt fails, the scanner can either attempt to delete the
infected email, or leave the infected email untouched.

Scan Error Action
Set the cleaning action taken by the email scanner if the scanner
encounters an error when attempting to clean an infected email. If the
initial cleaning attempt fails, the scanner can either attempt to delete the
infected email, or leave the infected email untouched.

Scan Mode
Use the drop-down menu to select one of the following scan mode
options:
■ Normal: Select this option to run the scanner in the normal, default
mode.
■ Deep: Select this mode to have the scanner perform additional
low-level scanning. Selecting this option makes the scanner run
significantly slower than normal mode.


4. In the Advanced Protection pane, you can set the following options:

Heuristic Scanning
Enable or disable heuristic scanning. Enabling heuristic scanning lets the
email scanner search for infections using alternative methods in addition
to the regular scanning methods. These alternative methods require
more time for the scan to complete, but help to ensure all infections are
located. Disabling Heuristic Scanning speeds up the scanning process,
but might not catch all infections.

Scanning Threads
Specify the number of threads in the global thread pool. Note that when
you increase the number of scanning threads, you can adversely affect
the performance of your system.

5. Click Next to continue creating the MS Exchange Real-time policy.

The Scan Filter page opens.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)


Configure MS Exchange Real-time Policy Scan Filters Settings

The Scan Filters settings of an MS Exchange Real-time policy let you specify the
files you want included or excluded from the email scan. When you set these
filters, you must first specify whether to include or exclude the file, then list the
file.

To configure the Scan Filters settings

1. Open the Scan Filters page by either clicking Next on the Scan Options page
of the MS Exchange Real-time Policy, or by clicking the Scan Filter link in the
Steps to Create Policy pane.

2. For the Filter, select one of the following:

Edit Inclusion List
Select this option to edit the inclusion list. Any file found in the inclusion
list is always scanned even if the scanner would normally ignore the file
because of other options.

Edit Exclusion List
Select this option to edit the exclusion list. Any file found in the exclusion
list is always skipped during scanning. You can exclude a file if you know
that file is accessed or shared often, but poses no security risk, such as
a known signature image.

3. Specify the files for the list you selected and specify the action to take:
■ To add a file to the list, enter the file name and click Add.
■ To remove a file from the list, select the file and click Remove.
■ To edit a file name, select the file name and click Edit.

4. Click Next to continue creating the MS Exchange Real-time policy.

The Mail Options page opens.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)


Configure MS Exchange Real-time Policy Mail Options

The Mail Options settings of an MS Exchange Real-time policy let you determine
whether the scanner checks the body of emails for malware, set the scan timeout
duration, and indicate whether to use proactive scanning.

To configure the Mail Options

1. Open the Mail Options page by either clicking Next on the Scan Filter page of
the MS Exchange Real-time Policy, or by clicking the Mail Options link in the
Steps to Create Policy pane.

2. Enable Scan Message Bodies if you want the email scanner to actively scan
the bodies of emails for any malware.

3. In the Scanning Options pane, you can enable the following options:

Proactive Scanning
Select this option to allow the Exchange email scanner to proactively
scan all emails. This proactive scanning means the emails are scanned
before reaching their intended target. This ensures better protection, but
requires more processing cycles.

Exchange Background Scanning
Select this option to have the scanner run in a background mode. The
scanner still attempts to scan all emails, but has a lower priority to
prevent the scanner from slowing down the mail transmission.

Scan Timeout
Specify the timeout duration for any scanned email. If the scanner takes
longer than the specified time when scanning an email, the scanner
reports a failure due to timeout and uses the Scan Error Action you
specified in the Scan Options page of this policy.

4. Click Next to continue creating the MS Exchange Real-time policy.

The Notifications page opens.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)


Configure MS Exchange Real-time Policy Notification Settings

The Notification settings of an MS Exchange Real-time policy let you specify who
is notified when malware is found on the Exchange server. When malware is
found, a notification email is sent out to specific recipients, depending on the
options you select on this page.

To configure the Notification settings

1. Open the Notification page by either clicking Next on the Mail Options page of
the MS Exchange Real-time Policy, or by clicking the Notification link in the
Steps to Create Policy pane.

2. In the Notification pane, you can enable the following options:

Notify Mailbox Owner
The notification email is sent to the mailbox owner.

Notify Message Sender
The sender of the infected message receives the notification email.

Notify System Administrators
The system administrators receive the notification email. Enabling this
option opens the Administrators pane.

3. If you enabled Notify System Administrators, you must specify the email
address for each administrator in the Administrators pane. Enter the email
address and click Add.

To remove an email address from the list, select the address and click
Remove.

4. In the Notification pane, specify the following:

Return Address
The return address used when sending out notification emails. All replies
to the notification email are sent to the return address.

Subject
The subject line to use in notification emails.

5. Click Next to continue creating the MS Exchange Real-time policy.

The Pre-Scan Filter page opens.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.


More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure MS Exchange Real-time Policy Pre-Scan Filter Settings

The Pre-Scan Filter of an MS Exchange Real-time policy lets you configure the
pre-scan filters that let you block unwanted attachments and other content from
your network. You can use any combination of these filters. For example, you can
use the Extension Block filter to block all .zip files, but create an exception
allowing the file update.zip in the Extension Block Exemption list.

To configure the Pre-Scan Filters

1. Open the Pre-Scan Filters page by either clicking Next on the Notification
page of the MS Exchange Real-time Policy, or by clicking the Pre-Scan Filters
link in the Steps to Create Policy pane.

2. In the Pre-Scan Block pane, select a filter. You can choose from the following
options:

Extension Blocks
Use this list to block files based on the file extension. For example, you
can block all .zip files from being sent.

Extension Block Exemptions
Use this list to create exemptions to the Extension Block list. For
example, to block all .txt attachments, but allow the file update.txt, add
.txt to the Extension Block list and add the file update.txt to the
Extension Block Exemption list.

MIME Blocks
Use this list to block specific MIME types. For example, you can block
jpeg files from your Exchange email by blocking the jpeg MIME type.

Folder Exemptions
Use this list to block emails from being transferred to certain folders or
locations.


3. Specify the objects for the list you selected and select the action to take.
■ To add an object to the list, enter the object name and click Add.
■ To remove an object from the list, select the object and click Remove.
■ To edit an object name, select the object name and click Edit.

4. Click Next to continue creating the MS Exchange Real-time policy.

The Archive Options page opens.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
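As an added illustration (not CA Total Defense code), the following Python models how the Extension Block, Extension Block Exemption and MIME Block lists from the steps above combine, using the page's own examples (.zip and .txt blocked, update.zip and update.txt exempted, the jpeg MIME type blocked). The matching rules it assumes are that extensions compare case-insensitively, an exemption matches the exact attachment name, and a MIME block is never overridden by an extension exemption.

```python
from __future__ import annotations

from dataclasses import dataclass, field


def _basename(path: str) -> str:
    """Strip any directory component (either separator) and lower-case the name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _extension(basename: str) -> str:
    """Return the last extension including the dot ('.zip'), or '' if there is none."""
    return "." + basename.rsplit(".", 1)[1] if "." in basename else ""


@dataclass
class PreScanFilter:
    """Block, exemption and MIME lists, normalised once so matching is case-insensitive."""
    extension_blocks: set[str] = field(default_factory=set)
    extension_exemptions: set[str] = field(default_factory=set)
    mime_blocks: set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        # Accept both 'zip' and '.zip' in the block list; store as '.zip'.
        self.extension_blocks = {
            e.lower() if e.startswith(".") else "." + e.lower() for e in self.extension_blocks
        }
        self.extension_exemptions = {_basename(n) for n in self.extension_exemptions}
        self.mime_blocks = {m.lower() for m in self.mime_blocks}

    def decide(self, filename: str, mime_type: str) -> tuple[str, str]:
        """Return ('block' | 'allow', reason) for one attachment.

        MIME blocks are checked first and are not overridden by an extension
        exemption (assumption), so a renamed file cannot slip through on the
        strength of an exempted name alone.
        """
        base = _basename(filename)
        mime = mime_type.split(";", 1)[0].strip().lower()  # drop '; charset=...'
        if mime in self.mime_blocks:
            return "block", f"MIME type {mime} is on the MIME Block list"
        ext = _extension(base)
        if ext in self.extension_blocks:
            if base in self.extension_exemptions:
                return "allow", f"{base} is on the Extension Block Exemption list"
            return "block", f"extension {ext} is on the Extension Block list"
        return "allow", "no pre-scan filter matched"

    def filter_attachments(self, attachments: list[tuple[str, str]]) -> dict[str, list[str]]:
        """Partition (filename, mime_type) pairs into blocked and allowed names."""
        out: dict[str, list[str]] = {"blocked": [], "allowed": []}
        for name, mime in attachments:
            verdict, _ = self.decide(name, mime)
            out["blocked" if verdict == "block" else "allowed"].append(name)
        return out


def example_filter() -> PreScanFilter:
    """Filter built from the examples in the text: block .zip and .txt, exempt
    update.zip and update.txt, and block the jpeg MIME type."""
    return PreScanFilter(
        extension_blocks={".zip", "txt"},
        extension_exemptions={"update.zip", "update.txt"},
        mime_blocks={"image/jpeg"},
    )


if __name__ == "__main__":
    f = example_filter()
    # Constructed attachment list, not taken from any real message.
    sample = [("update.zip", "application/zip"), ("Report.ZIP", "application/zip"),
              ("photo.jpg", "image/jpeg"), ("notes.txt", "text/plain; charset=utf-8"),
              ("update.txt", "text/plain"), ("update.zip", "image/jpeg")]
    for name, mime in sample:
        print(f"{name:12} {mime:28} ->", *f.decide(name, mime))
```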

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure MS Exchange Real-time Policy Archive Options

The Archive Options of an MS Exchange Real-time policy lets you configure how
the scan handles archives such as .zip and .rar files.

To configure the Archive Options

1. Open the Archive Options page by either clicking Next on the Pre-Scan Filter
page of the MS Exchange Real-time Policy, or by clicking the Archive Options
link in the Steps to Create Policy pane.

2. Enable the Scan Archives option.

You must enable this option to customize this feature in the policy.

3. In the Archive Type pane, enable the archive types you want the Client to
scan.

For example, if you want the Client to scan zip files, enable the ZIP archive
row.


4. In the Settings pane, you can enable the following options:

Delete encrypted archives
Enable this option to have the scanner remove all encrypted archived
files. Encrypted archive files cannot be scanned and can pose a danger to
your network.

Stop scanning on first infection
Enable this option to have the Client stop scanning an archive file if an
infection is found. If you do not enable this option, the Client continues
to scan archives after finding an infected item. Enabling this option stops
the Client from spending time scanning a known infection, but the Client
cannot find any additional infections in the file if they are present.
You should enable this option if you automatically delete infected files. If
you clean infected files, you may want to scan the entire archive to find
all possible infections.

5. In the Settings pane, enter the following values:

Maximum Nested Level
Enter the maximum number of nested levels the Client scans. A nested
archive is an archive file stored within another archive file.

For example, if you added the file example.zip to an existing archive, the
file example.zip would be nested at level one. If you set the Maximum
Nested Level to zero, the Client would not scan the example.zip file or its
contents. Any file in the archive nested at a level higher than the value
you set is ignored and viewed as clean. All files nested at levels lower
than the level you set are scanned.

Maximum Compression Ratio
Enter the maximum compression ratio of the file the Client scans. The
compression ratio is the ratio of the initial size of the file compared to the
final compressed size of the file. Scanning files with a high compression
ratio slows down the scanning process, but provides better protection.
However, some malware hides as files with large compression ratios,
and trying to extract such files for scanning can slow down or freeze your
computer.

Maximum Uncompressed File Size
Enter the maximum uncompressed size of a file. The Client does not scan
any file in an archive that, when extracted, is larger than this limit.
Setting a high value prevents the Client from scanning archived files that
expand too much and slow down or freeze your computer. However,
these large archives can still contain malware and lead to vulnerability.

6. Click Save to save your changes and return to the Global Policy Definitions
page.

Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.
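The following Python is an added example, not CA Total Defense code, of how the Maximum Nested Level, Maximum Compression Ratio, Maximum Uncompressed File Size and Stop scanning on first infection settings interact when an archive attachment is walked: every limit is checked from the member header before anything is inflated, and members beyond a limit are treated as clean exactly as the text describes. It assumes ZIP-only handling, a constructed byte marker standing in for a malware signature, and a constructed three-level sample archive.

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass, field

# Constructed stand-in for a malware signature; it is not a real detection pattern.
TEST_MARKER = b"CONSTRUCTED-INFECTION-MARKER"


@dataclass
class ArchiveOptions:
    """The Settings pane values, with constructed defaults."""
    max_nested_level: int = 1
    max_compression_ratio: float = 100.0
    max_uncompressed_size: int = 10 * 1024 * 1024   # bytes
    stop_on_first_infection: bool = True
    delete_encrypted_archives: bool = True


@dataclass
class ScanResult:
    scanned: list[str] = field(default_factory=list)       # members whose bytes were inspected
    infected: list[str] = field(default_factory=list)
    skipped: dict[str, str] = field(default_factory=dict)  # member -> reason; treated as clean
    delete: list[str] = field(default_factory=list)        # encrypted members flagged for removal


def scan_archive(data: bytes, opts: ArchiveOptions, level: int = 0,
                 prefix: str = "", result: ScanResult | None = None) -> ScanResult:
    """Scan one ZIP archive that sits at nesting `level` (0 = the attachment itself)."""
    result = result if result is not None else ScanResult()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = prefix + info.filename
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:          # general-purpose bit 0: member is encrypted
                result.skipped[name] = "encrypted; cannot be scanned"
                if opts.delete_encrypted_archives:
                    result.delete.append(name)
                continue
            # Header-declared sizes are checked *before* inflating, so a decompression
            # bomb is rejected without spending CPU or memory on it.
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > opts.max_compression_ratio:
                result.skipped[name] = f"compression ratio {ratio:.0f}:1 exceeds limit"
                continue
            if info.file_size > opts.max_uncompressed_size:
                result.skipped[name] = "declared uncompressed size exceeds limit"
                continue
            # Headers can lie, so also cap the bytes actually inflated.
            with zf.open(info) as fh:
                content = fh.read(opts.max_uncompressed_size + 1)
            if len(content) > opts.max_uncompressed_size:
                result.skipped[name] = "actual uncompressed size exceeds limit"
                continue
            if zipfile.is_zipfile(io.BytesIO(content)):
                if level + 1 > opts.max_nested_level:
                    result.skipped[name] = f"nested at level {level + 1}, beyond limit"
                    continue
                scan_archive(content, opts, level + 1, name + "/", result)
            else:
                result.scanned.append(name)
                if TEST_MARKER in content:
                    result.infected.append(name)
            if result.infected and opts.stop_on_first_infection:
                break                         # remaining members stay unscanned
    return result


def _make_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


def build_sample_archive() -> bytes:
    """Constructed test input: outer.zip -> inner.zip -> deep.zip.

    inner.zip holds a marked 'infected' member; deep.zip holds 2 MB of zeros,
    which deflates to a few KB and so trips the compression-ratio limit.
    """
    deep = _make_zip({"bomb.bin": b"\0" * 2_000_000})
    inner = _make_zip({"payload.bin": b"header " + TEST_MARKER, "deep.zip": deep})
    return _make_zip({"readme.txt": b"plain clean text", "inner.zip": inner})


if __name__ == "__main__":
    res = scan_archive(build_sample_archive(),
                       ArchiveOptions(max_nested_level=2, stop_on_first_infection=False))
    print("infected:", res.infected)
    print("skipped:", res.skipped)
```

With the defaults, the scan stops at the first infected member and never opens deep.zip; raising Maximum Nested Level to 2 reaches bomb.bin, which is then refused on its compression ratio alone.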


More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Create MS Exchange Scheduled Scan Policies

The MS Exchange Schedule Scan policy lets you schedule when the Client scans
the email server. You can schedule when the scans occur, specify whether the
scans are reoccurring, identify what is scanned, and set any time limitations on
the scan.

To create an MS Exchange Schedule Scan Policy

1. Configure the Name and General Settings. (see page 492)

These settings include naming and describing the policy and indicating
whether this is the default policy.

2. Configure the Job Schedule. (see page 493)

These options let you schedule when the scan occurs and whether the scan
is a reoccurring job.

3. Configure the Scan Options. (see page 495)

These options let you set whether the scan checks all email messages or
ignores messages which have been previously scanned. You can also limit
the amount of time the scan is allowed to run.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)


Configure MS Exchange Scheduled Scan Policy Name and General Settings

Use the Name and General Policy Settings to specify the name and description
for the policy.

You can also specify the policy as a default policy. A default policy is included in
the Remote Installation package that includes this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are used to initialize fields when a new policy of this type is being
created.

To configure the Name and General Settings

1. Click Policies in the Maintain pane.

The Policy menu expands.

2. Click Global Policy Definitions.

3. Click the policy category containing the policy you want to create.

The policy category opens, containing the list of policies.

4. Click the policy you want to create.

The Global Policy Definition window for that specific policy opens, displaying
a list of available policies.

5. Click New.

The Name and General Settings page for the policy opens.

6. In the Policy Description pane, enter the following information:

Name
Provide a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.

Description
Provide a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.

7. In the Default Policy pane, enable or disable the Make this policy the default
for this policy type option.

Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.


8. (Optional) If this is a partition specific policy, the Policy Scope pane is
present. Select one of the following options:

This Policy is private to this Partition
Select this option to limit the policy to only this partition. The policy will
not appear in the list of available policies in other partitions.

Share this Policy with all Partitions
Select this option to make the policy available across all partitions.

9. Click Next to move to the next page in the policy creation. Alternatively, click
Save to save your changes and return to the Global Policy Definitions page.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure MS Exchange Scheduled Scan Policy Job Schedule Settings

The Job Schedule settings of an MS Exchange Scheduled Scan policy let you
schedule when the scan occurs and if the scan is a reoccurring job.

To configure the Job Schedule settings

1. Open the Job Schedule page by either clicking Next on the General Policy
Settings page of the MS Exchange Scheduled Scan Policy, or by clicking the
Job Schedule link in the Steps to Create Policy pane.

2. Enable Perform Scheduled Scan.

Note: You must enable this option to include a scheduled scan in the policy.
If you do not want to include a scheduled scan, do not enable this option.

3. In the Job Settings pane, enter the following information:

Job Name
Provide a name for this scheduled scan.

Job Description
Provide a description for this scheduled scan.

4. Using the Start Time fields, specify the date and time when the scheduled
scan should start.


5. Using the Repeat Every fields, specify if and when you want the schedule to
reoccur.

If you do not want the scheduled scan to reoccur, leave the fields set to zero.

6. Click Next to continue creating the MS Exchange Scheduled Scan Policy.

The Scan Options page opens.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)


Configure MS Exchange Scheduled Scan Policy Scan Options

The Scan Options of an MS Exchange Scheduled Scan policy let you set whether
the scan checks all email messages or ignores messages which have been
previously scanned. You can also limit the amount of time the scan is allowed to
run.

To configure the Scan Options

1. Open the Scan Options page by either clicking Next on the Job Schedule
page of the MS Exchange Scheduled Scan Policy, or by clicking the Scan
Options link in the Steps to Create Policy pane.

2. In the Scan Selection pane, select one of the following options:

Scan All Messages
Select this option to scan all messages on the email server.

Start From Last Mailbox Scanned
Select this option to have the scan check only those mailboxes that it did
not scan the last time the scanner ran.

If this is the first time the scanner is checking this Exchange server, all
messages are scanned.

Scan Messages Dated After
Select this option and specify a date to scan all emails that arrived after
the specified date. Only those emails received after this date are
scanned.

3. In the Scan Run Time pane, specify the time limit of the scan.

If the scan exceeds this time limit, the scan stops. If this is a reoccurring
scan, the scan begins where it left off at the next occurrence.

4. Click Save to save your changes and return to the Global Policy Definitions
page.

Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.


Create Lotus Domino Real-time Policies

The Lotus Domino Real-time policy lets you control the settings of the Lotus
Domino real-time groupware scanner. This scanner protects your Lotus Domino
email server.

To create a Lotus Domino Real-time Policy

1. Configure the Name and General Settings. (see page 497)

These settings include naming and describing the policy, locking the policy
settings, and indicating whether this is the default policy.

2. Configure the Scan Options. (see page 498)

These options let you control how the scanner functions. You can set options
such as whether the quarantine is enabled, or the action to take if the
scanner cannot clean an infection.

3. Configure the Scan Filter. (see page 500)

These options let you limit the scope of the scanner. You can ensure that
certain files are either included or excluded from the scan.

4. Configure the Mail Options. (see page 501)

These options let you determine whether the scanner checks the body of
emails for malware.

5. Configure the Notifications. (see page 502)

These options let you specify who is notified when malware is found on the
email server.

6. Configure the Pre-Scan Filters. (see page 503)

These options let you configure pre-scan filters. These filters let you block
unwanted attachments and other filtered content.

7. Configure the Archive Options. (see page 504)

These options let you control how the groupware scanner handles archived
files.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)


Configure Lotus Domino Real-time Policy Name and General Settings

Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.

You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.

To configure the Name and General Settings


1. Click Maintain, Policies, Global Policy Definitions.

2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.

3. Click the policy you want to create.
The Global Policy Definition window for that specific policy opens and
displays a list of available policies.

4. Click New.
The Name and General Settings page for the policy opens.

5. In the Policy Description pane, enter the following information:

Name
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.

Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.

6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.

Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.


7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type

Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.

8. (Optional) If this is a partition specific policy, the Policy Scope pane is
present. Select one of the following options:

This Policy is private to this Partition
Select this option to limit the policy to only this partition. The policy will
not appear in the list of available policies in other partitions.

Share this Policy with all Partitions
Select this option to make the policy available across all partitions.

9. Click Next to move to the next page in the policy creation process.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure Lotus Domino Real-time Policy Scan Options

The Scan Options settings of a Lotus Domino Real-time policy let you specify the
options for the Lotus Domino real-time groupware scanner. These options
include specifying the secondary cleaning action, indicating whether the
Quarantine is enabled, and setting the number of threads devoted to scanning.

To configure the Scan Options settings

1. Open the Scan Options page by either clicking Next on the General Policy
Settings page of the Lotus Domino Real-time Policy, or by clicking the Scan
Options link in the Steps to Create Policy pane.
2. Select the Enable Protection option.
You must select this option if you want real-time protection for your Lotus
Domino server.


3. In the Options pane, you can set the following options:

Quarantine
Enable or disable the quarantine for the email server. Enabling the
quarantine means that infected emails are first moved to the quarantine
before any cleaning attempts are made.

Secondary Clean Action
Set the secondary cleaning action taken by the email scanner. If the
initial cleaning attempt fails, the scanner can either attempt to delete the
infected email, or leave the infected email untouched.

Scan Error Action
Set the cleaning action taken by the email scanner if it encounters an
error when attempting to clean an infected email. If the initial cleaning
attempt fails, the scanner can either attempt to delete the infected
email, or leave the infected email untouched.

Scan Mode
Use the drop-down menu to select one of the following scan mode
options:
■ Normal: Select this option to run the scanner in the normal, default
mode.
■ Deep: Select this mode to have the scanner perform additional
low-level scanning. Selecting this option makes the scanner run
significantly slower than normal mode.

4. In the Advanced Protection pane, you can set the following options:
Heuristic Scanning
Enable or disable heuristic scanning. Enabling heuristic scanning lets the
email scanner search for infections using alternative methods in addition
to the regular scanning methods. These alternative methods require
more time for the scan to complete, but help to ensure that all infections
are located. Disabling Heuristic Scanning speeds up the scanning
process, but might not catch all infections.

Scanning Threads
Specify the number of threads in the global thread pool.

Note that when you increase the number of scanning threads, you can
adversely affect the performance of your system.

5. Click Next to continue creating the Lotus Domino Real-time policy.
The Scan Filter page opens.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.


More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure Lotus Domino Real-time Policy Scan Filters Settings

The Scan Filters settings of a Lotus Domino Real-time policy let you specify the
files you want included or excluded from the email scan. When you set these
filters, you must first specify whether to include or exclude the file, then list the
file.

To configure the Scan Filters settings

1. Open the Scan Filters page by either clicking Next on the Scan Options page
of the Lotus Domino Real-time Policy, or by clicking the Scan Filter link in the
Steps to Create Policy pane.
2. For the Filter, select one of the following:

Edit Inclusion List
Select this option to edit the inclusion list. The files in the inclusion list
are always scanned even if the scanner would normally ignore them
because of other options.

Edit Exclusion List
Select this option to edit the exclusion list. The files in the exclusion list
are always skipped during scanning. You can exclude a file if you know
that file is accessed or shared often, but poses no security risk, such as
a known signature image.


3. Specify the files for the list you selected and select an action.
■ To add a file to the list, enter the file name and click Add.
■ To remove a file from the list, select the file and click Remove.
■ To edit a file name, select the file name and click Edit.

4. Click Next to continue creating the Lotus Domino Real-time policy.
The Mail Options page opens.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

Configure Lotus Domino Real-time Policy Mail Options

The Mail Options settings of a Lotus Domino Real-time policy let you determine
whether the scanner checks the body of emails for malware.

To configure the Mail Options

1. Open the Mail Options page by either clicking Next on the Scan Filter page of
the Lotus Domino Real-time Policy, or by clicking the Mail Options link in the
Steps to Create Policy pane.

2. Enable Scan Message Bodies if you want the email scanner to actively scan
the bodies of emails for malware.
3. Click Next to continue creating the Lotus Domino Real-time policy.
The Notifications page opens.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)


Configure Lotus Domino Real-time Policy Notifications Settings

The Notification settings of a Lotus Domino Real-time policy let you specify who
is notified when malware is found on the email server. When malware is found,
a notification email is sent to the specified recipients based on the options you
select on this page.

To configure the Notification settings


1. Open the Notification page by either clicking Next on the Mail Options page of
the Lotus Domino Real-time Policy, or by clicking the Notification link in the
Steps to Create Policy pane.

2. In the Notification pane, you can enable the following options:

Notify Mailbox Owner
Enable this option to have the notification email sent to the mailbox
owner.

Notify Message Sender
Enable this option to have the sender of the infected message receive
the notification email.

Notify System Administrators
Enable this option to have the system administrators receive the
notification email. Enabling this option causes the Administrators pane
to open.

3. If you enabled Notify System Administrators, you must specify the email
address for each administrator in the Administrators pane.
■ To add an email address to the list, enter the email address and click
Add.
■ To remove an email address from the list, select the address and click
Remove.

4. In the Notification pane, set the following options:

Return Address
Specify the return address used when sending out notification emails. All
replies to the notification email are sent to the return address.

Subject
Specify the subject line to use in notification emails.

5. Click Next to continue creating the Lotus Domino Real-time policy.
The Pre-Scan Filter page opens.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.


More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure Lotus Domino Real-time Policy Pre-Scan Filters Settings

The Pre-Scan Filter of a Lotus Domino Real-time policy lets you configure
pre-scan filters that let you block unwanted attachments and other content from
your network. You can use any combination of these filters. For example, you
could use the Extension Block filter to block all .zip files, but create an exception
allowing the file update.zip with the Extension Block Exemption list.

To configure the Pre-Scan Filters


1. Open the Pre-Scan Filters page by either clicking Next on the Notification
page of the Lotus Domino Real-time Policy, or by clicking the Pre-Scan Filters
link in the Steps to Create Policy pane.

2. In the Pre-Scan Block pane, select a filter. You can choose from the following
options:

Extension Blocks
Use this list to block files based on the file extension. For example, you
can block all .zip files from being sent.

Extension Block Exemptions
Use this list to create exemptions to the Extension Block list. For
example, to block all .txt attachments, but allow the file update.txt, you
would add .txt to the Extension Block list and add the file update.txt to
the Extension Block Exemption list.

3. Specify the objects for the list you selected.
■ To add an object to the list, enter the object name then click Add.
■ To remove an object from the list, select the object and click Remove.
■ To edit an object name, select the object name and click Edit.

4. Click Next to continue creating the Lotus Domino Real-time policy.
The Archive Options page opens.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
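The two list-based filters of this policy, the Scan Filters inclusion and exclusion lists described earlier and the Pre-Scan Filters extension block and exemption lists described here, combine into one short decision procedure per attachment. The following is an added example, not code from CA Total Defense: the class names, the rule that an exemption is matched on the whole file name while a block is matched on the final extension, the case-insensitive matching, the precedence of the inclusion list over the exclusion list, and the sample attachment names are all assumptions made here.

```python
"""Attachment filtering as the Scan Filters and Pre-Scan Filters pages describe
it: an Extension Block list with an Extension Block Exemption list, and an
Inclusion list / Exclusion list that decide whether a surviving attachment is
scanned at all. Constructed example; the policy classes, the precedence rules
and the sample attachment names are assumptions made here, not CA code.
"""
from __future__ import annotations

import os
from dataclasses import dataclass, field


def _ext_of(filename: str) -> str:
    """Lower-case final extension of a file name, including the dot."""
    return os.path.splitext(os.path.basename(filename))[1].lower()


@dataclass
class PreScanPolicy:
    """Pre-Scan Block pane: Extension Blocks plus Extension Block Exemptions."""
    extension_blocks: set = field(default_factory=set)   # e.g. {".zip", ".exe"}
    exemptions: set = field(default_factory=set)         # exact names, e.g. {"update.zip"}

    def blocks(self, filename: str) -> bool:
        name = os.path.basename(filename).lower()
        if name in {e.lower() for e in self.exemptions}:
            return False            # an exemption wins over the block list
        # Only the final extension is consulted, so "invoice.pdf.exe" is an .exe.
        blocked = {b.lower() if b.startswith(".") else "." + b.lower()
                   for b in self.extension_blocks}
        return _ext_of(name) in blocked


@dataclass
class ScanFilterPolicy:
    """Scan Filters page: Inclusion list (always scanned), Exclusion list (always skipped)."""
    inclusions: set = field(default_factory=set)
    exclusions: set = field(default_factory=set)

    def should_scan(self, filename: str, scanner_default: bool) -> bool:
        name = os.path.basename(filename).lower()
        if name in {i.lower() for i in self.inclusions}:
            return True             # assumption: inclusion outranks exclusion
        if name in {e.lower() for e in self.exclusions}:
            return False
        return scanner_default      # whatever the other scan options decide


def evaluate_attachment(filename: str, pre_scan: PreScanPolicy,
                        scan_filter: ScanFilterPolicy,
                        scanner_default: bool = True) -> str:
    """Return "blocked", "scan" or "skip" for one attachment name.

    Pre-scan blocking runs first because a blocked attachment never reaches
    the scanner; the inclusion/exclusion lists apply only to what gets through."""
    if pre_scan.blocks(filename):
        return "blocked"
    return "scan" if scan_filter.should_scan(filename, scanner_default) else "skip"


# Constructed sample policy: block .zip and .exe but allow the file update.zip
# (the page's own kind of example), and never scan the known signature image.
SAMPLE_PRE_SCAN = PreScanPolicy(extension_blocks={".zip", "exe"}, exemptions={"update.zip"})
SAMPLE_SCAN_FILTER = ScanFilterPolicy(inclusions={"macros.doc"}, exclusions={"signature.png"})

# Constructed attachment names covering the interesting cases.
SAMPLE_ATTACHMENTS = [
    "update.zip", "UPDATE.ZIP", "archive.zip", "invoice.pdf.exe",
    "signature.png", "macros.doc", "notes.txt",
]


def classify_samples() -> dict:
    """Decision for every constructed attachment under the sample policies."""
    return {name: evaluate_attachment(name, SAMPLE_PRE_SCAN, SAMPLE_SCAN_FILTER)
            for name in SAMPLE_ATTACHMENTS}


if __name__ == "__main__":
    for name, decision in classify_samples().items():
        print(f"{name:18} -> {decision}")
```

Two points the page's wording leaves implicit are made explicit in the code: a double-extension name such as invoice.pdf.exe is judged by its last extension only, and an exemption is an exact file name, so it never widens into allowing every .zip file.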


More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure Lotus Domino Real-time Policy Archive Options

The Archive Options of a Lotus Domino Real-time policy lets you configure how
the scan handles archives such as .zip and .rar files.

To configure the Archive Options


1. Open the Archive Options page by either clicking Next on the Pre-Scan Filter
page of the Lotus Domino Real-time Policy, or by clicking the Archive Options
link in the Steps to Create Policy pane.

2. Enable the Scan Archives option. You must enable this option to customize
this feature in the policy.

3. In the Archive Type pane, enable the archive types you want the Client to
scan. For example, if you want the Client to scan zip files, you would enable
the ZIP archive row.

4. In the Settings pane, you can enable the following options:

Delete encrypted archives
Enable this option to have the scanner remove all encrypted archived
files. Encrypted archive files cannot be scanned and can pose a danger to
your network.

Stop scanning on first infection
Enable this option to have the Client stop scanning an archive file if an
infection is found. If you do not enable this, the Client continues to scan
the archive after finding an infected item. Enabling this option stops the
Client from spending time scanning a known infection, but the Client
cannot find any additional infections in the file if they are present.

You should enable this option if you automatically delete infected files. If
you clean infected files, you may want to scan the entire archive to find
all possible infections.


5. In the Settings pane, enter the following values:

Maximum Nested Level
Enter the maximum number of nested levels the Client scans. A nested
archive is an archive file stored within another archive file. For example,
if you added example.zip to an existing archive, that example.zip would
be nested at level one. If you set the Maximum Nested Level to zero, the
Client would not scan example.zip or its contents. Any file in the archive
nested at levels higher than the value you set is ignored and treated as
clean. All files nested at or below the level you set are scanned.

Maximum Compression Ratio
Enter the maximum compression ratio of the files the Client scans. The
compression ratio is the ratio of the initial size of the file to its final
compressed size. Scanning files with a high compression ratio slows down
the scanning process, but provides better protection. However, some
malware hides in files with very large compression ratios, and trying to
extract such files for scanning can slow down or freeze your computer.

Maximum Uncompressed File Size
Enter the maximum uncompressed size of a file. The Client does not scan
any file in an archive that, when extracted, is larger than this limit. This
limit prevents the Client from scanning archived files that expand too much
and could slow down or freeze your computer. However, these large archives
could still contain malware and leave you vulnerable.

6. Click Save to save your changes and return to the Global Policy Definitions
page.
Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.
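The three limits in step 5 exist because archives are the classic way to exhaust a scanner: a small file that inflates to gigabytes, or an archive nested many levels deep. The following added example, not code from CA Total Defense, applies those limits to a ZIP archive built in memory and shows why they can be checked before anything is decompressed; the ArchiveLimits class, the decision labels, the in-memory sample archive and the read cap are assumptions made here.

```python
"""Archive Options limits (Maximum Nested Level, Maximum Compression Ratio,
Maximum Uncompressed File Size) applied to a ZIP archive before any entry is
inflated. Constructed example, not CA Total Defense code: the ArchiveLimits
class, the decision labels and the in-memory sample archive are assumptions.
"""
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass


@dataclass
class ArchiveLimits:
    max_nested_level: int = 2                      # deeper archives are ignored
    max_compression_ratio: float = 100.0           # original size / compressed size
    max_uncompressed_size: int = 10 * 1024 * 1024  # bytes, per entry


def build_sample_archive() -> bytes:
    """Constructed input: outer.zip holds inner.zip, which holds an 8 MiB file
    of zeros (deflates to a few KB, ratio about 1000:1) and a tiny text file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("zeros.bin", b"\0" * (8 * 1024 * 1024))
        z.writestr("readme.txt", b"hello")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("inner.zip", inner.getvalue())
        z.writestr("notes.txt", b"plain file at level 0")
    return outer.getvalue()


def _read_capped(z: zipfile.ZipFile, info: zipfile.ZipInfo, cap: int) -> bytes:
    """Inflate one entry but refuse to go past 'cap' bytes: the size declared
    in the central directory is attacker-controlled, so it is checked first
    and then enforced again while the data is actually decompressed."""
    with z.open(info) as fh:
        data = fh.read(cap + 1)
    if len(data) > cap:
        raise ValueError(f"{info.filename}: inflated beyond {cap} bytes")
    return data


def check_archive(data: bytes, limits: ArchiveLimits, level: int = 0,
                  prefix: str = "") -> list:
    """Walk an archive and return (path, decision) pairs, where decision is
    "scan", "skip:size", "skip:ratio" or "skip:nested". Sizes come from the
    central directory, so nothing is inflated before its limits are checked."""
    decisions = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ratio = info.file_size / max(info.compress_size, 1)
            if info.file_size > limits.max_uncompressed_size:
                decisions.append((path, "skip:size"))
            elif ratio > limits.max_compression_ratio:
                decisions.append((path, "skip:ratio"))
            elif info.filename.lower().endswith(".zip"):
                # An archive inside this one sits one level deeper.
                if level + 1 > limits.max_nested_level:
                    decisions.append((path, "skip:nested"))
                else:
                    nested = _read_capped(z, info, limits.max_uncompressed_size)
                    decisions.extend(check_archive(nested, limits, level + 1, path + "/"))
            else:
                decisions.append((path, "scan"))
    return decisions


if __name__ == "__main__":
    sample = build_sample_archive()
    for path, decision in check_archive(sample, ArchiveLimits()):
        print(f"{path:22} {decision}")
    # With Maximum Nested Level 0, inner.zip itself is ignored, as the page says.
    for path, decision in check_archive(sample, ArchiveLimits(max_nested_level=0)):
        print(f"{path:22} {decision}")
```

The ratio and size checks read only the central directory, which is why they cost nothing even for an archive that would take minutes to inflate; the read cap in _read_capped is the defensive counterpart for the case where a crafted header under-reports the real size.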

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)


Create Lotus Domino Scheduled Scan Policies

The Lotus Domino Scheduled Scan policy lets you schedule when the Client scans
the email server. You can schedule when the scans occur, whether the scans
recur, what is scanned, and any time limit on the scan.

To create a Lotus Domino Scheduled Scan Policy

1. Configure the Name and General Settings. (see page 506)
These settings include naming and describing the policy and indicating
whether this is the default policy.

2. Configure the Job Schedule. (see page 508)
These options let you schedule when the scan occurs and whether the scan is a
recurring job.

3. Configure the Scan Options. (see page 509)
These options let you set whether the scan checks all email messages or
ignores messages which have been previously scanned. You can also limit the
amount of time the scan is allowed to run.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure Lotus Domino Scheduled Scan Policy Name and General Settings

Use the Name and General Policy Settings to specify the name and description
for the policy.

You can also specify the policy as a default policy. A default policy is included in
the Remote Installation package that includes this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are used to initialize fields when a new policy of this type is being
created.

To configure the Name and General Settings

1. Click Policies in the Maintain pane.
The Policy menu expands.

2. Click Global Policy Definitions.

3. Click the policy category containing the policy you want to create.
The policy category opens, containing the list of policies.


4. Click the policy you want to create.
The Global Policy Definition window for that specific policy opens, displaying
a list of available policies.

5. Click New.
The Name and General Settings page for the policy opens.

6. In the Policy Description pane, enter the following information:

Name
Provide a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.

Description
Provide a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.

7. In the Default Policy pane, enable or disable the Make this policy the default
for this policy type option.
Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.

8. (Optional) If this is a partition specific policy, the Policy Scope pane is
present. Select one of the following options:

This Policy is private to this Partition
Select this option to limit the policy to only this partition. The policy will
not appear in the list of available policies in other partitions.

Share this Policy with all Partitions
Select this option to make the policy available across all partitions.

9. Click Next to move to the next page in the policy creation. Alternatively, click
Save to save your changes and return to the Global Policy Definitions page.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)


Configure Lotus Domino Scheduled Scan Policy Job Schedule Settings

The Job Schedule settings of a Lotus Domino Scheduled Scan policy let you
schedule when the scan occurs and specify whether the scan is a recurring job.

To configure the Job Schedule settings

1. Open the Job Schedule page by either clicking Next on the General Policy
Settings page of the Lotus Domino Scheduled Scan Policy, or by clicking the
Job Schedule link in the Steps to Create Policy pane.

2. Enable Perform Scheduled Scan.
Note: You must enable this option to include a scheduled scan in the policy.
If you do not want to include a scheduled scan, do not enable this option.

3. In the Job Settings pane, provide a name and a description for this scheduled
scan.

4. Specify the date and time when the scheduled scan should start in the Start
Time fields.

5. Specify how often you want the scan to recur in the Repeat Every fields.
If you do not want the scheduled scan to recur, leave the fields set to zero.

6. Click Next to continue creating the Lotus Domino Scheduled Scan Policy.
The Scan Options page opens.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)


Configure Lotus Domino Scheduled Scan Policy Scan Options

The Scan Options of a Lotus Domino Scheduled Scan policy let you set whether
the scan checks all email messages or ignores messages which have been
previously scanned. You can also limit the amount of time the scan is allowed to
run.

To configure the Scan Options

1. Open the Scan Options page by either clicking Next on the Job Schedule
page of the Lotus Domino Scheduled Scan Policy, or by clicking the Scan
Options link in the Steps to Create Policy pane.

2. In the Scan Selection pane, select one of the following options:

Scan All Messages
Select this option to scan all messages on the email server.

Start From Last Mailbox Scanned
Select this option to have the scan check only those mailboxes that it did
not scan the last time the scanner ran. If this is the first time the scanner
is checking this email server, all messages are scanned.

Scan Messages Dated After
Select this option to scan all emails that arrived after a specified date.
After selecting this option, you must provide a date. Only those emails
received after this date are scanned.

3. In the Scan Run Time pane, specify the time limit of the scan. If the scan
exceeds this time limit, the scan stops. If this is a recurring scan, the scan
resumes where it left off at the next occurrence.

4. Click Save to save your changes and return to the Global Policy Definitions
page.

Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.
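The Scan Selection options and the Scan Run Time limit described here (and, identically, in the MS Exchange Scheduled Scan Scan Options procedure earlier) amount to a cursor that the scanner persists between occurrences: which mailboxes the last run covered, and where a run cut short by the time limit should pick up. The following added example, not code from CA Total Defense, models that cursor with a deterministic clock so the resume behaviour can be checked; the Mailbox, Message and ScanState classes, the fake clock, the sample mailboxes and the exact meaning given to each option are assumptions made here.

```python
"""Scheduled-scan selection and run-time limit as the Scan Options pages
describe them. Constructed example, not CA Total Defense code: the
Mailbox/Message/ScanState classes, the sample mailboxes, the fake clock and
the exact meaning given to each option are assumptions made here.
"""
from __future__ import annotations

import time
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable


@dataclass
class Message:
    subject: str
    received: datetime


@dataclass
class Mailbox:
    name: str
    messages: list


@dataclass
class ScanState:
    """Persisted between occurrences of the scheduled scan: which mailboxes the
    last run covered and, if it hit the time limit, where to pick up next."""
    scanned_last_run: set = field(default_factory=set)
    next_index: int = 0
    interrupted: bool = False


@dataclass
class ScanReport:
    mailboxes: list          # mailbox names scanned during this occurrence
    messages: int            # messages handed to the scanner
    interrupted: bool        # True if the Scan Run Time limit stopped the run


def make_fake_clock(step: float = 1.0) -> Callable[[], float]:
    """Deterministic stand-in for time.monotonic: each call advances 'step' seconds."""
    now = [0.0]

    def clock() -> float:
        now[0] += step
        return now[0]

    return clock


def run_scheduled_scan(mailboxes, mode, state, time_limit_s, dated_after=None,
                       clock=time.monotonic) -> ScanReport:
    """One occurrence of the scheduled scan.

    mode is "all" (Scan All Messages), "resume" (Start From Last Mailbox
    Scanned) or "dated_after" (Scan Messages Dated After). Assumed semantics:
    "resume" skips mailboxes the previous occurrence scanned; the other two
    modes start at the top unless the previous occurrence hit the time limit,
    in which case they continue from the mailbox where it stopped."""
    if mode == "dated_after" and dated_after is None:
        raise ValueError("dated_after mode needs a cut-off date")
    if mode == "resume" and state.scanned_last_run:
        todo = [(i, mb) for i, mb in enumerate(mailboxes)
                if mb.name not in state.scanned_last_run]
    else:
        start = state.next_index if state.interrupted else 0
        todo = list(enumerate(mailboxes))[start:]

    started = clock()
    done, count, interrupted = [], 0, False
    for index, mb in todo:
        if clock() - started > time_limit_s:
            state.next_index, interrupted = index, True   # resume here next time
            break
        selected = (mb.messages if mode != "dated_after"
                    else [m for m in mb.messages if m.received > dated_after])
        count += len(selected)        # a real engine would scan each message here
        done.append(mb.name)
    if not interrupted:
        state.next_index = 0
    state.interrupted = interrupted
    state.scanned_last_run = set(done)
    return ScanReport(done, count, interrupted)


# Constructed sample data: four mailboxes with messages around a cut-off date.
SAMPLE_CUTOFF = datetime(2010, 3, 1)
SAMPLE_MAILBOXES = [
    Mailbox("alice", [Message("q1 report", datetime(2010, 2, 15)),
                      Message("follow-up", datetime(2010, 3, 10))]),
    Mailbox("bob",   [Message("hello", datetime(2010, 1, 5))]),
    Mailbox("carol", [Message("invoice", datetime(2010, 3, 2)),
                      Message("receipt", datetime(2010, 4, 1))]),
    Mailbox("dave",  [Message("minutes", datetime(2010, 2, 28))]),
]


if __name__ == "__main__":
    state = ScanState()
    # A 2-second limit with a clock that advances 1 s per check: the first
    # occurrence covers two mailboxes, the second picks up at the third.
    print(run_scheduled_scan(SAMPLE_MAILBOXES, "all", state, 2, clock=make_fake_clock()))
    print(run_scheduled_scan(SAMPLE_MAILBOXES, "all", state, 2, clock=make_fake_clock()))
```

The time limit is checked once per mailbox rather than per message, which keeps the cursor at a mailbox boundary so the next occurrence never re-scans half a mailbox or skips the other half.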

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)


Create MS SharePoint Real-time Policies

The MS SharePoint Real-time policy lets you control the settings of the MS
SharePoint real-time groupware scanner. This scanner protects your MS
SharePoint content management server.

To create an MS SharePoint Real-time Policy

1. Configure the Name and General Settings. (see page 511)
These settings include naming and describing the policy, locking the policy
settings, and indicating whether this is the default policy.

2. Configure the Scan Options. (see page 512)
These options let you control how the scanner functions. You can set options
such as whether the quarantine is enabled, or if an item should be deleted if
the scanner cannot clean an infection.

3. Configure the Scan Filter. (see page 514)
These options let you limit the scope of the scanner. You can ensure that
certain files are either included or excluded from the scan.

4. Configure the Archive Options. (see page 515)
These options let you control how the groupware scanner handles archived
files.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)


Configure MS SharePoint Real-time Policy Name and General Settings

Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.

You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.

To configure the Name and General Settings


1. Click Maintain, Policies, Global Policy Definitions.

2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.

3. Click the policy you want to create.
The Global Policy Definition window for that specific policy opens and
displays a list of available policies.

4. Click New.
The Name and General Settings page for the policy opens.

5. In the Policy Description pane, enter the following information:

Name
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.

Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.

6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.

Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.


7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type

Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.

8. (Optional) If this is a partition specific policy, the Policy Scope pane is
present. Select one of the following options:

This Policy is private to this Partition
Select this option to limit the policy to only this partition. The policy will
not appear in the list of available policies in other partitions.

Share this Policy with all Partitions
Select this option to make the policy available across all partitions.

9. Click Next to move to the next page in the policy creation process.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure MS SharePoint Real-time Policy Scan Options

The Scan Options settings of an MS SharePoint Real-time policy let you specify the
options for the MS SharePoint real-time groupware scanner. These options
include specifying the secondary cleaning action, whether the Quarantine is
enabled, and how many threads are devoted to scanning.

To configure the Scan Options settings

1. Open the Scan Options page by either clicking Next on the General Policy
Settings page of the MS SharePoint Real-time Policy, or by clicking the Scan
Options link in the Steps to Create Policy pane.
2. Select the Enable Protection option. You must select this option if you want
real-time protection for your MS SharePoint server.


3. In the Options pane, you can set the following options:

Quarantine
Enable or disable the quarantine for the server. Enabling the quarantine
means that infected files are first moved to the quarantine before any
cleaning attempts are made.

Secondary Clean Action
Set the secondary cleaning action taken by the scanner. If the initial
cleaning attempt fails, the scanner can either attempt to delete the
infected file, or leave the infected file untouched.

Scan Error Action
Set the cleaning action taken by the scanner if the scanner encounters
an error when attempting to clean an infected file. If the initial cleaning
attempt fails, the scanner can either attempt to delete the infected file,
or leave the infected file untouched.

Scan Mode
Use the drop-down menu to select one of the following scan mode
options:
■ Normal: Select this option to run the scanner in the normal, default
mode.
■ Deep: Select this mode to have the scanner perform additional
low-level scanning. Selecting this option makes the scanner run
significantly slower than normal mode.

4. In the Advanced Protection pane, you can set the following options:
Heuristic Scanning
Enable or disable heuristic scanning. Enabling heuristic scanning lets the
scanner search for infections using alternative methods in addition to the
regular scanning methods. These alternative methods require more time
for the scan to complete, but help ensure all infections are located.
Disabling Heuristic Scanning speeds up the scanning process, but might
not catch all infections.

Scanning Threads
Specify the number of threads in the global thread pool. Note that when
you increase the number of scanning threads, you can adversely affect
the performance of your system.
5. Click Next to continue creating the MS SharePoint Real-time policy.
The Scan Filter page opens.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.


More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure MS SharePoint Real-time Policy Scan Filters Settings

The Scan Filter settings of an MS SharePoint Real-time policy let you specify the
files you want included in or excluded from the scan. When specifying, you must
first select whether to include or exclude the file, then list the file.

To configure the Scan Filters settings

1. Open the Scan Filter page by either clicking Next on the Scan Options page
of the MS SharePoint Real-time Policy, or by clicking the Scan Filter link in
the Steps to Create Policy pane.
2. For the Filter, select one of the following:

Edit Inclusion List

Select this option to edit the inclusion list. Any file in the inclusion list is
always scanned even if the scanner would normally ignore the file
because of other options.

Edit Exclusion List

Select this option to edit the exclusion list. Any file in the exclusion list is
always skipped during scanning. You can exclude a file if you know it is
accessed or shared often but poses no security risk, such as a known
signature image.

3. Specify the files for the list you selected.

■ To add a file to the list, enter the file name and click Add.
■ To remove a file from the list, select the file and click Remove.
■ To edit a file name, select the file name and click Edit.

4. Click Next to continue creating the MS SharePoint Real-time policy.
The Archive Options page opens.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure MS SharePoint Real-time Policy Archive Options

The Archive Options of an MS SharePoint Real-time policy lets you configure how
the scan handles archives such as .zip and .rar files.

To configure the Archive Options

1. Open the Archive Options page by either clicking Next on the Scan Filter
page of the MS SharePoint Real-time Policy, or by clicking the Archive
Options link in the Steps to Create Policy pane.
2. Enable the Scan Archives option. You must enable this option to customize
this feature in the policy.

3. In the Archive Type pane, enable the archive types you want the Client to
scan. For example, if you want the Client to scan zip files, you would enable
the ZIP archive row.

4. In the Settings pane, you can enable the following options:

Delete encrypted archives

Enable this option to have the scanner remove all encrypted archived
files. Encrypted archive files cannot be scanned and can pose a danger to
your network.

Stop scanning on first infection

Enable this option to have the Client stop scanning an archive file if an
infection is found. If you do not enable this, the Client continues to scan
the archive after finding an infected item. Enabling this option stops the
Client from spending time scanning a known infection, but the Client
cannot find any additional infections in the file if they are present.
You should enable this option if you automatically delete infected files. If
you clean infected files, you may want to scan the entire archive to find
all possible infections.

5. In the Settings pane, enter the following values:

Maximum Nested Level

Enter the maximum number of nested levels the Client scans. A nested
archive is an archive file stored within another archive file.
For example, if you added the file example.zip to an existing archive, the
file example.zip would be nested at level one. If you set the Maximum
Nested Level to zero, the Client would not scan example.zip or its
contents. Any file in the archive nested at a level higher than the value
you set is ignored and viewed as clean. All files nested at levels lower
than the level you set are scanned.

Maximum Compression Ratio

Enter the maximum compression ratio of the file the Client scans. The
compression ratio is the ratio of the initial size of the file to its final
compressed size. Scanning files with a high compression ratio slows down
the scanning process, but provides better protection. However, some
malware hides in files with large compression ratios, and trying to extract
such files for scanning can slow down or freeze your computer.
Maximum Uncompressed File Size

Enter the maximum uncompressed size of a file. The Client does not scan
any file in an archive that, when extracted, is larger than this limit.
Setting a high value prevents the Client from scanning archived files that
expand too much and slow down or freeze your computer. However,
these large archives can still contain malware and lead to vulnerability.

6. Click Save to save your changes and return to the Global Policy Definitions
page.
Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Create MS SharePoint Scheduled Scan Policies

The MS SharePoint Scheduled Scan policy lets you schedule when the Client scans
the MS SharePoint server. You can schedule when the scans occur, whether the
scans recur, what is scanned, and any time limits on the scan.

To create an MS SharePoint Scheduled Scan Policy

1. Configure the Name and General Settings. (see page 517)
These settings include naming and describing the policy and indicating
whether this is the default policy.

2. Configure the Job Schedule. (see page 518)
These options let you schedule when the scan occurs and whether the scan is
a recurring job.

3. Configure the Scan Options. (see page 519)
These options let you set whether the scan checks all files or ignores files
that have been previously scanned. You can also limit the amount of time
the scan is allowed to run.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure MS SharePoint Scheduled Scan Name and General Settings

Use the Name and General Policy Settings to specify the name and description
for the policy.

You can also specify the policy as a default policy. A default policy is included in
the Remote Installation package that includes this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are used to initialize fields when a new policy of this type is being
created.

To configure the Name and General Settings

1. Click Policies in the Maintain pane.
The Policy menu expands.

2. Click Global Policy Definitions.

3. Click the policy category containing the policy you want to create.
The policy category opens, containing the list of policies.

4. Click the policy you want to create.
The Global Policy Definition window for that specific policy opens, displaying
a list of available policies.

5. Click New.
The Name and General Settings page for the policy opens.

6. In the Policy Description pane, enter the following information:

Name
Provide a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.
Description
Provide a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.

7. In the Default Policy pane, enable or disable the Make this policy the default
for this policy type option.

Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.

8. (Optional) If this is a partition-specific policy, the Policy Scope pane is
present. If the Policy Scope pane is present, select one of the following
options:

This Policy is private to this Partition

Select this option to limit the policy to only this partition. The policy will
not appear in the list of available policies in other partitions.

Share this Policy with all Partitions

Select this option to make the policy available across all partitions.

9. Click Next to move to the next page in the policy creation. Alternatively, click
Save to save your changes and return to the Global Policy Definitions page.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure MS SharePoint Scheduled Scan Policy Job Schedule Settings

The Job Schedule settings of an MS SharePoint Scheduled Scan policy let you
schedule when the scan occurs and indicate whether the scan is a recurring
job.

To configure the Job Schedule settings

1. Open the Job Schedule page by either clicking Next on the General Policy
Settings page of the MS SharePoint Scheduled Scan Policy, or by clicking the
Job Schedule link in the Steps to Create Policy pane.

2. Enable Perform Scheduled Scan.
Note: You must enable this option to include a scheduled scan in the policy.
If you do not want to include a scheduled scan, do not enable this option.

3. In the Job Settings pane, enter a name and description for this scheduled
scan.

4. Specify the date and time when the scheduled scan should start in the Start
Time fields.

5. Specify if and when you want the schedule to recur in the Repeat Every
fields.
If you do not want the scheduled scan to recur, leave the fields set to zero.

6. Click Next to continue creating the MS SharePoint Scheduled Scan policy.
The Scan Options page opens.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure MS SharePoint Scheduled Scan Policy Scan Options

The Scan Options of an MS SharePoint Scheduled Scan policy let you set whether
the scan checks the files in all folders or ignores files in folders that have
been previously scanned. You can also limit the amount of time the scan is
allowed to run.

To configure the Scan Options

1. Open the Scan Options page by either clicking Next on the Job Schedule
page of the MS SharePoint Scheduled Scan Policy, or by clicking the Scan
Options link in the Steps to Create Policy pane.

2. In the Scan Selection pane, select one of the following options:

Scan All Folders

Select this option to scan all folders on the server.

Start From Last Folder Scanned

Select this option to have the scan check only those folders that it did not
scan the last time the scanner ran. If this is the first time the scanner is
checking this server, all folders are scanned.

Scan Folders Dated After

Select this option to scan all folders created or added after a specified
date. After selecting this option, you must provide a date. Only those files
found in folders created or added after this date are scanned.

3. In the Scan Run Time pane, specify the time limit of the scan. If the scan
exceeds this time limit, the scan stops. If this is a recurring scan, the scan
resumes where it left off at the next occurrence.

4. Click Save to save your changes and return to the Global Policy Definitions
page.
Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Create NetApp Real-time Policies

The NetApp Real-time policy lets you control the settings of the NetApp real-time
groupware scanner. This scanner protects your NetApp Filer.

To create a NetApp Real-time Policy

1. Configure the Name and General Settings. (see page 521)
These settings include naming and describing the policy, locking the policy
settings, and indicating whether this is the default policy.

2. Configure the Scan Options. (see page 522)
These options let you control how the scanner functions. You can set options
such as whether the quarantine is enabled, or if an item should be deleted if
the scanner cannot clean an infection.

3. Configure the Scan Filter. (see page 524)
These options let you limit the scope of the scanner. You can ensure that
certain files are either included in or excluded from the scan.

4. Configure the Archive Options. (see page 525)
These options let you control how the groupware scanner handles archived
files.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure NetApp Real-time Policy Name and General Settings

Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.

You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.

To configure the Name and General Settings

1. Click Maintain, Policies, Global Policy Definitions.

2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.

3. Click the policy you want to create.
The Global Policy Definition window for that specific policy opens and
displays a list of available policies.

4. Click New.
The Name and General Settings page for the policy opens.

5. In the Policy Description pane, enter the following information:

Name
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.

Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.

6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.

Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.

7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type

Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.

8. (Optional) If this is a partition-specific policy, the Policy Scope pane is
present. Select one of the following options:

This Policy is private to this Partition

Select this option to limit the policy to only this partition. The policy will
not appear in the list of available policies in other partitions.

Share this Policy with all Partitions

Select this option to make the policy available across all partitions.

9. Click Next to move to the next page in the policy creation process.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure NetApp Real-time Policy Scan Options

The Scan Options settings of a NetApp Real-time policy let you specify the
options for the NetApp real-time groupware scanner. These options include
specifying the secondary cleaning action, if the Quarantine is enabled, and the
number of threads devoted to scanning.

To configure the Scan Options settings

1. Open the Scan Options page by either clicking Next on the General Policy
Settings page of the NetApp Real-time Policy, or by clicking the Scan Options
link in the Steps to Create Policy pane.
2. Select the Enable Protection option. You must select this option if you want
real-time protection for your NetApp server.

3. In the Options pane, you can set the following options:

Quarantine

Enable or disable the quarantine for the NetApp Filer. Enabling the
quarantine means that infected files are first moved to the quarantine
before any cleaning attempts are made.

Secondary Clean Action

Set the secondary cleaning action taken by the scanner. If the initial
cleaning attempt fails, the scanner can either attempt to delete the
infected file, or leave the infected file untouched.

Scan Error Action

Set the cleaning action taken by the scanner if the scanner encounters
an error when attempting to clean an infected file. If the initial cleaning
attempt fails, the scanner can either attempt to delete the infected file,
or leave the infected file untouched.

Scan Mode

Use the drop-down menu to select one of the following scan mode
options:
■ Normal: Select this option to run the scanner in the normal, default
mode.
■ Deep: Select this mode to have the scanner perform additional
low-level scanning. Selecting this option makes the scanner run
significantly slower than normal mode.

4. In the Advanced Protection pane, you can set the following options:
Heuristic Scanning
Enable or disable heuristic scanning. Enabling heuristic scanning lets the
scanner search for infections using alternative methods in addition to the
regular scanning methods. These alternative methods require more time
for the scan to complete, but help ensure all infections are located.
Disabling Heuristic Scanning speeds up the scanning process, but might
not catch all infections.

Scanning Threads
Specify the number of threads in the global thread pool. Note that when
you increase the number of scanning threads, you can adversely affect
the performance of your system.
5. Click Next to continue creating the NetApp Real-time policy.
The Scan Filter page opens.

Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure NetApp Real-time Policy Scan Filters Settings

The Scan Filters settings of a NetApp Real-time policy let you specify the files
you want included in or excluded from the scan. When specifying, you must first
select whether to include or exclude the file, then list the file.

To configure the Scan Filters settings

1. Open the Scan Filters page by either clicking Next on the Scan Options page
of the NetApp Real-time Policy, or by clicking the Scan Filter link in the Steps
to Create Policy pane.
2. For the Filter, select one of the following:

Edit Inclusion List

Select this option to edit the inclusion list. Any file found in the inclusion
list is always scanned even if the scanner would normally ignore the file
because of other options.

Edit Exclusion List

Select this option to edit the exclusion list. Any file found in the exclusion
list is always skipped during scanning. You can exclude a file if you know
it is accessed or shared often but poses no security risk, such as a known
signature image.

3. Specify the files for the list you selected.

■ To add a file to the list, enter the file name and click Add.
■ To remove a file from the list, select the file and click Remove.
■ To edit a file name, select the file name and click Edit.

4. Click Next to continue creating the NetApp Real-time policy.
The Archive Options page opens.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.

More information:

Manage Policies (see page 222)
View the Partition Assignment Tree (see page 187)
Create New Installation Packages (see page 179)
Assign Policies (see page 202)

Configure NetApp Real-time Policy Archive Options

The Archive Options of a NetApp Real-time policy lets you configure how the scan
handles archives such as .zip and .rar files.

To configure the Archive Options

1. Open the Archive Options page by either clicking Next on the Scan Filter
page of the NetApp Real-time Policy, or by clicking the Archive Options link in
the Steps to Create Policy pane.

2. Enable the Scan Archives option. You must enable this option to customize
this feature in the policy.

3. In the Archive Type pane, enable the archive types you want the Client to
scan. For example, if you want the Client to scan zip files, you would enable
the ZIP archive row.

4. In the Settings pane, you can enable the following options:

Delete encrypted archives

Enable this option to have the scanner remove all encrypted archived
files. Encrypted archive files cannot be scanned and can pose a danger to
your network.

Stop scanning on first infection

Enable this option to have the Client stop scanning an archive file if an
infection is found. If you do not enable this, the Client continues to scan
the archive after finding an infected item. Enabling this option stops the
Client from spending time scanning a known infection, but the Client
cannot find any additional infections in the file if they are present.
You should enable this option if you automatically delete infected files. If
you clean infected files, you may want to scan the entire archive to find
all possible infections.

5. In the Settings pane, enter the following values:

Maximum Nested Level

Enter the maximum number of nested levels the Client scans. A nested
archive is an archive file stored within another archive file. For example,
if you added example.zip to an existing archive, example.zip would be
nested at level one. If you set the Maximum Nested Level to zero, the
Client would not scan example.zip or its contents. Any file in the archive
nested at a level higher than the value you set is ignored and viewed as
clean. All files nested at levels lower than the level you set are scanned.

Maximum Compression Ratio

Enter the maximum compression ratio of the file the Client scans. The
compression ratio is the ratio of the initial size of the file to its final
compressed size. Scanning files with a high compression ratio slows down
the scanning process, but provides better protection. However, some
malware hides in files with large compression ratios, and trying to extract
such files for scanning can slow down or freeze your computer.

Maximum Uncompressed File Size

Enter the maximum uncompressed size of a file. The Client does not scan
any file in an archive that, when extracted, is larger than this limit. Setting
a high value prevents the Client from scanning some archived files that
expand too much and slow down or freeze your computer. However,
these large archives could still contain malware and lead to vulnerability.

6. Click Save to save your changes and return to the Global Policy Definitions
page.
Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.
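The three archive limits above (Maximum Nested Level, Maximum Compression Ratio and Maximum Uncompressed File Size, which appear in both the MS SharePoint and the NetApp Real-time Archive Options) are easiest to understand as checks made on an archive member before it is expanded. The following Python example is added here to illustrate that; it is not CA Total Defense code and does not reproduce the product's scanner. It applies the three limits to an in-memory ZIP built inline as constructed sample input. The ArchiveLimits names, the verdict labels, and the rule that a member nested at a level equal to the limit is still scanned are assumptions of the example, as is the choice to read sizes from the ZIP central directory rather than by decompressing.

```python
# Added example: applies the guide's three archive limits to a ZIP file in memory.
# Not CA Total Defense code. Limit names, verdict labels, and the "level equal to
# the limit is still scanned" rule are assumptions of this example.
import io
import zipfile
from dataclasses import dataclass


@dataclass(frozen=True)
class ArchiveLimits:
    max_nested_level: int = 1             # deepest nesting level still scanned; the outer archive is level 0
    max_compression_ratio: float = 100.0  # uncompressed size divided by compressed size
    max_uncompressed_size: int = 10 * 1024 * 1024  # bytes; larger members are never expanded


def compression_ratio(info: zipfile.ZipInfo) -> float:
    """Ratio as the guide defines it: initial (uncompressed) size over compressed size."""
    if info.compress_size == 0:
        return 0.0 if info.file_size == 0 else float("inf")
    return info.file_size / info.compress_size


def check_archive(data: bytes, limits: ArchiveLimits,
                  level: int = 0, prefix: str = "") -> dict:
    """Walk a ZIP and any nested ZIPs and return {member_path: verdict}.

    Verdicts are "scan", "skip:uncompressed-size", "skip:compression-ratio"
    and "skip:nested-level". Size and ratio come from the central directory,
    so a member that breaks a limit is never decompressed. A skipped member is
    treated as clean, which is exactly the trade-off the guide describes.
    """
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.file_size > limits.max_uncompressed_size:
                verdicts[path] = "skip:uncompressed-size"
                continue
            if compression_ratio(info) > limits.max_compression_ratio:
                verdicts[path] = "skip:compression-ratio"
                continue
            member = zf.read(info)  # bounded: both limits were checked above
            if zipfile.is_zipfile(io.BytesIO(member)):
                if level + 1 > limits.max_nested_level:
                    verdicts[path] = "skip:nested-level"
                else:
                    verdicts.update(check_archive(member, limits, level + 1, path + "/"))
                continue
            verdicts[path] = "scan"
    return verdicts


def build_zip(members: dict) -> bytes:
    """Helper for constructing sample input: {name: bytes} -> deflated ZIP bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_archive() -> bytes:
    """Constructed sample: two nesting levels, one highly compressible member, one oversized member."""
    inner2 = build_zip({"deep.txt": b"nested at level two"})
    inner1 = build_zip({"mid.txt": b"nested at level one", "inner2.zip": inner2})
    return build_zip({
        "readme.txt": b"plain text, nothing unusual",
        "inner1.zip": inner1,
        "zeros.bin": b"\x00" * 4000,        # deflates to a few dozen bytes: ratio far above 50
        "big.bin": bytes(range(256)) * 32,  # 8192 bytes when extracted
    })


if __name__ == "__main__":
    limits = ArchiveLimits(max_nested_level=1,
                           max_compression_ratio=50.0,
                           max_uncompressed_size=4096)
    for path, verdict in sorted(check_archive(sample_archive(), limits).items()):
        print(f"{verdict:24} {path}")
```

Running the block with the limits in its main section gives one verdict per member: readme.txt and inner1.zip/mid.txt are scanned, inner1.zip/inner2.zip is skipped because it sits at nesting level two, zeros.bin is skipped on its compression ratio, and big.bin is skipped on its uncompressed size. Lowering max_nested_level to zero skips inner1.zip itself, which matches the guide's example.zip description; raising it to two reaches deep.txt. The checks are deliberately ordered so that the cheap metadata tests run before any decompression happens.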

Licensing
This section contains procedures related to licensing.

Manage License Status

The License Management page lets you perform the following actions:
■ Access the Product Subscription Management tool
■ Manually synchronize the licenses
■ Set when automatic synchronization occurs

Note: To access the Product Subscription Management (PSM) tool or manually
synchronize the licenses, you must have an active Internet connection.

The PSM tool lets you proactively manage your CA Total Defense licenses.

To manage your licenses

1. Click Environment, Licensing.

The Licensing page opens, listing the days remaining until your license
expires and when the synchronization occurs.

2. Click Manage Licenses.
The Product Subscription Management tool opens in a new browser window.
For further information, consult the help system for the Product Subscription
Management tool.

You should manually synchronize any license modifications with the CA
Entitlement Management System.

To manually synchronize the licenses

1. Click Environment, Licensing.
The Licensing page opens, listing the days remaining until your license
expires and when the synchronization occurs.

2. Click Synchronize Licenses.
The license synchronization runs. The Management Console reports the
results once the synchronization is complete.

Your system automatically synchronizes with the licensing servers every
twenty-four hours. You can specify the time when this occurs.

To set when synchronization occurs

1. Click Environment, Licensing.
The Licensing page opens, listing the days remaining until your license
expires and when the synchronization occurs.

2. Enter the time when you want the synchronization to occur.

3. Click Apply to save the changes or Reset to cancel them.

Licensing Messages

Depending on the status of your license, you may see a message in the banner
area of the Management Console. The banner appears near the top of the
console, just below the product name. It also contains "Logged in as:" and the
date and time.

If you have not activated your license, the banner displays the following
message:
Your license registration is not complete. Click here for help.

Note: Only a user with Administrator privileges on the Management Console can
complete the registration process.

If your license is within 90, 60, or 30 days of expiration, the banner displays the
following message:

The CA Total Defense license will expire in <#> days.

At 90 days and 60 days, you only see the message displayed the first time you
log in to the Management Console. Thirty days prior to license expiration, the
Management Console always displays this message.

If the license is past the expiration date and within the grace period, the banner
displays the following message:

CA Total Defense License has expired. Grace period will end in <#>
days.

CA provides a 30-day grace period at the end of the license subscription to allow
time for product renewal. You must purchase a new license prior to the end of the
grace period.

Complete the Licensing Registration Process

If you did not activate the license for your CA Total Defense product, the
Management Console displays the following message:

Your license registration is not complete. Click here for help.

This message appears if you did not activate your license when you installed the
product. You must activate your license within 30 days or the product will no
longer work.

Note: Only a user with Administrator privileges on the Management Console can
complete the registration process.

There are two options for completing the licensing registration process and
activating your license: online license activation and offline license activation.

Online license activation

Online license activation requires Internet access for the Management
Server and the license activation email. The CA Entitlement Management
System sends you this email after you have entered a valid license key
during installation. The email should arrive quickly, but at most within 24
hours. If you cannot find the activation email, contact your sales
representative or visit the CA Support website and click the Licensing link.

Offline license activation

For offline license activation, you must download and install the CA Total
Defense Licensing Utility, then follow the instructions provided in the help for
that utility. Visit https://ems.ca.com/synctool to download the utility.

To perform online license activation

1. Locate and open your license activation email.

2. Click the link in the email to activate your license.
After activating your license, you must then click the Synchronize button
located on the Licensing page in the Management Console to immediately
end the trial period.

3. Click Environment, Licensing in the Management Console.

4. Click Licensing.
The Licensing page opens, listing the days remaining until your license
expires and when the synchronization occurs.

5. Click Synchronize Licenses.
The license synchronization runs. The Management Console reports the
results once the synchronization is complete.
Note: You must have an active Internet connection during the license
activation and manual synchronization steps.

Product Subscription Management Tool

The following sections contain procedures for the Product Subscription
Management tool.

View Endpoint Details

The Total Defense Product Subscription Management tool displays information
about your license status for the various endpoints on your network.

To view license information

1. Expand either Assigned Endpoints or Unassigned Endpoints.

2. Select a proxy or server to view the license information and endpoints
associated with that proxy or server.
The license information and endpoint details for the selected proxy display.

The Total Defense Product Subscription Management tool displays the
identifying attributes for each endpoint. From this page you can perform the
following procedures:

■ Filter the endpoint lists (see page 530)
■ Reassign licenses (see page 530)
■ Unassign licenses (see page 531)

Filter the Endpoint List

Filter either the Assigned or Unassigned endpoint list to locate a specific
endpoint or set of endpoints.

To filter an endpoint list

1. Expand either Assigned Endpoints or Unassigned Endpoints. Both have
endpoint lists that you can filter.

2. In the Filter Endpoints section, enter your filter criteria. You can filter the list
using the following criteria:
Note: You cannot use wildcard characters when filtering the endpoint lists.

Domain Name

Filter the endpoints based on the domain name of the endpoints.

Endpoint Name

Filter the endpoints based on the name of the endpoints.

License Start Date

Filter the endpoints based on the day the license started. Dates must be
entered in the format used in the table listing the endpoints.

License End Date

Filter the endpoints based on the day the license ends. Dates must be
entered in the format used in the table listing the endpoints.

3. After entering the criteria, press Enter to filter the list.
The list displays only those endpoints that match your criteria.

Reassign Licenses

Reassigning licenses lets you reuse licenses.

To reassign a license from an endpoint

1. Select the server or proxy that contains the endpoint from which you
want to reassign a license.
You can reassign a license to an endpoint without first unassigning the
previous license, if applicable.

2. Filter the endpoints as needed and select one or more endpoints to which to
reassign licenses.

3. Click Reassign.
A warning message appears.


4. Click OK.
A list of available Entitlement Keys replaces the list of endpoints.

5. Select the Entitlement Key for the license you want to assign to the endpoint.
6. Click Reassign.

The endpoint is reassigned to the license you specified. If the endpoint was
listed as unassigned, it moves to the Assigned Endpoint list.

Unassign Licenses

Unassigning licenses allows you to recover licenses from endpoints that are no
longer in use, so that you can reassign those licenses to other endpoints.

To unassign a license from an endpoint

1. Select the server or proxy that contains the endpoint from which you
want to unassign a license.

The Assigned Endpoints page opens, displaying the server or proxy details.

2. Filter the endpoints as needed and select one or more endpoints from which
to unassign licenses.

3. Click Unassign.

A warning message appears.

4. Click OK.

The licenses are unassigned from the endpoints and ready to be reassigned
as necessary. The endpoints now appear in the Unassigned Endpoints list. They
remain there in case you decide to reassign a license to them at a later
time.

View Product Information


The Product Information page displays basic information about the product you
purchased, including the features and their versions. From this page you can also
edit your contact details, link orders to your account, view reseller information,
and access support information.

To view the Product Information page, click Product Information. The Product
Information page opens, displaying the details of your current product.


The Product Information page displays the following information:

Package Name
The package name for the product you purchased.

Version
The version number of the product installed.

Expiration Date
The license expiration date for your product. If you have not renewed your
product by this date, your system enters the thirty-day grace period. Once
that grace period expires, you must request a product upgrade instead of
renewing your license.

Number of Endpoint License Purchased
The total number of endpoint licenses purchased.

Number of Licenses Currently in Use
The total number of endpoint licenses currently in use.

Number of Days Left on this License
The number of days remaining before your license expires.

The Product Information page has a table listing the features included in your
product. This table displays the following information:

Serial Number
The serial number assigned to the feature.

Feature Name
The name of the feature.

Version
The current version number of the feature installed.

The Product Information page provides the following tabs:

Customer Details
This tab displays the customer details for your purchase, including the
purchasing contact and the technical contact in your company for this
product. You can edit these details from this tab.

Order Details
This tab displays the order details for your purchased products. Use this tab
to link new orders to your existing product listings. You may need to link
orders if you purchase a new product or additional endpoints.


Reseller Details
This tab contains the reseller details included with your product, if you are
reselling the product as part of your own applications.

Support Contact Details
This tab lets you view the support contact details for the different regions
around the world. Use this page when you need to see the hours of operation
and the phone number to use when contacting support in your region.

From this page you can perform the following procedures:

■ Edit contact details (see page 533)
■ Link an order to your account (see page 534)
■ View support contact details (see page 534)

Edit Contact Details

Editing the contact details lets you update the contact information for both your
purchase contact details and technical contact details.

To edit contact details

1. Click Product Information.

The Product Information page opens, displaying the details of your current
product.

2. Select the Customer Details tab and click the Edit Contact button next to the
contact to edit.

The tab displays the edit fields for the selected contact.

3. Update the contact information as needed.

4. Click Update Contact.

The contact information is updated.

To cancel your changes, click Cancel.


Link an Order to Your Account

If your company has purchased several orders over a period of time, you can link
each order to your account to ease the management of your licenses. When linking
an order to your account you need the Order Number and the associated license
key.

To link your order details

1. Click Product Information.

The Product Information page opens and displays the details of your current
product.

2. Click the Order Details tab.

The Order Details tab opens and displays the order information for your
product purchases.

3. Click Link Order.

The Link Order fields replace the Order Details.

4. Enter the Order Number and License Key.

5. Click Submit.

The PSM sends your request to the Entitlement Management System and
links the order with your account.

View Support Contact Details

You can view the support contact details for a variety of regions.

To view support contact details

1. Click Product Information.

The Product Information page opens, displaying the details of your current
product.

2. Click the Support Contact Details tab.

The Support Contact Details tab opens, displaying the contact information
for your region.

3. Use the drop-down menu to view contact information for other regions.


Manage License Requests


If you must request a renewal of your existing license or migrate your current
license to include additional product components at any time, you can use the
License Request page. The License Request page lets you request a renewal of
your license, migrate your license to a new product, and view your current
product license details.

To view the License Request page, click License Request. The License Request
page opens, displaying the details of your current product license.

The License Request page displays the following information:

Package Name
The package name for the product you purchased.

Version
The version number of the product installed.

Expiration Date
The license expiration date for your product. If you have not renewed your
product by this date, your system enters the thirty-day limited-function grace
period. Once that grace period expires, you must repurchase your product
license instead of renewing your license.

Number of Endpoint License Purchased
The total number of endpoint licenses purchased.

Number of License Currently in Use
The total number of endpoint licenses currently in use.

Number of Days Left on this License
The number of days remaining before your license expires.


The License Request page provides the following tabs:

Renewal
Use this tab when requesting an active license renewal. If your license and
the grace period have expired, this tab changes to Upgrade and you have to
request a product upgrade instead. The procedure for upgrading is the same
as renewing.

Migrate to
Use this tab to request a product migration. Migrating your product allows
you to carry your existing license over to a new product suite, increasing the
features you can access.

From this page you can perform the following procedures:

■ Renew or upgrade a license (see page 537)

■ Migrate a license (see page 538)


Renew or Upgrade a License

Use the Renew tab when requesting a renewal of an active license. If your license
and the grace period have expired, this tab changes to Upgrade and you have to
request a product upgrade instead. The procedure for upgrading is the same as
renewing.

To request a renewal of your license

1. Click License Request.

The License Request page opens, displaying the details of your current
product license.

2. Click the Renewal tab.

3. In the Renewal Period field, select for how long you want to renew your
product.

4. Enter the number of endpoints you want included with this renewal.

5. Click Send Request.

Your request is submitted. To cancel your request before clicking Send
Request, click Cancel.

After you submit a request, the reseller or partner will contact you to proceed
with the renewal, migration, or upgrade procedure. You will then receive a new
license key. If performing a migration, you enter the new license key during
installation. If renewing or upgrading the product, you add the new license key
with the PSM tool.

To add a new license key

1. Click Product Information.

The Product Information page opens and displays the details of your current
product.

2. If renewing a product:

a. Click the Order Details tab.

The Order Details tab opens and displays the order information for your
product purchases.

b. Click Link Order.

The Link Order fields replace the Order Details.

3. If upgrading a product, click the Upgrade tab.

4. Enter the Order Number and License Key.

5. Click Submit.


At the next regularly scheduled synchronization time, the PSM sends the
information to the CA Entitlement System and associates the new key with
the server's node-id. If renewing a product, you can use the Synchronize
Licenses button in the Management Console to send the information
immediately.

Migrate a License

Use the Migrate tab to request a migration of your product. Migrating your
product allows you to carry your existing license over to a new product suite,
increasing the features you can access. The Migrate tab only captures the sales
request. After submitting a request, the reseller or partner completes the
migration process and sends you a new license key, which is used for the
migration.

To request a migration of your license

1. Click License Request.

The License Request page opens, displaying the details of your current
product license.

2. Click the Migrate tab.

3. Select the product to which you want to migrate.

4. Enter the number of endpoints purchased with your license.

5. Click Send Request.

Your request is submitted. To cancel your request before clicking Send
Request, click Cancel.

After you submit a request, the reseller or partner will contact you about the
migration and give you a new license key. You then install the components
from your product DVD, and when prompted by the Installation Wizard,
enter the new license key.


Endpoint Discovery
Endpoint Discovery searches your network and collects a list of all unmanaged
endpoints. By default, this feature runs every 24 hours to ensure that all
endpoints are accounted for, including laptops or other endpoints that may be
disconnected from the network on a regular basis. You can change this schedule
depending on how often you expect endpoints to be disconnected from and
reconnected to your network. You can also configure the time of day when
Endpoint Discovery runs. You can also manually run Endpoint Discovery. This is
advantageous if you have installed a large number of endpoints and you want to
discover these machines quickly instead of waiting for the scheduled interval.

For more information on Endpoint Discovery, consult the Endpoint Discovery
section of the CA Total Defense Administration Guide.

You can run Endpoint Discovery in either of the following modes:

Full Discovery
Endpoint Discovery checks the entire network for endpoints. This process is
slower than running an Incremental Discovery, but ensures no endpoints are
missed.

Incremental Discovery
Endpoint Discovery ignores previously detected endpoints and detects only
new, unmanaged endpoints. If you have never run Endpoint Discovery, an
Incremental Discovery takes as long as a Full Discovery; otherwise, an
Incremental Discovery saves time and reduces network load and traffic.

To view the results of the most recent Endpoint Discovery

1. Click Configure, Environment.

The Navigation Pane expands to show configuration options for the
Management Server.

2. Click Endpoint Discovery.

The Endpoint Discovery pane opens and displays the results from the last
time the discovery process ran.

The Results of the Most Recent Discovery displays the following information:

Discovery Type
The type of the last discovery, Full or Incremental.

Start Time
The time when the last discovery began.

Completion Time
The time when the last discovery ended.


Completion Status
The completion status for the last discovery. The status may be either
SUCCESS or FAILED. If the status is FAILED, the Management Console lists
the possible reason.

Job Initiation
Whether the job was Manual or Scheduled. A manual job was started by a
user, whereas a scheduled job is planned and run by the Management
Server.

Total Endpoints Found
The total number of endpoints found during the last discovery process. This
count includes both known and new endpoints.

New Endpoints Found
The total number of new endpoints found during the last discovery process.
This count only includes new endpoints, and excludes previously discovered
endpoints.

Endpoints Removed
Lists the number of endpoints that were previously in the list of discovered
endpoints, but were not found when this discovery process ran. If you run a full
discovery, then any previously discovered endpoint that is not found is
removed. If you run an incremental discovery, the Maximum Missed Discoveries
parameter determines when an endpoint is removed from the list of discovered
endpoints. During incremental discovery, the Management Server records the
number of times an endpoint is not found. Once this number matches the
Maximum Missed Discoveries parameter, the Management Server removes the
endpoint from the list. If the Management Server finds the endpoint during an
incremental discovery, this count is reset.

Manage Endpoint Discovery

Endpoint Discovery finds unmanaged endpoints on your network. The results of
the Endpoint Discovery scan are displayed on the Maintain, Endpoints,
Unmanaged Endpoints page.

To view the results of the most recent Endpoint Discovery

1. Click Configure, Environment.

The Navigation Pane expands to show configuration options for the
Management Server.

2. Click Endpoint Discovery.

The Endpoint Discovery pane opens and displays the results from the last
time the discovery process ran.


The Results of the Most Recent Discovery displays the following information:

Discovery Type
The type of the last discovery, Full or Incremental.

Start Time
The time when the last discovery began.

Completion Time
The time when the last discovery ended.

Completion Status
The completion status for the last discovery. The status may be either
SUCCESS or FAILED. If the status is FAILED, the Management Console lists
the possible reason.

Job Initiation
Whether the job was Manual or Scheduled. A manual job was started by a
user, whereas a scheduled job is planned and run by the Management
Server.

Total Endpoints Found
The total number of endpoints found during the last discovery process. This
count includes both known and new endpoints.

New Endpoints Found
The total number of new endpoints found during the last discovery process.
This count only includes new endpoints, and excludes previously discovered
endpoints.

Endpoints Removed
The total number of endpoints the discovery process did not find during the
last discovery. The Management Console keeps track of the total number of
endpoints found prior to running the discovery process. When the discovery
process is run, if this number exceeds the total number of endpoints found,
the difference is listed here as the number of endpoints removed.

By default, Endpoint Discovery is scheduled to run every day. Running the
discovery process every day ensures that all endpoints are accounted for,
including laptops and other machines that are disconnected from the network on
a regular basis. You can change this schedule depending on how often you
expect the endpoints to be pulled on and off your network and the best time to
run Endpoint Discovery.

You can also run Endpoint Discovery manually. Manually running Endpoint
Discovery can be advantageous if you installed a large number of machines and
want the Management Console to discover these machines quickly, rather than
waiting for the scheduled interval.


You can run the Endpoint Discovery in either Full Discovery mode or Incremental
Discovery mode. When you run Endpoint Discovery in Full Discovery mode, your
entire network is scanned for new endpoints. This process is slower than running
an Incremental Discovery, but ensures that no endpoints are missed.

When you run Endpoint Discovery in Incremental Discovery mode, previously
discovered endpoints are ignored. If you have never run Endpoint Discovery, the
Incremental Discovery takes as long as a Full Discovery. However, if you have
run a previous Endpoint Discovery, running the Incremental Discovery can save
you time and reduce the load on your network for the discovery process.

To start Full Endpoint Discovery

1. Click Configure, Environment.

The Navigation Pane expands to show configuration options for the
Management Server.

2. Click Endpoint Discovery.

The Endpoint Discovery pane opens and displays the results from the last
time the discovery process ran.

3. Click Start Full Discovery.

The Full Discovery process begins. As new endpoints are found, the count is
updated on the display.

The process runs until completion unless you click Stop Discovery or
Endpoint Discovery encounters an error.

To start Incremental Endpoint Discovery

1. Click Configure, Environment.

The Navigation Pane expands to show configuration options for the
Management Server.

2. Click Endpoint Discovery.

The Endpoint Discovery pane opens and displays the results from the last
time the discovery process ran.

3. Click Start Incremental Discovery.

The Incremental Discovery begins wherever the last Discovery process
ended. As Endpoint Discovery finds new endpoints, it updates the display
count.

Note: You can stop the discovery process at any time by clicking Stop. If you
stop the discovery process, the discovery process begins from the first scan
engine when restarted.

The process runs until completion unless you click Stop or the Endpoint
Discovery encounters an error.


Configure Endpoint Discovery

You must configure the Endpoint Discovery process to ensure the Management
Console can properly discover each endpoint. The configurations you set include
the scheduled interval for the Endpoint Discovery. When you run a manual
Endpoint Discovery, it uses whatever configuration values you last set. Use the
following process when configuring the Endpoint Discovery:

1. Schedule the Endpoint Discovery process. (see page 544)

Scheduling the Endpoint Discovery allows this process to take place at a
regularly scheduled time and interval.

2. Select the Endpoint Discovery methods used. (see page 546)

Using the proper Endpoint Discovery method ensures the Management
Console can find all possible endpoints on your network.

3. Enter any necessary authentication credentials for the Endpoint Discovery.
(see page 547)

The Endpoint Discovery must have Administrative access to properly find all
endpoints.

4. Specify the IP range exclusions for the Discovery process. (see page 544)

Excluding certain IP address ranges lets you skip over network devices such
as printers, allowing for a faster Endpoint Discovery process.

5. (Optional) Specify the Port Scanning parameters for the Discovery process.
(see page 549)

You must set the ports the Management Console will use if you are using the
TCP sweep to scan for endpoints or are using Active Fingerprinting scanning
to determine the OS of the endpoint. If these methods are enabled, the
performance of the system greatly depends on how well you configure the
port scanning parameters.

6. Specify any advanced parameters for the Discovery process. (see page 551)

Setting the Advanced parameters lets you determine the timeouts and
number of retries allowed for the various Endpoint Discovery methods. You
can also specify the maximum number of packets or threads used when the
Management Console runs the Endpoint Discovery.

7. Specify the logging options for the Endpoint Discovery log. (see page 553)

Setting the logging option ensures that the Endpoint Discovery records all
transactions that are of interest to you.

Note: At any point, you can click Save to save all the changes you have made.
Click Back or Next to save any changes you make and move to a different page.
To restore the settings to the previously saved state, click Restore Previous
Settings. You can also jump to a specific page by clicking the page link in the
Steps for Configuring Discovery pane.


Schedule Endpoint Discovery

Scheduling the Endpoint Discovery allows this process to take place at regularly
scheduled times and intervals. This ensures that your list of endpoints remains
up to date, and allows for proper protection for your network. To run Endpoint
Discovery at the scheduled times, you must enable the Schedule Discovery Jobs
option. If you do not enable this option, you must manually run the Endpoint
Discovery to locate new endpoints.

You should schedule Endpoint Discovery if you believe that endpoints can be
added or removed from your network without your knowledge. This may happen
in a large organization with distributed IT Departments handling the addition of
endpoints to the network. If you have a small network and know when endpoints
are added or removed, you may opt to manually run Endpoint Discovery only
when you add or remove endpoints.

To schedule the Endpoint Discovery process

1. Click Configure, Environment.

The Navigation Pane expands to show configuration options for the
Management Server.

2. Click Endpoint Discovery.

The Endpoint Discovery pane opens and displays the results from the last
time the discovery process ran.

3. Click Configure.

The Configure Discovery window opens on the Schedule Discovery page.

4. Enable Schedule Discovery Jobs.

Note: You must enable this option to run Endpoint Discovery at a scheduled
time. If you do not enable this option, you must periodically manually run
Endpoint Discovery to locate new endpoints.


5. In the Specify Discovery Schedule, enter the following information:

Date
Enter the date on which you want the Endpoint Discovery process to
begin.

Note: Do not pick a date that has already passed unless you plan to
have the Endpoint Discovery process repeat at a specified interval. If you
do set the date and time to a past day and do not set the Repeat Every
interval, the scheduled Endpoint Discovery process will not run.

Time
Enter the time at which you want the Endpoint Discovery process to
begin.

Repeat Every
Enter the interval between each Endpoint Discovery. For example, to run
the Discovery every day, enter either 1 in the Days field or 24 in the
Hours field.

6. In the Select Rediscovery method pane, select one of the following options:

Full Discovery
When you run Endpoint Discovery in Full Discovery mode, the
Management Console checks the entire visible network for new
endpoints. This process is slower than running an Incremental
Discovery, but ensures no endpoints are missed.

Incremental Discovery
When you run Endpoint Discovery in Incremental Discovery mode, the
Management Console keeps track of the areas in your network it has
scanned, and ignores these areas each time you run the scan. If you
have never run Endpoint Discovery, the Incremental Discovery takes as
long as a Full Discovery. However, if you have run a previous Endpoint
Discovery, running the Incremental Discovery will save you time and
reduce the load on your network for the discovery process.

7. In the Options pane, enter a value in the Maximum Missed Discoveries field
to specify the maximum number of attempts the Management Console
makes before declaring an endpoint as inactive.

One attempt is made for each scan. If an endpoint is not active for the
specified number of attempts, the endpoint is considered inactive and
removed from the list of active endpoints.

8. Click Save.

Your changes are saved.

9. Click Close to close the page.
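The Maximum Missed Discoveries rule from step 7, together with the Endpoints Removed behaviour described under the results of the most recent discovery, as an added Python model that is not CA Total Defense code: it replays a constructed sequence of Full and Incremental runs and reports when each endpoint drops off the discovered list. The endpoint names are made up.

```python
"""Added example (not CA Total Defense code): model how the discovered-endpoint
list changes across Full and Incremental discoveries, following the guide's
description of Endpoints Removed and the Maximum Missed Discoveries setting.
"""
from dataclasses import dataclass, field


@dataclass
class DiscoveryList:
    """Discovered endpoints with, per endpoint, the count of consecutive misses."""
    max_missed: int                              # Maximum Missed Discoveries
    misses: dict = field(default_factory=dict)   # endpoint -> consecutive misses

    def run(self, discovery_type: str, found: set) -> dict:
        """Apply one discovery run and return the summary fields the guide lists."""
        known = set(self.misses)
        new = found - known
        if discovery_type == "Full":
            # Full discovery: any previously discovered endpoint that is not
            # found this time is removed immediately.
            removed = known - found
            self.misses = {ep: 0 for ep in found}
        elif discovery_type == "Incremental":
            # Incremental discovery: one attempt per scan; a miss increments
            # the endpoint's counter, a hit resets it, and the endpoint is
            # removed once the counter reaches Maximum Missed Discoveries.
            removed = set()
            for ep in known:
                if ep in found:
                    self.misses[ep] = 0
                    continue
                self.misses[ep] += 1
                if self.misses[ep] >= self.max_missed:
                    removed.add(ep)
            for ep in removed:
                del self.misses[ep]
            for ep in new:
                self.misses[ep] = 0
        else:
            raise ValueError(f"unknown discovery type: {discovery_type!r}")
        return {
            "Discovery Type": discovery_type,
            "Total Endpoints Found": len(found),
            "New Endpoints Found": len(new),
            "Endpoints Removed": len(removed),
            "removed": sorted(removed),
        }


def replay(max_missed: int, runs) -> list:
    """Replay (discovery_type, found) pairs from an empty list; return each summary."""
    state = DiscoveryList(max_missed)
    return [state.run(kind, set(found)) for kind, found in runs]


# Constructed sample (endpoint names made up): laptop lt-03 is off the network
# for two incremental scans, comes back, then disappears with ws-02 for good.
SAMPLE_RUNS = [
    ("Full",        {"ws-01", "ws-02", "lt-03"}),
    ("Incremental", {"ws-01", "ws-02"}),                    # lt-03 missed once
    ("Incremental", {"ws-01", "ws-02", "ws-04"}),           # lt-03 twice; ws-04 new
    ("Incremental", {"ws-01", "ws-02", "ws-04", "lt-03"}),  # lt-03 back: reset
    ("Incremental", {"ws-01", "ws-04"}),                    # ws-02, lt-03 missed once
    ("Incremental", {"ws-01", "ws-04"}),                    # missed twice
    ("Incremental", {"ws-01", "ws-04"}),                    # third miss: removed
    ("Full",        {"ws-01"}),                             # ws-04 absent: removed now
]

if __name__ == "__main__":
    for summary in replay(3, SAMPLE_RUNS):
        print(summary)
```

With Maximum Missed Discoveries set to 3, a laptop that misses two consecutive incremental scans and then reconnects keeps its place, while three consecutive misses remove it; a Full discovery removes anything absent at once.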


Specify Endpoint Discovery Methods

The Endpoint Discovery must have Administrative access to properly find all
endpoints.

To select the Endpoint Discovery method

1. Click Configure, Environment.

The Navigation Pane expands to show configuration options for the
Management Server.

2. Click Endpoint Discovery.

The Endpoint Discovery pane opens and displays the results from the last
time the discovery process ran.

3. Click Configure.

The Configure Discovery window opens on the Schedule Discovery page.

4. In the Steps for Configuring Discovery, click Select Discovery Methods.

The Select Discovery Methods page opens.

5. In the Discovery Method pane, configure the following options:

Enable DNS Scan
Select this option to enable the DNS Scan discovery method. Using the
DNS method, the Management Console searches for endpoints based on
the domain names used.

Enable ICMP Sweep
Select this option to enable the ICMP Sweep discovery method. Using
the ICMP sweep method, the Management Console checks all possible
addresses in its known IP range for endpoints.

Enable TCP Sweep
Select this option to enable the TCP Sweep discovery method. Using the
TCP sweep method, the Management Console checks all possible
addresses using the TCP protocol to locate endpoints.

Enable Port Scanning
Select this option to enable the Port Scanning discovery method. Using
the Port Scanning method, the Management Console checks all possible
ports it can access for any endpoints.

Note: This option is only available if you enabled TCP Sweep.


6. In the OS Detection Methods pane, configure the following options:

Enable OS Detection by WMI
Select this option to enable OS detection using Windows Management
Instrumentation (WMI). WMI is installed on all Windows operating
systems from Windows 2000 onwards. You can also download WMI for
Windows 95 and 98.

Enable OS Detection WinRM
Select this option to enable OS detection using Windows Remote
Management (WinRM). WinRM is the Microsoft implementation of the
WS-Management Protocol, a standard Simple Object Access Protocol
(SOAP)-based, firewall-friendly protocol that allows hardware and
operating systems from different vendors to communicate.

Enable OS Detection by Active Fingerprinting
Select this option to enable OS detection by Active Fingerprinting.
TCP/IP stack fingerprinting is the passive collection of configuration
attributes drawn from a remote device during standard layer 4 network
communications. Active Fingerprinting checks this information to
determine the OS used by the system.

7. Click Save.

Your changes are saved and the Discovery Authentication Credentials page
appears.

Enter Authentication Credentials

The Endpoint Discovery must have Administrative access to properly find all
endpoints. Enter these credentials on the Discovery Authentication Credentials
page.

To enter the authentication credentials

1. Click Configure, Environment.

The Navigation Pane expands to show configuration options for the
Management Server.

2. Click Endpoint Discovery.

The Endpoint Discovery pane opens and displays the results from the last
time the discovery process ran.

3. Click Configure.

The Configure Discovery window opens on the Schedule Discovery page.


4. In the Steps for Configuring Discovery, click Discovery Authentication
Credentials.

The Configure Discovery window changes to the Discovery Authentication
Credentials page.

5. In the Basic Scan Authentication pane, enter a username with administrative
access to your network and the appropriate password.

You must enter a username and password or the Endpoint Discovery does
not function.

6. Click Save.

Your changes are saved.

7. Click Close to close the page.

Specify IP Range Exclusions

When running an Endpoint Discovery, you can exclude certain IP address ranges
using the IP Range Exclusion list. The Exclusion list lets you exempt a range of IP
addresses from the Endpoint Discovery. For example, if you know that the IP
addresses in a range are all assigned to printers or other devices that you do not
want to discover, you can exclude the IP address range.

To specify the IP range exclusion

1. Click Configure, Environment.

The Navigation Pane expands to show configuration options for the
Management Server.

2. Click Endpoint Discovery.

The Endpoint Discovery pane opens and displays the results from the last
time the discovery process ran.

3. Click Configure.

The Configure Discovery window opens on the Schedule Discovery page.

4. In the Steps for Configuring Discovery, click Specify IP Range Exclusions.

The Specify IP Range Exclusions page opens.

5. Enter an IP address in the IP address field in the Exclude Ranges pane and
click Add to add an address to the IP Range Exclusion list.

IP ranges can be entered using the following formats:

■ Explicit range support, such as 1.2.3.12-1.2.3.252
■ Trailing wild card support, such as: 1.2.3.* or 1.2.*.*


■ Explicit range support with fixed CIDR suffix for the starting and ending
IP address, for example: 1.2.3.12/24-1.2.3.252/24.
■ Explicit range support for full IPv6 addresses (not abbreviated) and use
of CIDR type prefix masking is also supported.

6. Click Clear to reset the IP address field. You can also modify or remove
addresses from the list.

■ To modify an IP address, click the IP address to change, enter the new
address in the IP address field, and click Modify. The new address
replaces the old address.
■ To remove an IP address from the list, select the address and click
Remove.

7. Click Save.

Your changes are saved.

8. Click Close to close the page.
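The entry formats accepted by the IP Range Exclusion list in step 5, as an added Python checker that is not CA Total Defense code: it validates each form the guide lists and tests whether a given address falls inside an excluded range, so an exclusion list can be reviewed before a discovery run. The handling of the CIDR-suffixed range form (both suffixes must match; the explicit start and end addresses bound the range) and the rejection of abbreviated IPv6 are my reading of the guide's wording, not documented product behaviour.

```python
"""Added example (not CA Total Defense code): parse the IP Range Exclusion entry
formats the guide lists and check whether an address lies in an excluded range.
"""
import ipaddress


def _full_ipv6_only(text: str) -> None:
    """The guide says abbreviated IPv6 is not supported: require all 8 groups."""
    groups = text.split(":")
    if len(groups) != 8 or any(g == "" for g in groups):
        raise ValueError(f"IPv6 address must be written in full: {text!r}")


def _addr(text: str):
    """Parse one address, rejecting abbreviated IPv6 forms."""
    if ":" in text:
        _full_ipv6_only(text)
    return ipaddress.ip_address(text)


def parse_exclusion(entry: str):
    """Return (first, last) for one exclusion entry, or raise ValueError.

    Accepted forms, from the Specify IP Range Exclusions step:
      1.2.3.12-1.2.3.252          explicit range
      1.2.3.* or 1.2.*.*          trailing wildcards
      1.2.3.12/24-1.2.3.252/24    explicit range with a fixed CIDR suffix
      2001:0db8:...:0001/64       full IPv6 address with optional CIDR prefix
    """
    entry = entry.strip()
    if "*" in entry:
        octets = entry.split(".")
        if len(octets) != 4:
            raise ValueError(f"wildcard form needs four octets: {entry!r}")
        lo, hi, wild = [], [], False
        for octet in octets:
            if octet == "*":
                wild = True
                lo.append("0")
                hi.append("255")
            elif wild:
                raise ValueError(f"only trailing wildcards are allowed: {entry!r}")
            elif octet.isdigit() and 0 <= int(octet) <= 255:
                lo.append(octet)
                hi.append(octet)
            else:
                raise ValueError(f"bad octet {octet!r} in {entry!r}")
        return ipaddress.ip_address(".".join(lo)), ipaddress.ip_address(".".join(hi))
    if "-" in entry:
        start, end = entry.split("-", 1)
        start_addr, _, start_pfx = start.partition("/")
        end_addr, _, end_pfx = end.partition("/")
        # Assumption: the "fixed CIDR suffix" must be identical on both ends,
        # and the explicit start and end addresses bound the excluded range.
        if start_pfx != end_pfx:
            raise ValueError(f"CIDR suffix must match on both ends: {entry!r}")
        first, last = _addr(start_addr), _addr(end_addr)
        if first.version != last.version or first > last:
            raise ValueError(f"start must not exceed end: {entry!r}")
        return first, last
    if "/" in entry:
        # Single address with a CIDR prefix mask: exclude the whole network.
        _addr(entry.partition("/")[0])
        net = ipaddress.ip_network(entry, strict=False)
        return net[0], net[-1]
    single = _addr(entry)
    return single, single


def is_valid_entry(entry: str) -> bool:
    """True if the entry is in one of the accepted formats."""
    try:
        parse_exclusion(entry)
    except ValueError:
        return False
    return True


def load_exclusions(entries):
    """Parse every entry; a bad entry raises instead of being silently skipped."""
    return [parse_exclusion(e) for e in entries]


def is_excluded(address: str, ranges) -> bool:
    """True if the address lies inside any parsed exclusion range."""
    addr = ipaddress.ip_address(address)
    return any(addr.version == first.version and first <= addr <= last
               for first, last in ranges)


if __name__ == "__main__":
    # Constructed sample exclusion list (a printer range and a lab subnet).
    rules = load_exclusions(["1.2.3.12-1.2.3.252", "10.0.*.*",
                             "2001:0db8:0000:0000:0000:0000:0000:0000/64"])
    for probe in ("1.2.3.100", "1.2.3.5", "10.0.77.1", "2001:db8::1"):
        print(probe, "excluded" if is_excluded(probe, rules) else "scanned")
```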

Specify Port Scanning Parameters

You can set the ports the Management Console uses for the discovery process by
configuring the port scanning parameters.

To specify the port scanning parameters

1. Click Configure, Environment.

The Navigation Pane expands to show configuration options for the
Management Server.

2. Click Endpoint Discovery.

The Endpoint Discovery pane opens and displays the results from the last
time the discovery process ran.

3. Click Configure.

The Configure Discovery window opens to the Schedule Discovery page.

4. In the Steps for Configuring Discovery, click Specify Port Scanning
Parameters.

The Configure Discovery window changes to the Specify Port Scanning
Parameters page.


5. In the Options pane, enable or disable the following options:

Use Configured Ports
The Management Console scans for endpoints using the Preferred Ports
that are defined after this option. You can use both configured ports and
open ports when scanning.

Scan for Open Ports
The Management Console scans for any open ports and uses those when
running the Endpoint Discovery. You can use both configured ports and
open ports when scanning.

Note: These options are only available if you enabled Port Scanning.

6. In the Options pane, set the following values:

Port Scan Delay
Enter the delay between each port scan. This delay allows other traffic to
use the port, if necessary. You should use a delay if you perform your
endpoint discovery during business hours to avoid network congestion.

Maximum Number of Ports to Scan
Enter the maximum number of ports the Management Console is allowed
to scan. Limiting the number of ports can improve the performance of
endpoint discovery.

7. Use the Preferred Ports pane to add or delete preferred ports used when you
enable Port Scanning and Use Configured Ports.

These preferred ports are the first ports the Management Console uses when
attempting to locate endpoints through Port Scanning.

■ To add a port, enter the port number in the Add Port to Preferred List
field and click Add. You can have a maximum of 10 preferred ports.
■ To remove a port, select the port in the List of Preferred Ports to Scan
table and click Remove. The port is removed from the list.

8. Click Save.

Your changes are saved. Click Close to close the page, or go back and make
any additional changes using the Back button.


Specify Advanced Parameters

Set the Advanced parameters to determine the timeouts and number of retries
allowed for the various Endpoint Discovery methods. You can also specify the
maximum number of packets or threads used when the Management Console
runs the Endpoint Discovery.

To specify advanced parameters

1. Click Configure, Environment.


The Navigation Pane expands to show configuration options for the
Management Server.
2. Click Endpoint Discovery.
The Endpoint Discovery pane opens and displays the results from the last
time the discovery process ran.

3. Click Configure.
The Configure Discovery window opens on the Schedule Discovery page.

4. In the Steps for Configuring Discovery, click Specify Advanced Parameters.


The Specify Advanced Parameters page opens.

5. In the Timeouts and Retries pane, configure the time the Management
Console waits before it declares an address is invalid due to timeout, and the
number of retries the Management Console attempts before declaring an
address as invalid. Set the following values:

DNS Lookup Timeout


Set the timeout value for the DNS lookup. If the Management Console
does not receive a reply within the specified limit, it does not find an
endpoint and moves to the next IP address attempt.

ICMP Sweep Timeout


Set the timeout value for the ICMP sweep. If the Management Console
does not receive a reply within the specified limit, it does not find an
endpoint and moves to the next IP address attempt.

ICMP Sweep Number of Retries


Enter the number of attempts allowed before the Management Console
moves to the next valid IP address.


TCP Sweep Timeout


Set the timeout value for the TCP Sweep. If the Management Console
does not receive a reply within the specified limit, it does not find an
endpoint and moves to the next IP address attempt.
TCP Sweep Number of Retries

Enter the number of attempts allowed before the Management Console
moves to the next valid IP address.

6. In the Active Fingerprinting pane, configure the following options:

Active Fingerprinting OS Detection Timeout


Set the timeout value for the Active Fingerprinting OS Detection. If the
Management Console does not receive a reply within the specified limit,
it cannot determine the endpoint's operating system and moves to the
next endpoint.

Active Fingerprinting Number of Retries


Enter the number of attempts allowed before the Management Console
moves to the next valid endpoint.

7. In the Other pane, set the following values:


Maximum ICMP/TCP Packet Rate

Enter the maximum packet rate for the Management Console. The
Management Console does not exceed this maximum. Entering a higher
value lets the Management Console complete the scan at a faster rate,
but hinders overall network performance.

Maximum Number of Scanning Threads


Enter the maximum number of scanning threads you want the
Management Console to use. A high value speeds the scanning attempt,
but hinders network performance.
8. Click Save.
Your changes are saved.

9. Click Close to close the page.
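The port scanning parameters (scan delay, maximum ports) and the advanced parameters (timeouts, retries, packet rate, threads) above all act on the same run, and it is easy to raise one cap without noticing that another still limits the scan. The following Python model, added here as an example and not CA's own scheduling logic, turns those settings into a worst-case estimate (no address answers, so every probe times out and is retried) of the probe packets sent and the run time, and reports which cap is the binding one. All field and function names are labels invented for this example.

```python
from dataclasses import dataclass

# Constructed planning model, not the product's algorithm. It assumes one ICMP
# probe per address, one TCP probe per preferred port, a DNS lookup per
# address, and that retries simply repeat the probe after its timeout.


@dataclass(frozen=True)
class DiscoverySettings:
    icmp_timeout_s: float       # ICMP Sweep Timeout
    icmp_retries: int           # ICMP Sweep Number of Retries
    tcp_timeout_s: float        # TCP Sweep Timeout
    tcp_retries: int            # TCP Sweep Number of Retries
    dns_timeout_s: float        # DNS Lookup Timeout
    port_scan_delay_s: float    # Port Scan Delay between port probes
    max_ports_to_scan: int      # Maximum Number of Ports to Scan
    max_packet_rate: int        # Maximum ICMP/TCP Packet Rate, packets/s
    max_threads: int            # Maximum Number of Scanning Threads


@dataclass(frozen=True)
class DiscoveryEstimate:
    packets: int                # probe packets sent in the worst case
    thread_bound_s: float       # run time if only the thread cap limits it
    rate_bound_s: float         # run time if only the packet-rate cap limits it

    @property
    def duration_s(self) -> float:
        return max(self.thread_bound_s, self.rate_bound_s)

    @property
    def binding_limit(self) -> str:
        return "packet_rate" if self.rate_bound_s > self.thread_bound_s else "threads"


def estimate_discovery(settings: DiscoverySettings, address_count: int,
                       preferred_ports: int) -> DiscoveryEstimate:
    """Worst-case packet count and run time for one discovery run."""
    if address_count < 0 or preferred_ports < 0:
        raise ValueError("counts must be non-negative")
    if settings.max_threads < 1 or settings.max_packet_rate < 1:
        raise ValueError("thread and packet-rate caps must be at least 1")
    # Maximum Number of Ports to Scan caps how many preferred ports are tried.
    ports = min(preferred_ports, settings.max_ports_to_scan)
    icmp_probes = 1 + settings.icmp_retries
    tcp_probes_per_port = 1 + settings.tcp_retries
    packets_per_address = icmp_probes + ports * tcp_probes_per_port
    # Wall-clock wait for one address when a single thread handles it.
    wait_per_address = (
        settings.dns_timeout_s
        + icmp_probes * settings.icmp_timeout_s
        + ports * (tcp_probes_per_port * settings.tcp_timeout_s
                   + settings.port_scan_delay_s)
    )
    packets = address_count * packets_per_address
    thread_bound = address_count * wait_per_address / settings.max_threads
    rate_bound = packets / settings.max_packet_rate
    return DiscoveryEstimate(packets, thread_bound, rate_bound)
```

With the sample settings used in the test below (256 addresses, three preferred ports, 32 threads, 100 packets per second) the thread cap is the binding limit; lowering the packet rate to 10 per second makes the rate cap binding instead, which is the trade-off the "hinders overall network performance" notes above describe.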


Specify Endpoint Discovery Logging Options

Specify the logging options to ensure that the Endpoint Discovery records all
transactions that are of interest to you.

To specify the logging options for the Endpoint Discovery

Note: At any point, click Save to save the changes you have made. Click Back or
Next to save changes and move to a different page. To restore the settings to the
previously-saved state, click Restore Previous Settings. You can also jump to a
specific page by clicking the page link in the Steps for Configuring Discovery
pane.
1. Click Configure, Environment.
The Navigation Pane expands to show configuration options for the
Management Server.

2. Click Endpoint Discovery.


The Endpoint Discovery pane opens and displays the results from the last
time the discovery process ran.

3. Click Configure.
The Configure Discovery window opens to the Schedule Discovery page.

4. In the Steps for Configuring Discovery, click Specify Discovery Logging.


The Configure Discovery window changes to the Specify Discovery Logging
page.

5. In the Options pane, set the Log Level to one of the following values:
Critical
This option logs only critical events that cause the Endpoint Discovery
process to terminate unexpectedly.
Error
This option logs only critical events and other errors. Warning and
informational messages are not logged.

Warning
This option logs all warnings, errors, and critical events. Only
informational events are not logged.


Informational
This option logs all events. Selecting this option can result in your log
reaching its size limit very quickly.

Debug
This setting records the maximum amount of information, but should not
be used unless you are instructed to by CA support personnel. Using this
option greatly increases the amount of information logged, and quickly
causes your log to reach its maximum size.

6. Enter a value for the Maximum Log Size field.

When the log exceeds this size, the Management Console either overwrites
or rotates the log, depending on the next option you set.

7. Specify one of the following options in the Action When Maximum Log Size is
Reached section:
Overwrite

The log overwrites the oldest data when the log reaches its size limit.

Rotate

The log rotates out and creates a new log when the log reaches its size
limit.

8. Click Save.
Your changes are saved.
9. Click Close to close the page, or click Back to return and make any additional
changes.

Management Server Proxy


This topic contains procedures related to Management Server Proxies.

Manage Proxy Servers

In a Distributed Installation there is a single Master Management Server and one
or more Management Proxy Servers. Proxies allow you to balance the load of
managing endpoints among multiple machines. Using the Phone Home policy
you can configure endpoints to contact a proxy rather than contacting the Master
Management Server. You can manage and configure proxy servers using the
Management Proxy Servers page.


To view the Management Proxy Servers page, click Environment, Management
Proxy Servers.

The Management Proxy Servers page opens, displaying the name and status of
each proxy with the following information:

Endpoints Managed

The total number of managed endpoints that contact this proxy.

Proxy Created at

The date and time the proxy server was created.

CPU

The percentage of CPU in use on the proxy server across all applications.
This is the same percentage you would see in Windows Task Manager on the
server.

Disk

The percentage of total disk space in use on the proxy server.

Click the arrow to expand the information. The page displays the following
additional information for that proxy:

Last Endpoint Synchronization

The time the last endpoint synchronization attempt occurred.

Average Network Utilization

The average number of packets used during synchronization.

Synchronization Interval

How often the proxy attempts to synchronize with the Management Server.

Total Proxy Synchronizations

The total number of synchronization attempts made by this proxy.

Last Proxy Synchronized

When the proxy server last synchronized with the primary management
server.


The Management Proxy Servers page also provides the following features:
Add

Opens the Add Installed Proxy page where you can manually add a proxy
server. You should only have to add a proxy manually if the proxy cannot
automatically communicate with the Master Management Server. A proxy
may not be able to communicate if the proxy is located in a DMZ or another
location with limited network access.

Configure

Opens the Configure Proxy Settings page for the selected proxy.

Disable

Disables the selected proxy server. If a proxy server is disabled, endpoints
can no longer communicate with it. An endpoint will not attempt to
communicate with another proxy server unless the endpoint's Phone Home
policy lists another proxy.

Enable

Enables the selected proxy server.

Remove
Removes the selected proxy server. The proxy is completely removed from
the proxy database and that server can no longer act as a proxy. Do not
remove a proxy unless the proxy software has been uninstalled from the
machine or the machine has been permanently removed from your network.

Activate

Activates the selected inactive proxy server. If a new proxy server can
communicate with the Master Management Server, the proxy is
automatically added to the proxy list. However, if the proxy is inactive you
must activate the proxy. If you add a proxy server using the Add button, you
do not need to activate the proxy.

To narrow down the number of proxy servers displayed at one time, select one
of the following statuses from the View by Status drop-down list:

Show All
Displays all proxy servers.

Active
Displays only currently active proxy servers.

Inactive

Displays only currently inactive proxy servers.


Out of Date
Displays all proxy servers that are not currently synchronized with the
management server.

Enabled
Displays only currently enabled proxy servers.

Disabled
Displays only currently disabled proxy servers.

To find a proxy, enter the exact name of the proxy in the Find field and click Go.
The Management Console highlights the proxy whose name you entered. The
server reports an error if it cannot find the proxy by name.

Add Management Proxy Servers

There are two methods you can use when adding a management proxy server.
Under most circumstances, you can simply install the proxy server and the
server shows up in the Management Proxy Server list. In this case, you simply
need to activate the server to finish the installation and start using the proxy.
Activation requires user interaction to prevent someone from infiltrating your
network by gaining your security certificate and masquerading as a proxy.

If your proxy is in a DMZ or an isolated environment, you may have to add the
proxy server manually. In this case, you must add the proxy and provide the
correct security certificate.

To activate a proxy server

1. Click Environment, Management Proxy Servers.

The Management Proxy Servers page opens.


2. Select the server to activate and click Activate.
The proxy server becomes active.

To add a proxy server manually

1. Install the proxy server.

2. Ensure that a copy of the security certificate is accessible from the computer
you use to view the Management Console.

3. Click Environment, Management Proxy Servers.

The Management Proxy Servers page opens.

4. Click Add.

The Add Installed Proxy page opens.

5. Enter a name for the server in the Server Name field. This name must exactly
match the server name on the certificate.

Note: If you plan to use the default port of 44346, you only need to enter the
server name. If you are not using the default port, you must enter the server
name and port as:

Servername:port

For example, to use port 33433 on the Example server, you would enter
Example:33433.

6. Click Upload Certificate, and locate the security certificate for the proxy.
Once you have located the certificate, click Open to upload the certificate.

Note: The default location for the certificate on the proxy is C:\Program
Files\CA\TotalDefense\ManagementServer\WebServices\CertFile. You can
copy this file to the machine on which you view the Management Console, or
map a drive to the proxy so you can select the certificate directly.

7. Select a value for the Time Interval for Endpoint Synchronization, the time
the Management Console waits until attempting to synchronize with the
endpoints.

8. Click Add.

The server is added to the proxy server list.

Click Discard to remove any changes you made while staying on this page.
Click Cancel to return to the Management Proxy Server page without adding
a proxy.


Configure Management Proxy Servers

You can configure the time interval a proxy server waits before polling the
associated endpoints. You can also specify the proxy server database
configuration options, such as the database access criteria, and whether the
proxy server accesses an Active Directory Server for the proxy's directory
information.

When selecting an Active Directory Server, you should select a server that has
the shortest path to the proxy for network optimization purposes.

To configure a proxy server

1. Click Environment, Management Proxy Servers.


The Management Proxy Servers page opens.

2. Select the server to configure and click Configure.


The Configure Proxy Settings page opens.

3. In the Time Interval for Endpoint Synchronization, specify the interval
between synchronizations with the Master Management Server.

4. In the Proxy Server Database Configuration pane, enter the following
information:

Server Name

The name of the server where the proxy software resides.

If you plan to use the default port of 44346, you only need to enter the
server name.

If you are not using the default port, you must enter the server name
and port as:

Servername:port

For example, to use port 33433 on the Example server, you would enter
Example:33433.

Database Instance

The name of the database instance on the server used by the proxy.

User Name
The user name associated with the database. The user you assign must
have administrative access to the Microsoft SQL Server database the
proxy server uses.

Password

The password associated with the user name.


5. In the Configure Preferred Active Directory Server, select the Active
Directory Server you want your proxy to use for its directory information. If
you have multiple machines with Active Directory Servers, use the Change
Server drop-down to select a different machine. When selecting an Active
Directory Server, you should select a server that has the shortest path to the
proxy for network optimization purposes.

6. Click Apply.
The proxy's configuration is updated.
Click Discard to remove any changes you made, but stay on this page. Click
Cancel to stop the process and return to the Management Proxy Server page.

Active Directory
This section contains procedures related to Active Directory.

Using Active Directory Servers

You can configure the Management Server to use your organization's existing
Active Directory implementation.

To view Active Directory servers, click Configure, then click Environment, and
Directory Services.

The Active Directory Configuration page displays the available Active Directory
servers and lists the following information about each available directory:

Server Name
The name of the Active Directory server.

Server Port
The port used to contact the Active Directory server.

Active Directory Tree Name

The names of the Active Directory trees in use.

Authentication

The type of authentication used when communicating with this Active
Directory server.

Use SSL
Whether the Active Directory server uses the Secure Sockets Layer protocol.

User Name
Lists the user name used to connect to the Active Directory server. This user
name must have the Schema Administrator privilege on the Active Directory
server.

On this page, the available buttons are:

Add

Click this button to add a new Active Directory server.


Edit

Select an Active Directory server and click this button to edit this server.

Delete
Select an Active Directory server and click this button to delete this server.

Show/Hide Alternate Servers


Click this button to open the pane displaying the alternate Active Directory
server list.

Add Active Directory Servers

You can add a new Active Directory server, as necessary. You must have the
access information for that server, including the user name and password used
to connect with that server.

The following conditions apply when using Active Directory on Windows 2000:
■ The password policy must specify reversible encryption for the Domain. If
this setting is changed, the user that is being used to connect must also
change his or her password after the password policy has changed for the
setting to take effect.
■ Use the fully qualified Domain name of the Active Directory server. For
example,
Use: adserver.travis.ourcompany.com

Do not use: adserver


■ Use Domain information when specifying the user. For example,
Use: travis\jdoe

Do not use: jdoe


■ Subauthentication must be enabled (the default setting).
■ Do not specify a Domain Administrator.


The following conditions apply when using Active Directory on Windows 2003
and later:
■ Use the fully qualified Domain name of the Active Directory server. For
example,
Use: adserver.travis.ourcompany.com

Do not use: adserver


■ Use Domain information when specifying the user. For example,
Use: travis\jdoe

Do not use: jdoe


■ The user name is case sensitive and must match the name in the Active
Directory database. The name of the Domain is not case sensitive.
■ Do not specify a Domain Administrator.

To add a new Active Directory server


1. Click Configure, Environment.

The Navigation Pane expands to show configuration options for the
Management Server.

2. Click Directory Services.

The Active Directory Configuration page opens, populated with the available
Active Directory servers.

3. Click Add.

The Add a New Active Directory Server page opens.

4. Enter the name of the Active Directory server in the Server Name field.

The contents of the Server Port field, indicating the port used to contact this
server, and the Active Directory Tree Name field, indicating the Active
Directory tree name used by this server, are determined automatically.

5. Select one of the Authentication Method options to specify whether to use an
anonymous connection or a secure one:

■ Anonymous Connection: No credentials are needed or used when
contacting this Active Directory server.

■ Secured Connection: The Management Console uses the user name and
password you provide when connecting to the Active Directory server.
You can also enable SSL protocol.

6. Enable the Use SSL option to use the Secure Sockets Layer protocol.

This option is only enabled if you select Secured Connection for the
Authentication Method.


7. Enter the user name and password used to access the Active Directory
server in the appropriate fields.

This option is only enabled if you select Secured Connection for the
Authentication Method.
8. Click Save to save your changes.

The new Active Directory server is added to the list.
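The conditions listed above (fully qualified server name, domain-qualified user name, case-sensitive user name, no Domain Administrator, and Use SSL only with a Secured Connection) are easy to get wrong in the form, and the error only appears when the connection is attempted. The following Python pre-flight check, added here as an example and not CA's own validation, applies those rules to the values before they are entered. The form class, the constant names and the "Administrator" heuristic are choices made for this example; whether the user name's case matches the directory, and whether the account has Schema Administrator privilege, can only be verified against the directory itself.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed check for the Add a New Active Directory Server form. Names
# below are invented for this example and are not product identifiers.
ANONYMOUS = "Anonymous Connection"
SECURED = "Secured Connection"

# One DNS label: letters, digits and inner hyphens.
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


@dataclass(frozen=True)
class AdServerForm:
    server_name: str
    authentication_method: str   # ANONYMOUS or SECURED
    use_ssl: bool = False
    user_name: str = ""
    password: str = ""


def is_fqdn(name: str) -> bool:
    """True for adserver.travis.ourcompany.com, False for a bare host name."""
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def check_ad_server_form(form: AdServerForm) -> List[str]:
    """Return a list of findings; an empty list means the values pass."""
    findings: List[str] = []
    if not is_fqdn(form.server_name):
        findings.append(
            f"server name {form.server_name!r} is not fully qualified "
            "(use adserver.travis.ourcompany.com, not adserver)")
    if form.authentication_method not in (ANONYMOUS, SECURED):
        findings.append(f"unknown authentication method "
                        f"{form.authentication_method!r}")
        return findings
    if form.authentication_method == ANONYMOUS:
        if form.use_ssl:
            findings.append("Use SSL is only available with Secured Connection")
        if form.user_name or form.password:
            findings.append("credentials are not used for an anonymous connection")
        return findings
    # Secured Connection: the user must carry domain information.
    domain, sep, user = form.user_name.partition("\\")
    if not sep or not domain or not user:
        findings.append(
            f"user name {form.user_name!r} must include the domain, as in travis\\jdoe")
    elif user.lower() == "administrator":
        # Heuristic: catches the built-in account name only; a renamed
        # administrator account cannot be recognised offline.
        findings.append("do not specify a Domain Administrator account")
    if form.user_name != form.user_name.strip():
        findings.append("user name has leading or trailing whitespace; the user "
                        "part is matched case sensitively against the directory")
    if not form.password:
        findings.append("a password is required for a secured connection")
    if not form.use_ssl:
        findings.append("info: Use SSL is not enabled for this secured connection")
    return findings
```

Because the user part of the name is matched case sensitively while the domain part is not, the check leaves both untouched rather than normalising case; the form value should be typed exactly as it appears in the directory.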

Manage Active Directory Servers

You can edit or delete Active Directory servers from the Active Directory
Configuration page. You can also show or hide the Alternate Active Directory
Server pane.

To edit an Active Directory server

1. Click Configure, Environment.


The Navigation Pane expands to show configuration options for the
Management Server.
2. Click Directory Services.
The Active Directory Configuration page opens, populated with the available
Active Directory servers.

3. Select the Active Directory server to edit and click Edit.


The Edit Active Directory Server page opens. This page is the same as the
Add Active Directory Server page.

4. Edit the server information as needed.


5. Click OK to save your changes.

To delete an Active Directory server

1. Click Configure, Environment.

The Navigation Pane expands to show configuration options for the
Management Server.
2. Click Directory Services.
The Active Directory Configuration page opens, populated with the available
Active Directory servers.

3. Select the Active Directory server to delete and click Delete.


You are prompted to confirm the deletion.

4. Click Yes to confirm the deletion.


The Active Directory server is deleted.


To show or hide the alternative Active Directory server pane


1. Click Configure, Environment.

The Navigation Pane expands to show configuration options for the
Management Server.

2. Click Directory Services.

The Active Directory Configuration page opens, populated with the available
Active Directory servers.
3. Click Show/Hide Alternate Servers.

The alternate Active Directory Server pane is hidden or shown.

Server Databases
The CA Total Defense product includes multiple databases. The Management
Server and Endpoint Discovery feature share a common database. The Events
Server uses a different database.

From the Management Server page, you can modify the connection string for the
Management Server and Endpoint Discovery if you need to relocate a database
after installation. You can use the Event Server Database, Connections page to
modify the connection string for the Event Server.

You must periodically perform maintenance on the Event Server database. Use
the options found under Event Server, Maintenance to schedule maintenance on
a regular basis or to perform immediate maintenance. Additionally, you can
review the maintenance history for the Event Server database.

The Event Server database includes archive options that allow you to save
events. Use these options to specify when and under what condition the Events
database is archived. You can also view the archive history and the archived
databases.


Configure Management Server Databases

The Management Server page lets you configure the Management server
settings and specify the Discovery server access information. You can also set
the Topology and Certificate Distribution password from this page.

To configure the Management Server database

1. Click Configure, Environment.


The Navigation Pane expands to show configuration options for the
Management Server.

2. Expand Server Databases.


3. Click Management Server.

The Management Server page opens, displaying the various configurations
for the differing servers.

4. Enter the following information:


Server Name

Enter the name used by the Management server.


Database Instance

Enter the database instance name used by the Management server.

User Name
Enter the user name used to access the Management server's database.

Password
Enter the password associated with that user name.
5. Click Apply.

Your changes are saved and applied.

To configure the Discovery Database access information

1. Click Configure, Environment.


The Navigation Pane expands to show configuration options for the
Management Server.

2. Expand Server Databases.

3. Click Management Server.


The Management Server page opens, displaying the various configurations
for the differing servers.

Note: Do not include curly braces, { or }, in the Login name field, as they are
not supported.


4. Enter the user name and password to use to access the Discovery database.
5. Click Apply.

Your changes are saved and applied.

To specify the Topology and Certificate Distribution password

1. Click Configure, Environment.


The Navigation Pane expands to show configuration options for the
Management Server.

2. Expand Server Databases.


3. Click Management Server.
The Management Server page opens, displaying the various configurations
for the differing servers.

4. In the Topology and Certificate Distribution Password field, enter the
necessary password.

5. Click Apply.

Your changes are saved and applied.

To discard any changes you make to the fields on this page, click the appropriate
Discard button.

Event Server

Events collected by the Management Console are stored in the Event Database.
This database is stored on a server. This server may be part of the Management
Console, or may be a separate machine depending on your setup. When
managing the Event server, you can configure the Database options, perform
maintenance on the server, and view the archive settings and history for the
Event server.


Set Database Storage Connection

The Storage Connection page lets you specify the Microsoft SQL Server,
authentication information, and instance name for the Event Server. You can
also specify the user name and password credentials.

To set the storage configuration options

1. Click Configure, Environment.


The Navigation Pane expands to show configuration options for the
Management Server.

2. Expand Server Databases.


3. Click Event Server.

The Event Server option expands, displaying the various subsections you
can select.

4. Click Database.
The Database option expands, letting you select Connection or Preferences.

5. Click Connection.
The Storage Connection page opens, displaying the configuration for the
connection.

6. Enter the following information:


Server

Enter the name used by the server.


User Name
Enter the user name used to access the server.

Password
Enter the password associated with that user name.
Instance

Enter the database instance name used by the server.


7. Click Apply.
Your changes are saved and applied.

To test the connection to the Storage database, click Test Connection.


Set Storage Preferences

The Storage Preference page lets you specify how much detail for each event is
saved. The more information saved, the more space is required for the event
database.

To set the storage preference

1. Click Configure, Environment.


The Navigation Pane expands to show configuration options for the
Management Server.

2. Expand Server Databases.


3. Click Event Server.

The Event Server option expands, displaying the various subsections you
can select.

4. Click Database.
The Database option expands, letting you select Connection or Preferences.

5. Click Preferences.
The Storage Preference page opens, displaying the storage option.

6. Using the Storage Type drop-down menu, select one of the following
options:
Normal (Light)

Select this option to store only the minimal number of event fields. This
option should suffice for most reporting and event viewing needs.
Comprehensive (Full)

Select this option to capture all event information generated by the
Management Console. This option requires more storage space, but
provides more detailed information.
7. Click Apply.

Your changes are saved and applied.


Maintain the Event Server

You must maintain the Event Server to ensure that it does not run out of room to
store incoming events. The Run Now page lets you perform immediate
maintenance on your Event database if, for example, your database has
exceeded its size limitations.

To perform immediate maintenance

1. Click Configure, Environment.


The Navigation Pane expands to show configuration options for the
Management Server.
2. Expand Server Databases.
3. Click Event Server.

The Event Server option expands, displaying the various subsections you
can select.

4. Click Maintenance.

The Maintenance option expands, providing the Run Now, Schedule, or
History features.

5. Click Run Now.

The Run Now page opens, displaying the maintenance options.

6. Select one of the following options to specify the records to remove:

Delete All Database records

Select this option to delete all records stored in the database.

Delete records older than

Select this option and enter a number of days to delete any records older
than the specified number of days.

7. (Optional) Limit the time the record purge operation runs by selecting Limit
Run Time and specifying the maximum length of time, in hours and minutes,
you want the purge to run.

8. Click Go.
You are prompted to confirm the deletion.

9. Click Yes.
The selected records are deleted, clearing storage space for new events.


Schedule Event Server Maintenance

The Scheduled Maintenance page lets you specify when routine maintenance
occurs on the Event database. You can also specify the parameters for the
routine maintenance.

You must maintain the Event Server to ensure the server does not run out of
room to store incoming events. By performing scheduled maintenance, you
lower the risk of needing to perform immediate maintenance of the database.

To schedule maintenance

1. Click Configure, Environment.


The Navigation Pane expands to show configuration options for the
Management Server.

2. Expand Server Databases.


3. Click Event Server.
The Event Server option expands, displaying the various subsections you
can select.

4. Click Maintenance.
The Maintenance option expands, providing the Run Now, Schedule, or
History features.

5. Click Schedule.
The Schedule Maintenance page opens, displaying the scheduling options.

6. Enable Scheduled Maintenance.


You must enable this option to run scheduled maintenance.

7. Select one of the following options to specify the records to remove:


Delete All Database records
Select this option to delete all records stored in the database.

Delete records older than


Select this option and enter a number of days to delete any records older
than the specified number of days.

8. (Optional) Limit the time the record purge operation runs by selecting Limit
Run Time and specifying the maximum length of time, in hours and minutes,
you want the purge to run.


9. Select one of the options in the Scheduler pane to specify when the
maintenance occurs:

One time only


Perform the maintenance only once at the time you specify. You must
provide the time zone, start time, and date for this maintenance.

Daily
Perform daily maintenance at the time you specify. You must provide the
time zone, start time, and date for this maintenance, and specify
whether the task is performed every day, only on weekdays, or at a
specified interval.

Weekly
Perform weekly maintenance. You must provide the time zone and start
time for this maintenance, specify how often the maintenance is
performed, and identify the days of the week on which to perform the
maintenance.
Monthly

Perform monthly maintenance. You must provide the time zone and start
time for this maintenance. You must also specify when the maintenance
occurs, either by giving a specific date each month or, for a more flexible
option, by giving a day each month, such as the first Monday of every
month, on which the maintenance is performed. You can also specify the
months in which maintenance is performed.
10. Click Apply.

Your changes are saved and the maintenance is scheduled.

If you no longer want to perform scheduled maintenance, open the Schedule
Maintenance page, clear Enable Scheduled Maintenance, and click Apply.


View Event Server History

The Maintenance History page lets you view when maintenance was performed
on the Event database. You can also clear history, if necessary.

To view the Maintenance history

1. Click Configure, Environment.


The Navigation Pane expands to show configuration options for the
Management Server.

2. Expand Server Databases.


3. Click Event Server.
The Event Server option expands, displaying the various subsections you
can select.

4. Click Maintenance.
The Maintenance option expands, providing the Run Now, Schedule, and
History features.

5. Click History.
The Maintenance History page opens, displaying the maintenance history.

The Maintenance History page displays the following information:

Initiated By
The user who initiated that maintenance run.

Type

The type of maintenance performed.

Description

A brief description of the maintenance.

Start Time

The time the maintenance was started.

End Time
The time the maintenance ended.

Status
The status of the maintenance attempt.

Records Deleted

The total number of records purged.


Details
Additional information about the maintenance.


You can also clear the history from this page.

To clear the Maintenance history

1. Click Configure, Environment.


The Navigation Pane expands to show configuration options for the
Management Server.

2. Expand Server Databases.


3. Click Event Server.

The Event Server option expands, displaying the various subsections you
can select.

4. Click Maintenance.

The Maintenance option expands, providing the Run Now, Schedule, and
History features.

5. Click History.
The Maintenance History page opens, displaying the maintenance history.

6. Click Clear History.


You are prompted to confirm this action.

7. Click Yes.
The history is cleared.

Archive the Event Server

The Archiving page lets you specify when, and under what conditions, the event
database is archived.

Archiving the event database lets you save space on the event server without
deleting past events. The archives still take up space, but not as much as the full
records.

To schedule when archiving of the event database occurs

1. Click Configure, Environment.


The Navigation Pane expands to show configuration options for the
Management Server.
2. Expand Server Databases.
3. Click Event Server.

The Event Server option expands, displaying the various subsections you
can select.


4. Click Archiving.
The Archiving option expands, providing the Archiving, History, and
Databases options.

5. Select the Archiving item.


The Archiving page opens, displaying the conditional and scheduling options.

6. Enable the Conditional option to archive the event database when the
database exceeds a specified size limit.

If you enable this option, you must specify the size limitation.

7. Enable the Scheduled option to specify when to run the archiving operation.
You must enable this option to set a schedule for archiving.

8. Select one of the following options to specify when the archiving occurs:

One time only


Perform archiving only once at the time you specify. You must provide
the time zone, start time, and date for this archiving.

Daily
Perform daily archiving at the time you specify. You must provide the
time zone, start time, and date for this archiving, and specify if the task
is performed every day, only on weekdays, or at specified intervals.

Weekly
Perform weekly archiving. You must provide the time zone and start time
for this archiving, specify how often the archiving is performed, and
identify the days of the week on which to perform the archiving.

Monthly
Perform monthly archiving. You must provide the time zone and start
time for this archiving. You must also specify when this archiving occurs
by either specifying a specific date each month or, for a more flexible
option, specifying a particular day, such as the first Monday of each
month, on which the archiving occurs. You can also specify the months
during which archiving is performed.
9. Click Apply.
Your changes are saved and the archiving is scheduled.

If you no longer want to perform scheduled archiving, open the Archiving page,
disable the Conditional and Scheduled options, and click Apply.


View Archive History

The Archiving History page lets you view when archiving was performed on the
Event database. You can also clear the history, if necessary.

To view the Archiving history

1. Click Configure, Environment.


The Navigation Pane expands to show configuration options for the
Management Server.

2. Expand Server Databases.


3. Click Event Server.
The Event Server option expands, displaying the various subsections you
can select.

4. Click Archiving.
The Archiving option expands, providing the Archiving, History, and
Databases features.

5. Click History.
The Archiving History page opens, displaying the archiving history.

The Archiving History page displays the following information:

Initiated By
The user who initiated that archiving run.

Type

The type of archiving performed.

Created on

The date on which the data stored in the archive was first created.

Archived on

The time the archive was started.

Database
The name of the database that was archived.

Details
Additional information about the archiving that occurred.


You can also clear the history from this page.

To clear the archiving history

1. Click Configure, Environment.


The Navigation Pane expands to show configuration options for the
Management Server.

2. Expand Server Databases.


3. Click Event Server.

The Event Server option expands, displaying the various subsections you
can select.

4. Click Archiving.

The Archiving option expands, providing the Archiving, History, and


Databases features.

5. Click History.
The Archiving History page opens, displaying the archiving history.

6. Click Clear History.


You are prompted to confirm this action.

7. Click Yes.
The history is cleared.

View Archived Databases

The Archived Databases page displays the archived copies of the event database
that were created and lists when the archive was created, when it was last
updated, and which database was archived.

To view the archived databases

1. Click Configure, Environment.

The Navigation Pane expands to show configuration options for the


Management Server.
2. Expand Server Databases.

3. Click Event Server.


The Event Server option expands, displaying the various subsections you
can select.


4. Click Archiving.
The Archiving option expands, providing the Archiving, History, and
Databases features.

5. Click Databases.
The Archived Databases page opens, displaying the archived databases.

The Archived Databases page displays the following information:

Created on

The date on which the information in the archive was first created.
Archived on
The date on which the archive was created.

Database
The name of the database archived.

User Roles
This section contains procedures related to User Roles.

Manage User Roles

User Roles lets you specify which users have which privileges or permissions in
the Total Defense product. You manage user roles using the User Roles page.
The User Roles page lists the users and the roles they have been assigned. Each
role grants a specific set of permissions to that user.

When adding users, you can add them individually or add a user group defined
on a domain. Every user in a user group inherits the roles of the group and
appears in the user list with the inherited roles included.

Note: The Administrator or User Manager can modify the role assignments for
any user. However, these users cannot remove their own ability to manage
roles.

To view the user roles, in the Navigation Pane, click User Roles under Configure.


The User Roles page displays the assigned user roles, and displays the following
information:

Name
Lists the user accounts and user groups. Expand a user group to show all
users within that group.

Domain
Lists the domain of the user account.

Global Roles

Lists the global roles assigned to the specific user.


Partition Assignments
Lists the partition specific roles assigned to the selected user. The partition
roles displayed are either assigned to the user directly or inherited from a
user group or global role.

Additionally, if you move your mouse over one of the User Role icons, a pop-up
lists the domain and user name of the user, the role, whether the role is
assigned directly to the user, and whether the role is inherited from a group.

The User Roles page includes the following buttons:

Add
Allows you to add new users who do not have assigned roles.
Remove All Roles From User

Removes all roles from the selected user.

Details

Displays detailed user role information for the selected user.

Legend
Displays the User Roles legend, indicating which icon matches which user
role.

The User Roles page lets you filter the view using the following drop-down
menus:
View By Roles

Displays only users that are assigned to the selected role.


Partition
In the case of partition-specific roles, displays only users assigned to the role
in the selected partition.


To filter the list of user roles


1. Expand the filter by clicking the double arrow icon.

2. Use one or both of the following options:


User Name
Displays only users that match the specified name. You can also enter
only part of the name to find all the users matching the string you enter.

Domain
Displays only those users from the specified domain. You can also enter
only part of the name to find all the users with a domain matching the
string you enter.
As you enter characters into either of the filter fields, the display
immediately shows the users that match the characters you entered. For
example, if you enter "a" in User Name, then only users with "a" in their
name are shown. If you enter "ab," only users with "ab" are shown.

In addition to filtering the user list, you can use the list to add or remove roles
from users. You can add or remove user roles from an existing user or user
group. You cannot, however, remove a user from a user group or add new users
or groups to the list. For this, you have to use the Add Users page accessed by
clicking the Add button.

To add or remove roles


Click the icon of the role to add or remove. You can select a partition or global
role.

The role is added or removed from the user. If the role was inherited from a
group, a pop-up appears, informing you of the inheritance. To change a role
that is inherited from a group, you must either change the group's roles or
remove the user from the group.

View the User Role Details

The Role Assignment Details page provides detailed information about the roles
assigned to a selected user.

To view the user roles

1. Click Configure, User Roles.


The User Roles page opens.

2. Select a user and click Details.


The Role Assignment Details page for the selected user opens and displays
the role information.


The Role Assignment Details page provides the following information:


Role

Lists the roles assigned to the user.


Scope
Lists if the role applies only to a particular partition or all partitions.

Type
Lists how the role was assigned to the user. Some roles may be inherited
from user groups, others are assigned directly.

Click Done to close the page.

Add or Remove Users from User Roles

The list of users to whom you can assign user roles is drawn from the local users
on the Management Server and the set of domain users. From the Add Users
page you can add a user or a user group to the selected user role. You can also
assign a role to a user already listed on the User Roles page, but you cannot
add new user groups from that page.

To add users or user groups to a user role

1. In the Navigation Pane, click Configure, User Roles.


The User Roles page opens.

2. Select a User Role using the View by Roles drop-down menu.


Note: You must select a specific user role before you can add users to that
role. You cannot add a user to all roles at once. The Add button is inactive
until you select a user role.

3. (Optional) If you are assigning a partition-specific role, select the partition


from the Partition drop-down menu.

4. Click Add.

The Add Users page opens.

5. In the Name field under Available Users, enter the name of the user.
You can also enter a partial name or use wildcards to find a selection of
users.

6. In the Domain field, select the domain where the user is located or where
you want to search.

Selecting the name of the Management Server in this drop-down menu
searches the Local Users group on the server.


7. Click Go.
The Management Console searches for users that match the criteria you
selected. All matching users are listed under Available Users.

8. Select the user or user group to add to the role and click the arrow to move
the user to the Assigned Users list for the role.

9. Continue adding users as needed.


10. Click Apply to save the changes.
To discard the changes click Discard. When finished, or to exit the page
without making any changes, click Close.

You can also use this page to remove a user or user group from the selected
role.

To remove users or user groups from a user role

1. In the Navigation Pane, click Configure, User Roles.


The User Roles page opens.

2. Select a User Role that is assigned to the user you want to remove, using the
View by Roles drop-down menu.

3. Click Add.

The Add Users page opens.

4. In the Assigned Users table, select the user or group to remove from the
role, and click the arrow to remove the user or group from the role.

5. Click Apply to save the changes.

To discard the changes click Discard. When finished, or to exit the page
without making any changes, click Close.


Revert to Older Signatures


Rolling back signatures returns the endpoints to a previously known working
signature set as of a specified date. While the rollback is in effect, signature
updates are suspended, so endpoints receive no detections newer than the
rolled-back set; resume normal updates as soon as the conflicts that prompted
the rollback are resolved. Once you resume the updates, each endpoint collects
any pending updates at its scheduled times.

To roll back signatures

1. Click Configure, Environment.

The Navigation Pane expands to show configuration options for the
Management Server.
2. Click Signature Rollback.

The Signature Rollback page opens.

3. Select Roll back signatures to, and click the calendar icon to select the date
to which to roll back.

4. Click Apply.
Your request is submitted. If you have the proper permissions and there are
no pending actions blocking the rollback, the signatures roll back to the
version that was current on the date you specified.

After all conflicts are resolved, you must resume the signature updates.

To resume signature updates

1. Click Configure, Environment.


The Navigation Pane expands to show configuration options for the
Management Server.

2. Click Signature Rollback.


The Signature Rollback page opens.

3. Select Resume signature updates and click Apply.


You are prompted to confirm that you want to resume signature updates.
4. Click Yes.

Your request is submitted. If you have the proper permissions and there are
no pending actions blocking this action, the signature updates resume.



Appendix B: Command Line Scanner

Command Line Parameters


On the client, you can run the scanner from a Windows command prompt. The
executable is:

caamscanner.exe

This executable is located in the r12 Client install directory.

You can use the following parameters with this command:


/quickscan
Performs an Anti-malware quick scan.

/fullscan
Performs an Anti-malware full scan.
/customscan
Performs a scan on a list of provided paths, including all files and subfolders
found in that location. The syntax for this parameter is:

/customscan PathName

where PathName is the location of the folder to scan.

All command line parameters use the currently defined Anti-Malware policy for
any additional scan settings.

The command line scan writes its output to the log file caamdebuglog.log,
located at:

On Windows XP and Windows 2000:

%ALLUSERSPROFILE%\Application Data\CA\TDClient\AM

On Windows Vista and Windows 7:

%ProgramData%\CA\TDClient\AM
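The following PowerShell script is an added example for driving the command line scanner and collecting what it logged; it is not part of the CA Total Defense guide or product. The client install directory it defaults to is an assumption (the guide only says "the r12 Client install directory"), and because the guide does not document the scanner's exit codes, the script judges the run by the new lines in caamdebuglog.log and treats a non-zero exit code only as a warning.

```powershell
# Added example, not from the CA Total Defense guide. Runs caamscanner.exe in one of
# its three documented modes and prints what the scan appended to caamdebuglog.log.
# ASSUMPTIONS: the default client directory below is a guess ("the r12 Client install
# directory" is all the guide says), and the scanner's exit codes are undocumented,
# so a non-zero exit is reported as a warning and the log is the source of truth.
param(
    [ValidateSet('quickscan', 'fullscan', 'customscan')]
    [string]$Mode = 'quickscan',
    [string[]]$Path,                                                # folders, customscan only
    [string]$ClientDir = 'C:\Program Files\CA\TotalDefense\Client'  # assumption
)

$scanner = Join-Path $ClientDir 'caamscanner.exe'
if (-not (Test-Path $scanner)) { throw "Scanner not found: $scanner" }

# Log location by OS family, as listed in the guide: %ProgramData% on Vista/7,
# %ALLUSERSPROFILE%\Application Data on XP/2000.
$logRoot = if ([Environment]::OSVersion.Version.Major -ge 6) { $env:ProgramData } else { Join-Path $env:ALLUSERSPROFILE 'Application Data' }
$logFile = Join-Path $logRoot 'CA\TDClient\AM\caamdebuglog.log'

# Remember the log size so only lines written by this scan are shown afterwards.
$offset = if (Test-Path $logFile) { (Get-Item $logFile).Length } else { 0 }

function Invoke-Scan([string[]]$ArgList) {
    $proc = Start-Process -FilePath $scanner -ArgumentList $ArgList -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) {
        Write-Warning "caamscanner.exe exited with code $($proc.ExitCode) for: $($ArgList -join ' ')"
    }
}

switch ($Mode) {
    'quickscan'  { Invoke-Scan @('/quickscan') }
    'fullscan'   { Invoke-Scan @('/fullscan') }
    'customscan' {
        if (-not $Path) { throw 'customscan needs at least one folder (-Path).' }
        foreach ($folder in $Path) {
            # The guide documents "/customscan PathName", so each folder gets its own
            # invocation; the path is quoted so folders with spaces survive.
            if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
                Write-Warning "Skipping missing folder: $folder"; continue
            }
            $full = (Resolve-Path -LiteralPath $folder).Path
            Invoke-Scan @('/customscan', ('"{0}"' -f $full))
        }
    }
}

# Print only the part of the log written after the scan started. The file is opened
# with FileShare.ReadWrite because the client may still hold it open for writing.
if (Test-Path $logFile) {
    $stream = [System.IO.File]::Open($logFile, 'Open', 'Read', 'ReadWrite')
    try {
        $null = $stream.Seek($offset, 'Begin')
        (New-Object System.IO.StreamReader($stream)).ReadToEnd()
    } finally { $stream.Dispose() }
} else {
    Write-Warning "No log file found at $logFile"
}
```

Save it under any name (for example Run-CaamScan.ps1, a name chosen here) and run it on the client, for instance `.\Run-CaamScan.ps1 -Mode customscan -Path 'C:\Users\Public', 'D:\Shares'`. Because the scan settings come from the Anti-Malware policy rather than from the command line, the log is also the place to confirm which policy settings the scan actually applied.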



Appendix C: Database Migrations
This section contains the following topics:

Migrate the Management Server Database (see page 585)


Migrate the Events, Notifications, and Reports Databases (see page 586)

Migrate the Management Server Database


During installation, the Management Server lets you set up a Total Defense
database on your existing Microsoft SQL Server 2005 or SQL Server Express
database or, if you do not have a database server already set up in your
environment, the server setup installs Microsoft SQL Server Express locally.

If you later deploy the full version of Microsoft SQL Server 2005, you can move
your Total Defense database to your new SQL Server installation without loss of
data.

Note: You can also use this procedure to copy the Total Defense database to
another database.

To migrate your database


1. Stop the Management Server to ensure that all connections to the database
have been disconnected.

2. From the Start, Programs menu, select Microsoft SQL Server 2005, and
select SQL Server Management Studio Express.
Microsoft SQL Server Management Studio appears.

3. Log in and expand the Databases tree node.

4. Right-click the itmdb item and select Tasks, and then select Back Up from
the pop-up menu.

The Backup dialog appears.

5. Ensure that the Backup type is set to Full, make a note of the path in the
Destination field, and click OK.

The backup begins. You are prompted when the backup is complete.

6. Copy the backup file you created, itmdb.bak, to the new database server.

7. Launch the SQL Server Management Studio on the new database server and
log in.


8. Right-click the Databases tree node and select Restore Database from the
pop-up menu.

The Restore dialog appears.

9. Enter itmdb in the To database field in the Destination for restore section of
the Restore dialog.

10. Select the From device option in the Source for restore section, and select
the itmdb.bak file you copied from the SQL Express server.
11. Ensure that the full database is selected in the list of backup sets to restore
and click OK to restore the database.

The database is restored and you are prompted when the restore operation
is complete.

Important! When the database has been restored, you must point the
Management Server to the new database to complete the migration.

Alternatively, you can create the backup by executing the following simplified
query, without setting any advanced options:

BACKUP DATABASE itmdb TO DISK = 'c:\ITMBackups\itmdb.Bak'
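The same backup-and-restore migration, done with sqlcmd so that it can be scripted and each step verified, as an added example that is not from the guide or the product. The instance names, file paths and the use of Windows authentication (-E) are placeholders to replace; the script also performs the sqlcmd connection test that the troubleshooting appendix describes, verifies the backup before it is moved, relocates the data and log files on the new server, and reports database users left orphaned by the move. As in the procedure above, stop the Management Server before running it and point the Management Server at the new database afterwards.

```powershell
# Added example, not from the CA Total Defense guide. Backs up itmdb on the old
# instance, verifies the backup, restores it on the new instance with the data files
# relocated, and reports orphaned database users. ASSUMPTIONS: instance names,
# paths and Windows authentication (-E) are placeholders; stop the Management
# Server first (step 1 above) and re-point it to the new server afterwards.
param(
    [string]$SourceInstance = 'OLDSERVER\SQLEXPRESS',
    [string]$TargetInstance = 'NEWSERVER',
    [string]$Database       = 'itmdb',
    [string]$BackupFile     = 'C:\ITMBackups\itmdb.bak',  # path as the SOURCE server sees it
    [string]$RestoreFile    = 'D:\ITMBackups\itmdb.bak',  # the copy, as the TARGET server sees it
    [string]$TargetDataDir  = 'D:\SQLData'                 # where the restored .mdf/.ldf go
)

# -b makes sqlcmd return a non-zero exit code on any SQL error, so a failed
# step stops the migration instead of silently continuing.
function Invoke-TSql([string]$Instance, [string]$Query) {
    $out = & sqlcmd -S $Instance -E -b -Q $Query 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed on ${Instance}: $out" }
    return $out
}

# 0. Connectivity check on both sides (the test the troubleshooting appendix describes).
foreach ($inst in $SourceInstance, $TargetInstance) { $null = Invoke-TSql $inst 'SELECT @@SERVERNAME' }

# 1. Full backup with page checksums, then have SQL Server verify the file it wrote.
$null = Invoke-TSql $SourceInstance @"
BACKUP DATABASE [$Database] TO DISK = N'$BackupFile' WITH INIT, CHECKSUM;
RESTORE VERIFYONLY FROM DISK = N'$BackupFile' WITH CHECKSUM;
"@

# 2. Copy the .bak to the new server out of band (file share, robocopy, ...).
Read-Host "Copy $BackupFile to $RestoreFile on the target, then press Enter" | Out-Null

# 3. Read the logical file names from the backup and MOVE each one into the target
#    data directory: the Express server's drive layout usually does not exist there.
$list = & sqlcmd -S $TargetInstance -E -b -h -1 -W -s '|' `
            -Q "SET NOCOUNT ON; RESTORE FILELISTONLY FROM DISK = N'$RestoreFile'"
if ($LASTEXITCODE -ne 0) { throw "FILELISTONLY failed: $list" }
$primarySeen = $false
$moves = foreach ($line in @($list)) {
    if ($line -notmatch '\|') { continue }           # skip blank or informational lines
    $cols = $line -split '\|'
    $logical = $cols[0]; $type = $cols[2]             # columns: LogicalName, PhysicalName, Type, ...
    $ext = '.ndf'
    if ($type -eq 'L') { $ext = '.ldf' } elseif (-not $primarySeen) { $primarySeen = $true; $ext = '.mdf' }
    "MOVE N'$logical' TO N'$(Join-Path $TargetDataDir ($logical + $ext))'"
}
$null = Invoke-TSql $TargetInstance @"
RESTORE DATABASE [$Database] FROM DISK = N'$RestoreFile'
WITH $($moves -join ', '), CHECKSUM, RECOVERY;
"@

# 4. SQL logins are server-scoped, so the database user the Management Server
#    connects as may now be orphaned on the new server; list anything to re-map.
Invoke-TSql $TargetInstance "USE [$Database]; EXEC sp_change_users_login 'Report';"
```

Step 4 is the check most often skipped: the backup carries the database users, but not the server logins they map to, so after the restore the Management Server's SQL login may exist on the new server without being linked to the user inside itmdb. Anything the final query lists has to be re-mapped (or the login re-created) before the Management Server is pointed at the new database.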

Migrate the Events, Notifications, and Reports Databases


You can manually migrate your CA Total Defense databases to a different SQL
Server. You must migrate all of the databases used by CA Total Defense at the
same time:
■ Events database
■ Notifications database
■ Reports database

You can either start with new, empty databases on the new SQL Server or import
the contents of your existing databases into the new location (step 5 below).

Note: You must ensure that your new SQL Server database is properly
configured to work with CA Total Defense. Before you migrate, review the
pre-installation tasks outlined in the CA Total Defense Quick Install Guide to
ensure that you have properly configured your database.

To migrate your Events databases

1. Log in to the CA Total Defense r12 Management Console.

2. In the Configure section, under Environment, select Server Databases,
Event Server, Database, and select Connection.

3. Note the names of the Events, Reports, and Notifications databases listed in
the Database names section.


4. Locate EventTool.exe in the CA Total Defense installation folders and run it
with the following parameters to create the new databases.
■ To create the new Events database, enter:
EventTool.exe -createeventsdb sqlServerHost sqlServerInstance UserName
UserPassword NewDatabaseName Language

■ To create the new Reports database, enter:
EventTool.exe -createreportdb sqlServerHost sqlServerInstance UserName
UserPassword NewDatabaseName Language

■ To create the new Notifications database, enter:
EventTool.exe -createnotificationdb sqlServerHost sqlServerInstance
UserName UserPassword NewDatabaseName Language

where

■ NewDatabaseName is the name of the appropriate database you noted in
the Connection dialog.

■ Language is one of the following language codes:

– de - German
– en - English
– es - Spanish
– fr - French
– it - Italian
– ja - Japanese
– ko - Korean
– pt - Brazilian Portuguese
– zh - Simplified Chinese
– zh - Traditional Chinese
For example, to create an Events database using localhost as the Host name,
SQLEXPRESS as the SQL Server instance, Admin as the user name, Pass123
as the password, EventsDB as the new database name, and English as the
language, enter the following:
EventTool.exe -createeventsdb localhost SQLEXPRESS Admin Pass123 EventsDB en

Important! Parameters must be entered in the order given. Unneeded
parameters must be passed as an empty string ("").
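A PowerShell wrapper for step 4, added here as an example and not part of the guide or the product: it runs the three EventTool.exe commands with the documented parameter order and the empty-string convention, validates the language code against the list above, and prompts for the password instead of taking it on the command line. The EventTool.exe path is an assumption, as is treating a non-zero exit code as failure, since the guide does not document the tool's exit codes.

```powershell
# Added example, not from the CA Total Defense guide. Runs the three EventTool.exe
# commands in the documented parameter order, passing "" for parameters that are not
# needed and prompting for the password instead of taking it as an argument.
# ASSUMPTIONS: the EventTool.exe path is a guess, and the guide does not document
# exit codes, so a non-zero exit is treated as failure.
param(
    [Parameter(Mandatory=$true)] [string]$SqlHost,
    [string]$SqlInstance = '',                   # leave '' for the default instance
    [Parameter(Mandatory=$true)] [string]$UserName,
    [Parameter(Mandatory=$true)] [string]$EventsDb,
    [Parameter(Mandatory=$true)] [string]$ReportsDb,
    [Parameter(Mandatory=$true)] [string]$NotificationsDb,
    [string]$Language = 'en',
    [string]$EventTool = 'C:\Program Files\CA\TotalDefense\ManagementServer\EventTool.exe'
)

# Language codes as printed in the guide, which lists "zh" for both Simplified and
# Traditional Chinese; it is therefore kept once here.
$validLanguages = 'de', 'en', 'es', 'fr', 'it', 'ja', 'ko', 'pt', 'zh'
if ($validLanguages -notcontains $Language) {
    throw "Unknown language code '$Language' (valid: $($validLanguages -join ', '))"
}
if (-not (Test-Path $EventTool)) { throw "EventTool.exe not found at $EventTool" }

# Prompt for the password so it never lands in the PowerShell history or in this
# script. EventTool still receives it as a plain command-line argument, which any
# local user able to list processes can read, so run this on a trusted host.
$secure = Read-Host -Prompt "Password for $UserName" -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# Every argument is quoted; an empty value becomes the literal "" the guide requires.
function Quote([string]$v) { if ($v -eq '') { '""' } else { '"' + $v + '"' } }

$targets = @(
    @{ Switch = '-createeventsdb';       Name = $EventsDb },
    @{ Switch = '-createreportdb';       Name = $ReportsDb },
    @{ Switch = '-createnotificationdb'; Name = $NotificationsDb }
)

foreach ($t in $targets) {
    # Fixed order: switch, host, instance, user, password, new database name, language.
    $argList = @($t.Switch) + @($SqlHost, $SqlInstance, $UserName, $password, $t.Name, $Language | ForEach-Object { Quote $_ })
    $shown = $argList.Clone(); $shown[4] = '***'             # index 4 is the password
    Write-Host ("{0} {1}" -f $EventTool, ($shown -join ' '))
    $proc = Start-Process -FilePath $EventTool -ArgumentList $argList -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) {
        throw "$($t.Switch) failed for '$($t.Name)' with exit code $($proc.ExitCode)"
    }
}
```

The guide's own example (`EventTool.exe -createeventsdb localhost SQLEXPRESS Admin Pass123 EventsDB en`) puts the SQL password on the command line; the wrapper cannot avoid that for EventTool itself, but it keeps the password out of your shell history and out of the script, which is where such values are usually found later.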


5. If you are importing full databases to a new location, open SQL Server
Management Studio, log in to the new SQL Server, and perform the following
procedure.
Note: If you are migrating to a new SQL Server database, skip this step.
a. Right-click any of the databases and select Tasks, and then select Import
Data from the pop-up menu.

The SQL Server Import and Export Wizard opens. Follow the prompts to
complete the wizard:

b. Enter information about the old database on the old SQL Server in the
Data Source details, and click Next.

c. Enter information about your new database in the Destination fields, and
click Next.

d. Select Copy data from one or more tables or views, and click Next.

e. In the Select Source Tables and Views dialog, select all tables and click
Edit Mappings.

f. In the Transfer Settings dialog, ensure that the Drop and recreate new
destination tables option is not selected, select the Delete rows in
existing destination tables option and the Enable identity insert options,
and click OK.

g. Click Next in the SQL Server Import and Export Wizard, select the Run
immediately option and click Finish.

6. Log in to the CA Total Defense r12 Management Console.

7. In the Configure section, under Environment, select Server Databases,
Event Server, Database, and select Connection.

8. Configure your new server connection settings and test the connection using
the Test Connection button.
9. Click Apply to apply your server connection settings.

Note: After you have moved to the new SQL Server, archived databases at the
original database location are no longer accessible from the Management Console.



Appendix D: Troubleshooting
This section contains the following topics:

Certificate Creation Error (see page 589)


Microsoft SQL Server Connection (see page 589)
Management Console Connection (see page 590)
Active Directory Server Configuration (see page 591)
Discovery or Remote Deployment Issue (see page 591)
Log Shows “Service creation failed with retCode [50029]” (see page 591)
Endpoint Discovery Does Not Start (see page 592)
Endpoint Discovery Failed to Locate Endpoints (see page 592)
Endpoint Discovery Runs for a Prolonged Time (see page 593)
An Endpoint is Listed without an IP Address (see page 593)
Turn on Management Server Logging (see page 594)
Generate a Diagnostic Report (see page 594)
Diagnose a Report Failure (see page 595)

Certificate Creation Error


If you receive the error message "Certificate creation failed" during installation,
contact Support with details of the problem.

Microsoft SQL Server Connection


During installation, you can choose to install Microsoft SQL Server Express, or
you can connect to an existing installation of Microsoft SQL Server through the
Total Defense installer.

If you are already using Microsoft SQL Server and plan to use it with CA Total
Defense, verify that the following items are configured before you install CA Total
Defense:
■ You are using Windows and SQL authentication (mixed mode authentication)
■ You have enabled the TCP/IP protocol and assigned the port SQL Server listens on
■ You are connecting as a user with the sysadmin role


■ You have enabled the Microsoft .NET Framework (CLR) integration in
Microsoft SQL Server
■ The firewall (if any) allows incoming access to the SQL Server port
■ The SQL Server Browser service is running

If you choose to install Microsoft SQL Server Express during installation, these
items are installed with all necessary settings configured.

Database Connectivity

Use the following command to test your database connection:

sqlcmd -S database_server\instance_name -U database_user -P database_password

You can omit instance_name to connect to the default instance. Note that a
password given with -P is visible in the command history and in the process
list; if the account is a Windows login, use -E to authenticate with your
current Windows credentials instead.

For example, on the local machine:


■ If you enter localhost, you connect to the default instance on the local
machine
■ If you enter localhost\data, you connect to the data instance on the local
machine

If your database server name is test.ca.com:


■ If you enter test.ca.com, you connect to the default instance on test.ca.com
■ If you enter test.ca.com\data, you connect to the data instance on
test.ca.com

If everything is correct, sqlcmd produces a 1> prompt. The exit command
returns you to the command prompt.

If anything is incorrect, sqlcmd prints an error.

Management Console Connection


To successfully connect to the Total Defense or CA Total Defense for Unified
Network Control Management Console, verify the following:
■ Microsoft IIS Server is properly installed
■ Microsoft .NET support is enabled on the IIS Server.
■ If you have installed CA Total Defense for Unified Network Control, see the
UNC documentation for post-installation instructions on manually enrolling
the required certificates


Active Directory Server Configuration


If your Active Directory Server is on Windows 2000, contact CA for additional
support.

If your Active Directory Server is on Windows 2003 or above, ensure the
following if your Management Server is NOT part of the domain:
■ The user credentials you supply in the configuration dialog are not for a
Domain Administrator. Due to Microsoft Security limitations, you cannot use
Domain Administrator credentials.
■ You use the fully qualified domain name when you specify the server. An IP
address or partial host name will not succeed, even if correct.

■ You specify both the domain name and the user name (for example,
mydomain\myuser).
■ You use the correct case when entering the user name. User names are
case-sensitive.

Discovery or Remote Deployment Issue


To avoid difficulty in running Endpoint Discovery or Remote Deployment jobs,
ensure that the account credentials for Endpoint Discovery and Remote
Deployment are in a domain environment in the form of DOMAIN\user.

For example, in a domain called LAB.LOCAL, the credentials should look like
LAB\Administrator.

Log Shows “Service creation failed with retCode [50029]”


The Endpoint Discovery installation failed and the discoveryInstall.log shows
“Service creation failed with retCode [50029]”.

Error 50029 signifies that an invalid user name was entered during installation.
During installation, the user name must be supplied in one of the following
formats:
■ If the user name is a domain user, specify the user as:
domain\UserName
■ If the user is a local account on the server (a built-in domain), specify the
user as:
.\UserName or LocalMachine\UserName


Endpoint Discovery Does Not Start


The CA Total Defense and Endpoint Discovery installations successfully
completed, however Endpoint Discovery does not start after clicking Start Full
Discovery. The Endpoint Discovery service is not started.

The user specified for Endpoint Discovery is granted the "Log on as a service"
right during the product installation. However, the right can be revoked after
a reboot or during periodic policy refresh if the server is controlled by Group
Policy, which replaces the local user-rights assignment. The account specified
during installation for Endpoint Discovery must be listed in the policies that
apply to the server where Endpoint Discovery is installed and expected to run.
When using Group Policy, grant the "Log on as a service" right to the account
in the policy defined at the domain controller level, not only in the local
security policy.

Endpoint Discovery Failed to Locate Endpoints


Endpoint Discovery failed to discover any endpoints.

The SMB scan engine and DNS scan engine results form the basis for the search
performed by the rest of the scan engines. However, if these scans fail to find
any endpoints, the subsequent scan engines cannot run.

For the SMB scan engine to work, the following services must be started by the
operating system at system boot-up on the machine from which Endpoint
Discovery is launched:
■ Server service
■ Workstation service

For the DNS scan engine, the DNS server must permit a zone transfer to the host
that runs Endpoint Discovery, so that it receives the list of host names and IP
addresses. Zone transfer must be configured manually on the DNS server. Allow
the transfer only to the Endpoint Discovery server's address rather than to any
host, because a full zone transfer hands the complete host inventory to whoever
can request it.
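A PowerShell check for the two preceding troubleshooting entries, added here as an example and not part of the guide or the product: it confirms on the Endpoint Discovery server that the discovery account still holds "Log on as a service" (which Group Policy can take away again after installation) and that the Server and Workstation services the SMB scan engine depends on are running and set to start automatically. The account name is a placeholder; the script must run from an elevated prompt because secedit needs that to export the effective local policy.

```powershell
# Added example, not from the CA Total Defense guide. Checks, on the server that runs
# Endpoint Discovery, the two prerequisites described above: that the discovery
# account still holds "Log on as a service" (which Group Policy can remove again), and
# that the Server and Workstation services the SMB engine needs are running. Run from
# an elevated prompt; secedit needs it to export the local policy. The account is a
# placeholder.
param([Parameter(Mandatory=$true)] [string]$DiscoveryAccount)   # e.g. 'LAB\svc-discovery'

$ok = $true

# --- 1. "Log on as a service" (SeServiceLogonRight) -------------------------
$inf = Join-Path $env:TEMP 'user-rights.inf'
& secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt.' }

# The export lists each right as "SeServiceLogonRight = name,*S-1-5-..."; holders are
# account names or SIDs prefixed with "*", so the account is compared in both forms.
$account = New-Object System.Security.Principal.NTAccount($DiscoveryAccount)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } | Select-Object -First 1
Remove-Item $inf -Force
$holders = @()
if ($line) { $holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } }
if (($holders -contains "*$sid") -or ($holders -contains $DiscoveryAccount)) {
    Write-Host "OK   $DiscoveryAccount holds Log on as a service"
} else {
    $ok = $false
    Write-Warning "$DiscoveryAccount does NOT hold Log on as a service on this host."
    Write-Warning 'If this server is under Group Policy, grant the right in the GPO that applies to it; a local grant is overwritten at the next policy refresh.'
}

# --- 2. Server and Workstation services (SMB scan engine) -------------------
foreach ($svc in 'LanmanServer', 'LanmanWorkstation') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) { $ok = $false; Write-Warning "Service $svc not found"; continue }
    $startMode = (Get-WmiObject Win32_Service -Filter "Name='$svc'").StartMode
    if ($s.Status -eq 'Running' -and $startMode -eq 'Auto') {
        Write-Host "OK   $($s.DisplayName) is running and starts automatically"
    } else {
        $ok = $false
        Write-Warning "$($s.DisplayName): status=$($s.Status), start mode=$startMode (needs Running / Auto)"
    }
}

# The DNS scan engine also needs a zone transfer permitted by the DNS server; that is
# a DNS server setting and is not checked here.
if ($ok) { Write-Host 'All checked Endpoint Discovery prerequisites are present.' } else { exit 1 }
```

The script exits with status 1 when anything is missing, so it can be run from a scheduled task after each Group Policy refresh to catch the revoked right before the next discovery job fails to start.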


Endpoint Discovery Runs for a Prolonged Time


The Endpoint Discovery service runs for an extended period of time and does not
end.

Check the following list for reasons why Endpoint Discovery is prolonged:
■ The maximum number of scan threads is set too low while the network to
discover is extremely large. If possible, try to increase the maximum number
of scan threads.
■ You have the Active Fingerprinting engine enabled, port scan mode is
enabled, and the maximum port value is set high while the maximum number
of scan threads is set too low. Try increasing the maximum number of scan
threads, or switch to known-ports mode and specify the known ports.

■ You have the Active Fingerprinting engine enabled, port scan mode is
enabled, the max scan thread is set too low and the specified preferred ports
are not actually open ports across the network, or you did not specify any
preferred ports. Make sure the preferred ports are configured properly and
that the ports are open across your network.
■ You have the ICMP, TCP or Active Fingerprinting timeouts set to a high value
and the max scan threads is too low. Try increasing the max scan threads or
choose a lower value for timeouts.

The discovery service logs created in "<Discovery_installation_path>/logs"
contain the SCAN engine summary, which gives a fair idea of the Endpoint
Discovery's progress in such cases.

An Endpoint is Listed without an IP Address


The Unmanaged Endpoints list contains endpoints without an IP address.

The Endpoint Discovery SMB engine attempts to get all primary domains on the
network and determine the hosts in each domain using the SMB protocol. The
result is a list of hostnames and their operating system. Endpoint Discovery then
tries to resolve the hostname to an IP address using the DNS server (as
"nslookup" does). Some hostnames are not resolved to an IP address. In this
case, the Unmanaged Endpoints list only displays the hostname and operating
system.

Turn on Management Server Logging


The following procedure turns on logs and places them in a cab file so that you
can send them to CA Technical Support.

To turn on logging on the Management Server

1. Run the following utility:

C:\ProgramFiles\CA\TotalDefense\ManagementServer\WebServices\bin\EnableLogs.exe

2. Select all categories for Total Defense Logging and click Apply.
There is no need to recycle anything.

3. Click Collect Logs to create a cab file.

The name of the cab file is displayed.


4. Send the file to CA Technical Support using your normal problem reporting
method.

Generate a Diagnostic Report


If a report generates correctly but appears to contain incorrect data, you can
generate a Diagnostic report. This allows you to check the SQL query or other
data to locate the problem.

The EventReporterServer.exe.config file contains the following entry:

<add key="DiagnosticMode" value="0"/>

Change this value to any number besides 0 to generate a Diagnostic report (even
if there is no error).

Note: You must restart the Report Service for this change to take effect.
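The following script is an added example, not part of the guide or the product: it reads the DiagnosticMode entry from an EventReporterServer.exe.config-style appSettings section, reports whether diagnostic reports are enabled (any value other than 0), and toggles the setting, adding the entry if it is missing. The sample config text is constructed for illustration; only the DiagnosticMode key itself comes from the guide.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample of the relevant appSettings fragment (not the real file).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="ReportTimeout" value="300"/>
    <add key="DiagnosticMode" value="0"/>
  </appSettings>
</configuration>
"""

DIAG_XPATH = "./appSettings/add[@key='DiagnosticMode']"


def _parse(config_text):
    # Parse as bytes so an XML encoding declaration is honoured.
    return ET.fromstring(config_text.encode("utf-8"))


def diagnostic_mode_enabled(config_text):
    """True when DiagnosticMode is present and set to a number other than 0."""
    entry = _parse(config_text).find(DIAG_XPATH)
    if entry is None:
        return False          # missing entry: treated as the documented default, 0
    value = entry.get("value", "0").strip()
    return int(value) != 0    # the guide only documents numeric values


def set_diagnostic_mode(config_text, enable=True):
    """Return config text with DiagnosticMode set to 1 (enable) or 0 (disable).

    Creates the <add> entry (and appSettings) when absent. The Report Service
    must still be restarted for the change to take effect.
    """
    root = _parse(config_text)
    entry = root.find(DIAG_XPATH)
    if entry is None:
        settings = root.find("appSettings")
        if settings is None:
            settings = ET.SubElement(root, "appSettings")
        entry = ET.SubElement(settings, "add", key="DiagnosticMode")
    entry.set("value", "1" if enable else "0")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python toggle_diag.py <path-to-EventReporterServer.exe.config> [on|off]
    path, mode = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else "on")
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    print("currently enabled:", diagnostic_mode_enabled(text))
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(set_diagnostic_mode(text, enable=(mode == "on")))
    print("restart the Report Service to apply the change")
```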

Diagnose a Report Failure


Whenever a report fails to generate, the Reports Server creates a Diagnostic
report in HTML. You can view this data from the Management Console by going
to Monitor, Reports, Generate Reports, View Report. Select the failed report,
right-click and select View Selected Report Diagnostics.

This report contains three layers of information that can help diagnose the
problem:

First Layer: General Information

This section contains several general items such as the name of the report,
report ID, database connection string, the account that implemented the
report, its layout, language, time zone, the physical location (known as the
drop folder), and which .NET object implemented the report.

Note: The most important item in this section is the database connection
string. Most report failures occur because of an improper configuration of the
SQL Server or network access issues to the SQL Server.

Second Layer: Exception Details

The second layer includes the exception stack, which can diagnose the
problem as an engine or SQL Server issue, or SQL query issue.

Third Layer: The SQL Query

The third layer contains the actual SQL query that generates the report. This
layer may not appear, as most failures happen before the query is executed.
