McAfee MOVE AV Agentless Security Virtual Machine (SVM)
McAfee Security Virtual Appliance (SVA)
VMware (Virtual Machine environments)
Summary
This article is a consolidated list of common questions and answers. It is intended for users who are new to the product, but can be of use to all users.
Recent updates to this article
Date
Update
January 28, 2021
Updated the FAQ for number of clients taking the load.
November 23, 2020
Updated FAQ "Can MOVE AV Multi-Platform co-exist with McAfee AV products or other antimalware products?"
September 24, 2020
New FAQ added to the Compatibility section:
Is MOVE Multi-Platform compatible with Windows Defender?
May 15, 2020
Updated to remove End of Life product reference.
March 4, 2020
Added an Endpoint Security note to the Compatibility section for "Can MOVE AV Multi-Platform co-exist with VSE or other antimalware products?"
Contents
What is MOVE?
MOVE is the family name for two related Management for Optimized Virtual Environments (MOVE) products. Virtual Machines (VMs) running on server-class systems that contain virtualization software, including VMware ESX or Citrix XenServer, need an antivirus application running on each VM on a hypervisor. (Hypervisor is a general term that describes virtualization software such as VMware ESX, Citrix XenServer, and Microsoft Hyper-V.)
When you run an antivirus application on each VM on a hypervisor, there is high use of resources such as disk, CPU, and memory, which results in a reduced VM density per hypervisor. MOVE AV solves this issue by offloading all On-Access Scanning (OAS) to a dedicated VM that runs VirusScan Enterprise (VSE). There is no need to install a traditional antivirus application such as VSE on each VM. The dedicated VM improves performance and allows an increased VM density per hypervisor.
What is MOVE AV Agentless?
This option integrates with VMware vShield (vSphere and ESXi) through vShield Endpoint. MOVE AV Agentless provides virus protection for VMs and contains a Security Virtual Appliance (SVA) delivered as an Open Virtualization Format (OVF) package. MOVE AV Agentless supports On-Demand Scanning (ODS) natively. MOVE Agentless systems do not have VSE installed. The MOVE AV Agentless components are:
Component
Description
Security Virtual Appliance (SVA)
Provides antivirus protection for VMs and communicates with the loadable kernel module on the hypervisor, ePolicy Orchestrator (ePO), and the Global Threat Intelligence (GTI) servers.
The SVA is the only system directly managed by ePO, but you can install McAfee Agent and other McAfee products on VMs. VirusScan Enterprise for Linux, McAfee Agent, and MOVE AV Agentless come preinstalled.
ePO
Allows you to configure policies to manage MOVE AV Agentless and provides reports on malware discovered in your virtual environment.
File Quarantine
Remote quarantine system, where quarantined files are stored on an administrator-specified network share.
Global Threat Intelligence (GTI)
Classifies suspicious files that are found on the file system. When the real-time malware defense detects a suspicious program, it sends a DNS request for analysis. The request is sent to a central database server hosted by McAfee Labs.
Hypervisor (ESXi)
Allows multiple operating systems to run concurrently on a hosted system. The hypervisor is a virtual operating platform that manages the execution of the guest operating systems. ESXi is an embedded hypervisor for servers that runs directly on server hardware without requiring another underlying operating system.
VMware vCenter
Console that manages the ESXi servers, which host the guest VMs that require protection.
vCloud Networking and Security Manager
Manages the vShield components for the SVA and VMware vShield Endpoint, and monitors the health of the SVA.
Virtual Machines (VMs)
Isolated guest operating system installations in a normal host operating system that support both virtual desktops and virtual servers.
VMware NSX Manager
Console that allows you to configure, provision, and automate the protection on the endpoints in a data center.
What is MOVE AV Multi-Platform?
MOVE AV Multi-Platform is for On-Access and On-Demand Scanning of end nodes. The MOVE AV Multi-Platform components are:
Component
Description
SVA Manager
Automatically assigns offload scan servers to MOVE Multi-Platform clients based on configurable parameters. These parameters include Scan Server load, ePO tags, and IP address ranges.
ePolicy Orchestrator (ePO)
Communicates with the McAfee Agent, manages the Multi-Platform configuration, and provides reports on malware discovered in your virtual environment.
McAfee Agent
Communicates with ePO, applies policies to each virtual machine, and deploys the MOVE AV Multi-Platform client.
Hypervisor
Allows multiple operating systems to run concurrently on a hosted system. The hypervisor is a virtual operating platform that manages the execution of the guest operating system.
MOVE AV client
Allows virtual machines to interact with the offload scan server (OSS) for file scanning and malware detection. Enforces actions on the client when a threat is detected.
MOVE AV client extension
Provides policies and controls for configuring and managing the behavior of the MOVE AV client through ePO.
MOVE AV Offload Scan Server
Provides offloaded scanning support for virtual machines, which minimizes the performance impact on virtual desktops.
MOVE AV Offload Scan Server extension
Provides policies and controls for configuring and managing the behavior of the MOVE AV offload server through ePO.
VirusScan Enterprise
Provides antivirus protection for the offload scan server VM and communicates with the GTI servers.
Data Center Connector for vSphere
Integrates the management and automation feature of ePO to discover and manage your guest VMs.
What is MOVE Scheduler?
The Scheduler is used with MOVE Multi-Platform clients. Traditional security solutions for virtual environments run as an antivirus application on every VM on the hypervisor. This model results in reduced VM density per hypervisor and causes high disk, CPU, and memory use. Common tasks such as scanning for viruses can occur on all servers at the same time. These tasks create a significant load on the virtual infrastructure and negatively impact performance.
MOVE Scheduler solves these issues for VSE environments by distributing on-demand scans across all client VMs. The on-demand scans are based on parameters such as maximum concurrent scans per hypervisor, maximum concurrent scans per storage, and hypervisor CPU use. These parameters make sure that VMs remain usable during scans.
MOVE Scheduler 2.x is reaching EOL; what replaces it?
MOVE Scheduler functionality is now included in MOVE 4.0 and later. For details, see the MOVE Scheduler to MOVE Multi-Platform Migration Guides.
Can MOVE be disabled through policy when managing via ePO?
No. The MOVE software can't be enabled or disabled via ePO policy enforcement. The only option for disabling by policy is disabling OAS or ODS.
What has changed in MOVE AV 4.0?
MOVE AV Multi-Platform: Offload Scan Server (OSS) has changed to Security Virtual Machine (SVM). Security Virtual Appliance Manager (SVA Manager) has changed to Security Virtual Machine Manager (SVM Manager).
MOVE AV Agentless: Security Virtual Appliance (SVA) has changed to Security Virtual Machine (SVM).
On-Demand Scans/On-Access Scans: There are now two separate policies, one for the on-access scanner (OAS) and one for the on-demand scanner (ODS).
Multi-Platform 4.0 SVM Auto Scale feature: You can define the SVM auto scale settings so that the SVM deployment starts automatically depending on the number of clients connecting to the SVM for protection.
What is new in MOVE AV 4.5?
The new features and enhancements in MOVE AntiVirus 4.5.0 include:
New Multi-Platform features:
New Windows platform support for Windows Server 2016 (64-bit) for McAfee MOVE AntiVirus SVM and client systems
Support for SHA-256 for Threat Intelligence Exchange (TIE) integration
Support for TIE 2.0.0
Support for Advanced Threat Defense (ATD) 3.8.0 and vATD 3.1.0
Upgraded operating system for MOVE SVM Manager to Ubuntu 16.04
Transport Driver Interface (TDI) to Winsock Kernel migration
Integration with Cloud Workload Discovery (CWD) for remediation
New Agentless features:
Targeted on-demand scan
Upgraded operating system for MOVE SVM Manager to Ubuntu 16.04
How long is the trial period for MOVE, and if it is less than 90 days, is it possible to get a 90-day trial license?
The trial length is 90 days and extensions are not granted. But that does not mean that the product ceases to work. MOVE functions normally after the 90-day trial has expired. A reminder notification appears and remains until the MOVE license extension is installed. At that point, the trial version is converted to a fully licensed version.
Can MOVE AV Multi-Platform co-exist with McAfee AV products or other antimalware products?
No. Two antimalware products can't be installed on a system at the same time.
The following products prevent MOVE AV Multi-Platform from being installed:
Endpoint Security. NOTE: You can't install Endpoint Security modules on a client system when MOVE AV Multi-Platform is installed.
MVISION Endpoint
VirusScan Enterprise
Is the MOVE AV Multi-Platform 4.0 client and SVM compatible with the MOVE AV Multi-Platform 4.5 SVM Manager?
Yes. The MOVE AV Multi-Platform 4.5 SVM Manager can be used with the MOVE AV Multi-Platform 4.0 Client and SVM.
Does MOVE Agentless/Multi-Platform support GTI File Reputation?
Yes. GTI File Reputation is configured using the Scan Items policy.
Are there any plans for MOVE Agentless to support the Linux operating system?
MOVE Agentless supports the Linux operating system only when VMware supports it. MOVE Agentless supports all operating systems supported by VMware Endpoint Security. For a list of operating systems that are supported with the VMware vShield Endpoint Thin Agent that is used with the MOVE products, see: https://kb.VMWare.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1036847.
Can MOVE Multi-Platform run in Virtual Desktop Infrastructure (VDI) mode with VMware Horizon 6, for non-persistent VMware images that close as a user logs off and goes back to a gold image state?
Yes.
What support is provided for VDI clients?
MOVE Multi-Platform supports VDI and Thick Clients for all host platforms.
Can the MOVE Multi-Platform SVA Manager work in a Microsoft Hyper-V environment?
Yes. You must convert the SVA Manager when you import the (.ova) package to the Hyper-V server. An (.ova) package is a TAR archive file with the OVF directory inside.
NOTE: Hyper-V is supported only with MOVE Multi-Platform clients.
Is MOVE Agentless certified with VMware NSX?
Yes. Certification is provided in MOVE Agentless 4.x.x with NSX. For details, see the following VMware* compatibility matrix links.
Do I need to purchase the NSX Manager because VMware is stopping support for vCloud Networking and Security (vCNS)?
No. If you have vSphere Essential Plus or later, the NSX Manager is free. However, it can be used only to manage endpoint antivirus policies.
For more details about vCNS, see the VMware FAQ article 2110078: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2110078
Does MOVE Multi-Platform support AHV (Acropolis Hypervisor)?
Yes. MOVE Multi-Platform is hypervisor agnostic and works seamlessly on AHV.
NOTE: AHV is the new name for Kernel-based Virtual Machine (KVM).
How do you check the MOVE-AV-AL_SVM_Pkg_4.5.1.227.zip package into the ePO 5.3.2 Master Repository?
The MOVE 4.5.x SVM package is not meant to be checked in to the ePO Master Repository. Check it into the SVM Repository. The SVM Repository is on the MOVE AntiVirus Deployment Page under General, Configuration Settings.
Does Datacenter Connector support the use of a multi-tenant database?
No. Use of a multi-tenant database is not supported.
Is MOVE Multi-Platform compatible with Windows Defender?
Windows Server 2019
A MOVE Client installation does not uninstall Windows Defender. This issue is known and expected with MOVE client versions 4.8.1 and earlier.
Windows Server 2016, Windows 10 and 8
The MOVE client installation does uninstall Windows Defender. NOTE: After the MOVE installation is complete, you must restart the computer to fully uninstall Windows Defender. For details, see the Microsoft document.
Can I provide the same NSX Manager name while registering NSX Manager details on the MOVE AntiVirus Deployment configuration page?
No. It is not supported.
Is it possible to selectively install the MOVE Agentless vShield driver on a single client via an SVA deployment?
No. It is not possible to selectively install the vShield driver on clients with an SVA deployment. By default, installation is attempted on all VMs.
Can ePO be used to update the MOVE Agentless SVA automatically with updates and hotfixes?
ePO can be used to apply product hotfixes and updates.
How many SVAs need to be deployed for any given number of data centers?
For a MOVE Agentless solution, one SVA per host is needed regardless of the size of the data center. In a MOVE Agentless deployment, it is not possible to set up a secondary SVA for failover. The inability to set up a secondary SVA for failover is a VMware limitation.
Is it possible to migrate the MOVE Agentless SVA to another host?
No. It is never a good idea to migrate the SVA from one host to another. The SVA is registered to a specific hypervisor and protects only the VMs on that hypervisor.
Is it possible to upgrade the SVA via ePO?
Yes. It is possible from MOVE Agentless 4.x.x.
What user permissions are needed to successfully install the MOVE Agentless vShield driver?
All domains that are part of protected VMs have to be added to the ePO LDAP server registration page. The user must have domain administrator rights for the vShield driver to be installed successfully on the VM clients. This is because ePO must access these client VMs remotely to install the endpoint driver, and only domain administrators have the permission to do so.
For MOVE Agentless, what are the software requirements for vCloud Networking and Security Manager?
All VMware vCNS software components must be installed for the MOVE Agentless antivirus solution to work. The components are:
vShield Manager
vShield Endpoint plug-in for ESXi Host
vShield Endpoint Thin Agent for VM Guest
NOTE: Although VMware NSX is optional and not part of the VMware vCNS security solution, it makes deployment and setup much easier for customers.
How long does the evaluation license last?
The evaluation license lasts for 90 days before notifications are triggered.
Is MOVE AV Agentless supported on Linux hosts?
MOVE AV Agentless 4.5.1 is supported on Linux hosts. NSX 6.3 is needed for MOVE AV Agentless 4.5.1 to work properly.
How is a manual deployment of MOVE AV Agentless with vCNS performed?
Manual deployment of MOVE AV Agentless with vCNS occurs from the respective vCenter and can't be done directly from ESXi.
Does the upgrade of the MOVE Multi-Platform clients and servers require a system restart?
No.
What host platforms does MOVE Multi-Platform support?
MOVE Multi-Platform is a hypervisor-agnostic solution.
Are clients protected during an SVA Manager upgrade?
Yes. Clients and the Multi-Platform OSS continue to function with the earlier SVA Manager until the upgrade is completed, because the clients are already connected to an OSS. A client contacts the SVA Manager only when it has no OSS assigned.
When migrating a Virtual Guest system to another hypervisor because of operational needs, which OSS is responsible for scanning the migrated Virtual Guest? Also, do I need to point the migrated Virtual Guest manually to the local OSS running on the other Hypervisor, or is it assigned automatically based on ePO Policy/Hypervisor Integration?
The clients are always automatically protected wherever you migrate them, so long as the clients can communicate with the OSS.
Must I convert the .vmdk file (part of SVA Manager appliance) into a .vhd file using the Microsoft Virtual Machine Converter software, or are the files provided?
The MOVE Multi-Platform Product Guide, under the "Requirements for SVA Manager" section, states: To deploy on Hyper-V, convert the .vmdk file, which is part of the SVA Manager appliance, into a .vhd file. Then, attach the .vhd file as a hard disk to the new VM in Hyper-V. To convert .vmdk to .vhd, you can use the Microsoft Virtual Machine Converter software. The SVA Manager package is bundled with the required files. Customers only need to deploy the package.
Can the default MOVE Multi-Platform installation directory be changed?
No. The default installation folder (C:\Program Files or C:\Program Files (x86)) can’t be changed when deployed via ePO.
What is the standard recommendation for MOVE Multi-Platform setup?
The recommended design is to have the scan servers on the same subnet and as close to the Virtual Machines as possible (fewest network hops). There is also no problem with a dual-homed configuration.
Is a mixed environment supported (backward compatibility) with the SVA Manager and the OSS/clients while upgrading?
This is supported only for the short period during which a customer is upgrading. It is recommended to upgrade all products to the same version as soon as possible.
Can I upgrade the SVA Manager operating system if the operating system prompts me to upgrade?
No. When you see the message "New Release 'Version' available," ignore it, because updates are incorporated automatically with new releases of the SVA Manager appliance.
CAUTION: Trying to upgrade the operating system using this method might result in the SVA Manager appliance entering a broken state.
Can a MOVE Multi-Platform OSS handle a scan request from an earlier MOVE client installation?
Yes. Backward compatibility and protection are maintained during upgrades. However, it is recommended that you upgrade the clients to the later MOVE Multi-Platform version as quickly as possible so that they benefit from the new features and optimizations offered in the latest release.
How is a manual deployment of MOVE AV Multi-Platform SVM Manager performed?
Manual deployment of MOVE AV Multi-Platform SVM Manager occurs from the respective vCenter and can't be done directly from ESXi.
What is the correct procedure to upgrade MOVE AV Multi-Platform?
Upgrade the MOVE AV Multi-Platform components in the following order:
Check in the product extension to ePO.
Upgrade the Offload Scan Server.
Upgrade all MOVE AV Multi-Platform clients.
What does the MOVE-AV_Meta_Package_Ext.zip file contain?
With the release of MOVE AV 4.6, the following MOVE components have been placed in the MOVE-AV_Meta_Package_Ext.zip file:
McAfee MOVE AntiVirus Common
McAfee MOVE AntiVirus
McAfee MOVE AntiVirus License
vSphere Connector
McAfee Data Center Control
Multi-Platform client package
Multi-Platform SVM package
Multi-Platform SVM Manager Debian package
Product Help extension
Why is the Agentless Policy per Virtual Machine (PPVM) enable or disable option no longer available after an upgrade to MOVE AV 4.0?
This option in MOVE AV Agentless 4.0 is now enabled by default and can't be disabled.
(Automatic migration only) If you enabled PPVM in a previous version, all PPVM assignments and policies are merged.
This version of McAfee MOVE AntiVirus optimizes and consolidates legacy products into an integrated, efficient new platform. A new MOVE AntiVirus Common extension centralizes the shared protection features so that they are easily accessible by all product modules. As a result, some of the policy settings have changed.
The Migration Assistant makes sure that the settings in your legacy policies are moved to the correct policies in McAfee MOVE AntiVirus 4.0.0. Sometimes, they are merged with other McAfee MOVE AntiVirus settings. At other times, new default settings are applied to support updated technologies.
How do I verify that the Agentless PPVM policies are being applied successfully?
Do the following:
Edit the OAS/ODS policy.
Run the policy collector from the ePO MOVE AntiVirus Deployment page.
Enforce the policy.
At the SVM, open the oaspolicyaggr.xml or odspolicyaggr.xml file from the /opt/McAfee/move/etc folder. Based on which policy was changed, verify that the setting was applied correctly.
Does each VMware host require a Multi-Platform OSS, depending on the number of VMs on each host?
One OSS under a given host can service clients that reside under other hosts, provided the virtual networking infrastructure is configured accordingly.
NOTE: The OSS can generally be assigned to 200–400 workstation endpoints, depending on the load of the endpoints. The limiting factor is the number of concurrent scan requests that the clients trigger.
High availability file share servers require more OSS resources than workstation endpoints do, resulting in a lower OSS ratio.
IMPORTANT: In large-scale MOVE Multi-Platform deployments, use the MOVE SVA Manager to assign an IP address of the MOVE Multi-Platform OSS server to the requesting MOVE Multi-Platform clients. In this configuration, all OSS servers register themselves with the SVA Manager. The SVA Manager keeps a pool of active OSS servers and assigns a server to a requesting client from this pool. With this architecture, the SVA Manager must always be available to the MOVE Multi-Platform clients.
How does MOVE Agentless SVA establish a connection to the VMware vShield Manager?
The MOVE SVA communicates directly with the vShield Manager using API calls.
Is it possible to configure MOVE Agentless SVA Manager to failover for Disaster Recovery?
No. Technical Support can't help you with setup or configuration of a MOVE Agentless SVA Manager in an Active/Passive cluster solution because it is an unsupported configuration.
NOTE: Contact the vendor (VMware, Citrix, or Hyper-V) for support if the MOVE Agentless SVA Manager is configured in this manner.
What are the ports for communication with the MOVE Multi-Platform SVA Manager?
By default, the following ports are opened through the firewall installed on the MOVE Multi-Platform SVA appliance. Make sure that the firewall settings in your environment are configured to allow communication to these ports:
8080 - For communication between MOVE Multi-Platform SVA Manager and the client.
8081 - For communication between McAfee Agent and ePO.
8443 - For communication between MOVE Multi-Platform SVA Manager and the OSS.
Does MOVE support a dual stack network?
No. MOVE is not supported in a dual stack network (IPv6 is not supported).
Is there a script to reconfigure the SVA manager with new ePO information?
Yes. The script is: sudo /home/svaadmin/.sva-config
How do you unmanage an SVM Manager from ePO?
Use the following command: ./maconfig -provision -unmanaged
Can I access the SVM Manager via SSH?
Yes, but SSH is disabled by default. To enable SSH, start the SVA configuration utility (sudo /home/svaadmin/.sva-config) and toggle the Disable SSH setting accordingly (yes or no).
How do you disable deferred scan notifications during an On-Access Scan (OAS) in MOVE AV Multi-Platform?
To disable the deferred scan notifications:
Open the Action Center from the client computer.
Click All Settings.
Select Notifications & Actions in the left pane.
Disable notifications.
Does MOVE support the use of the ePO option to retain policy and client task settings?
No. MOVE does not support the use of this option. Technical Support recommends using the default settings.
Can MOVE On Demand Scan (ODS) resume a scan from a last scanned file?
No. MOVE ODS can't resume a scan after it has been interrupted.
Where can I find a list of all Event IDs for the MOVE Multi-Platform or MOVE Agentless Client?
What happens if a VM node does not have a supported version of VMware tools installed; is it reported in ePO?
No. ePO can't report any VM client details running outdated versions of VMware tools.
Can systems in the cloud be imported in ePO?
Yes. The Data Center Connector for vSphere helps you discover and import your virtual infrastructure in the ePO System Tree. The administrator can also view and query their virtualization properties, protection status, and security compliance using several dashboards and queries.
Are there any troubleshooting tools for MOVE?
Yes. A troubleshooting tool is run on the SVA Manager from the command line interface (CLI). For further details, see the MOVE Product Guides.
Can MOVE SVA Manager 4.5 communicate with MOVE Client 4.0 and MOVE SVM 4.0?
Yes. MOVE SVA Manager 4.5 can communicate with the MOVE Client 4.0 and MOVE SVM 4.0.
Is it possible to remotely access logs of an SVA?
No. Logs must be retrieved locally on the client.
Is the local database of previously scanned files and hashes retained on the MOVE 4.0 client when the client is rebooted?
Yes. There are two clean caches that contain the files and hashes. One is on the client and one is on the OSS (SVM) system. The cache is retained on the client even after a reboot. During a service restart, the cache is written to disk and then imported back into memory after the service has completed the restart. By default, the client cache entries are valid for 24 hours.
The OSS cache is purged (not retained) during the following actions:
DAT update
Service restart
GTI level change
System restart
Engine update
Does MOVE SVM send the client a list of all known hashes when the client connects or reconnects?
No. The client is not sent all known hashes.
When a MOVE client requests a file scan, are files locked down until the scan has completed? Or, is execution allowed and blocking applied after scan completion?
Until any scan is complete, the files remain in an action denied state. If the scan times out (45 seconds by default) and scanning is not complete, a Deferred Scan is initiated on the files. If scanning fails, access to the file is allowed, but the result is not cached.
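A small model of the client/OSS behaviour described in the two answers above (clean caches, the 45-second timeout, deferred and failed scans, and the OSS cache purge triggers). It is an added illustration, not McAfee code: the class and function names, the SHA-256 cache key, the stand-in scanner and the sample files are assumptions; the timeout, the 24-hour client cache validity and the purge events are the values the FAQ states.

```python
import hashlib
from enum import Enum

SCAN_TIMEOUT_SECONDS = 45             # default OAS scan timeout stated in the FAQ
CLIENT_CACHE_TTL_SECONDS = 24 * 3600  # client clean-cache entries are valid for 24 hours


class Verdict(Enum):
    ALLOW = "allow"                    # clean; result cached on client and OSS
    DENY = "deny"                      # threat found; access stays denied
    DEFERRED = "deferred"              # timed out; deferred scan started
    ALLOW_UNCACHED = "allow_uncached"  # scan failed: access allowed, nothing cached


def digest_of(data: bytes) -> str:
    """Cache key for a file (SHA-256 is an assumption; the FAQ only says 'hashes')."""
    return hashlib.sha256(data).hexdigest()


class OssCache:
    """Clean cache on the OSS (SVM). It is not retained across the events below."""
    PURGE_EVENTS = {"dat_update", "service_restart", "gti_level_change",
                    "system_restart", "engine_update"}

    def __init__(self):
        self.clean = set()

    def purge(self, event: str) -> bool:
        """Clear the cache if `event` is a purge trigger; return whether it was."""
        if event in self.PURGE_EVENTS:
            self.clean.clear()
            return True
        return False


class ClientCache:
    """Clean cache on the client: entries expire after 24 h and survive a restart."""

    def __init__(self):
        self.entries = {}  # digest -> time the clean verdict was cached

    def is_clean(self, digest: str, now: float) -> bool:
        cached_at = self.entries.get(digest)
        return cached_at is not None and now - cached_at < CLIENT_CACHE_TTL_SECONDS

    def add(self, digest: str, now: float) -> None:
        self.entries[digest] = now

    def service_restart(self) -> None:
        """Written to disk on stop and imported again on start: entries are kept."""
        self.entries = dict(self.entries)


def scan_on_oss(data: bytes, scan_seconds: float, fail: bool):
    """Stand-in for the OSS scanner (assumed): a 'threat' marker counts as a detection."""
    if fail:
        raise RuntimeError("scan failed")
    return b"threat" in data, scan_seconds


def request_scan(client: ClientCache, oss: OssCache, data: bytes, now: float,
                 scan_seconds: float = 1.0, fail: bool = False) -> Verdict:
    """Resolve a file access as the FAQ describes: denied until the scan completes,
    a scan over 45 s becomes a deferred scan, a failed scan allows without caching."""
    digest = digest_of(data)
    if client.is_clean(digest, now) or digest in oss.clean:
        return Verdict.ALLOW  # cache hit: no scan request is sent
    try:
        detected, elapsed = scan_on_oss(data, scan_seconds, fail)
    except RuntimeError:
        return Verdict.ALLOW_UNCACHED
    if elapsed > SCAN_TIMEOUT_SECONDS:
        return Verdict.DEFERRED
    if detected:
        return Verdict.DENY
    client.add(digest, now)
    oss.clean.add(digest)
    return Verdict.ALLOW


def run_demo() -> list:
    """Walk one constructed file through first scan, cache hit, expiry plus OSS purge."""
    client, oss = ClientCache(), OssCache()
    sample = b"constructed clean sample file"
    verdicts = [request_scan(client, oss, sample, now=0)]            # scanned: ALLOW
    client.service_restart()                                         # cache survives
    verdicts.append(request_scan(client, oss, sample, now=3600, scan_seconds=999))
    oss.purge("dat_update")                                          # OSS forgets the file
    verdicts.append(request_scan(client, oss, sample,                # client entry expired
                                 now=CLIENT_CACHE_TTL_SECONDS + 1, scan_seconds=999))
    return verdicts


if __name__ == "__main__":
    print(run_demo())  # [ALLOW, ALLOW (cache hit), DEFERRED (timed out after purge)]
```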
What happens to a MOVE client when its lease expires and it tries to re-request an SVM?
After the lease time expires, the client requests an SVM through the SVM Manager while remaining connected to the old SVM. Because the SVM Manager is unavailable, the request fails, but the client remains protected by the old SVM. Running the mvadm status command shows the SVM Manager in the Connecting state.
If the SVM Manager is unavailable, when will a MOVE client retry requesting an SVM assignment from the SVM Manager?
As long as policy is configured to do so, the client continues to request an SVM from the last SVM Manager it successfully connected to. These requests occur regardless of the state the SVM Manager is in.
What is the frequency of communication between a connected SVM and the SVM Manager?
The SVM sends a heartbeat message to the SVM Manager every second.
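A model of the three answers above: lease expiry, what happens while the SVM Manager is unreachable, and the per-second SVM heartbeat that keeps an SVM in the manager's pool. It is an added example, not McAfee code: the class names, the lease length, the least-loaded assignment rule and the "two missed heartbeats" liveness rule are assumptions; the stated behaviours (a client keeps its old SVM, status shows Connecting, retries go to the last manager that answered, a new client gets no SVM) are the ones in the FAQ.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEARTBEAT_INTERVAL = 1.0   # an SVM heartbeats to the SVM Manager every second (from the FAQ)
LEASE_SECONDS = 600.0      # assumed lease length; the FAQ does not give the value


@dataclass
class Svm:
    name: str
    clients: int = 0            # current load, used for least-loaded assignment (assumed)
    last_heartbeat: float = -1.0

    def heartbeat(self, now: float) -> None:
        self.last_heartbeat = now


@dataclass
class SvmManager:
    svms: Dict[str, Svm] = field(default_factory=dict)
    available: bool = True      # flip to False to simulate an outage

    def register(self, svm: Svm) -> None:
        self.svms[svm.name] = svm

    def pool(self, now: float) -> List[Svm]:
        """Active SVMs: last heartbeat at most two intervals old (assumed rule)."""
        return [s for s in self.svms.values()
                if s.last_heartbeat >= 0 and now - s.last_heartbeat <= 2 * HEARTBEAT_INTERVAL]

    def assign(self, now: float) -> Optional[Svm]:
        """Pick the least-loaded active SVM, or None when none is alive."""
        if not self.available:
            raise ConnectionError("SVM Manager unavailable")
        candidates = self.pool(now)
        return min(candidates, key=lambda s: s.clients) if candidates else None


@dataclass
class Client:
    name: str
    manager: SvmManager         # the last SVM Manager the client successfully reached
    svm: Optional[Svm] = None
    lease_expiry: float = 0.0
    manager_state: str = "Connecting"   # what 'mvadm status' would show (modelled)

    def request_svm(self, now: float) -> Optional[Svm]:
        """Ask the manager for an SVM; the old SVM is kept until a new one is granted."""
        try:
            new = self.manager.assign(now)
        except ConnectionError:
            self.manager_state = "Connecting"   # request failed: stay on the old SVM
            return self.svm
        self.manager_state = "Connected"
        if new is not None and new is not self.svm:
            if self.svm is not None:
                self.svm.clients -= 1
            new.clients += 1
            self.svm = new
        if new is not None:
            self.lease_expiry = now + LEASE_SECONDS
        return self.svm

    def tick(self, now: float) -> None:
        """Periodic check: (re)request an SVM when none is assigned or the lease expired."""
        if self.svm is None or now >= self.lease_expiry:
            self.request_svm(now)

    def protected(self) -> bool:
        return self.svm is not None


def run_demo() -> dict:
    """Constructed scenario: manager outage at lease expiry, then recovery."""
    mgr, svm_a, svm_b = SvmManager(), Svm("svm-a"), Svm("svm-b")
    mgr.register(svm_a)
    mgr.register(svm_b)
    for s in (svm_a, svm_b):
        s.heartbeat(0.0)
    old = Client("client-1", mgr)
    old.tick(0.0)                              # assigned svm-a (both idle)
    mgr.available = False                      # manager outage
    t = LEASE_SECONDS
    for s in (svm_a, svm_b):
        s.heartbeat(t)
    old.tick(t)                                # lease expired, re-request fails
    new = Client("client-2", mgr)
    new.tick(t)                                # new client cannot get an SVM
    out = {"old_keeps_svm": old.svm is svm_a, "old_state": old.manager_state,
           "old_protected": old.protected(), "new_protected": new.protected()}
    mgr.available = True                       # manager back; retries hit the same manager
    t += 5
    for s in (svm_a, svm_b):
        s.heartbeat(t)
    new.tick(t)                                # gets svm-b (least loaded)
    old.tick(t)                                # renews lease, stays on svm-a
    out.update({"old_state_after": old.manager_state, "new_svm": new.svm.name,
                "old_svm_after": old.svm.name})
    return out


if __name__ == "__main__":
    print(run_demo())
```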
Why does the client status still show Enabled when OAS has been Disabled?
This ambiguity was corrected in MOVE 4.6: when both OAS and ODS are disabled, the Protection Status of the client shows Disabled.
How can I tell which clients are protected by MOVE AV Agentless or MOVE AV Multi-Platform from the ePO System Tree?
Add the 'Agentless Anti Malware Protection Status' and Status columns to the ePO System Tree.
NOTE: Make sure that the Data Center Connector extension is installed in the ePO console.
Does MOVE AV detect threats that have been loaded into memory?
No. MOVE AV Multi-Platform and MOVE AV Agentless do not detect threats that have been loaded into memory.
Is it possible to configure a second SVA/SVM Manager to act as a fallback to the primary?
There is no built-in high availability scenario for the SVM Manager. See the high availability configuration information from your platform vendor.
Is it possible to find the 'AV Status' for a guest directly from vCenter to know in real time when the status of a VM becomes 'not protected'?
No. The status can’t be seen from the vCenter. The status is only available via ePO using the cloud connector ePO extension.
Why are there two IP addresses displayed in the SVA Manager?
One of the IP addresses is needed for the internal communication which is private between the SVA and the MOVE Agentless clients. This IP address is used by VMware Endpoint Security (EPSec).
With MOVE Agentless, is it possible to deploy the SVM via a script, as was possible in previous versions of MOVE Agentless?
No. This feature is no longer supported.
Does MOVE Agentless support the ability to use TIE?
No. The VMware NSX Manager does not currently support the ability to use TIE in the VMware Endpoint Security solution.
Under what conditions is the NSX Threat Found tag available in the vCenter?
The user can see the tag in the vCenter when the policy option Action is set to Deny access to files.
The user is not able to see the tag when the Action is set to either:
Delete files automatically and quarantine.
Delete files automatically.
In these cases the VM is tagged and the tag is removed immediately, because the threat is deleted right away. The process is fast.
What is the total character limit for Excluded Paths under Path Exclusions and Process Exclusions?
For MOVE Agentless, the maximum Path Exclusion is 260 characters.
How is the scanning of large files handled by MOVE Agentless?
Regardless of file size, the complete file is transferred for scanning.
Can the scan diagnostics tool be directed at a single MOVE Agentless client?
No. The scan diagnostic task only shows the statistics for all protected VMs; it is not possible to analyze a single/specific client.
Does MOVE Agentless scan running processes?
No. It does not scan running processes, but when a running process opens a file, the file gets scanned.
Are there no Low-Risk Processes with MOVE Agentless because of a lack of support in the vShield Endpoint?
Yes. It is a VMware Endpoint limitation.
If MOVE Agentless can't exclude processes, what is the best practice to exclude, for example, backup processes?
Because MOVE Agentless does not support process exclusions as a result of the vShield limitation, there is no way to exclude backup processes.
Can MOVE Agentless scan Network drives like MOVE Multi-Platform?
This feature has been added to MOVE AV Agentless 4.0 and later versions. Previous versions of MOVE AV Agentless do not possess this ability.
Which source repositories does the security update use to pull updates?
MOVE Agentless SVM installs all security updates directly from the Ubuntu repositories.
How often does the security AutoUpdate run?
MOVE Agentless SVM checks for security updates once per day.
Is it possible to check for security updates manually?
Yes. To check for security updates, run the following command: sudo unattended-upgrade --debug --dry-run
Is it possible to run the security AutoUpdate manually?
Yes. Run the following command to manually install the security updates: sudo unattended-upgrade -d
Is there a tool to help customers migrate VSE path exclusion policies to MOVE Agentless?
No. VSE exclusions are not compatible with MOVE Agentless and that is why there is no option to import them.
Is it possible to create path exclusions for MOVE Agentless?
Yes.
NOTE: Wildcards are supported, but environment variables are not supported.
How many clients can be supported in a VDI environment with a single Agentless SVA, with default settings?
This number depends on the load on the client VMs. Under normal load conditions, 200 clients per SVA are the standard recommendation. Under extreme load conditions, SVA supports fewer clients.
What are the benefits of installing the Data Center Connector regarding MOVE Agentless?
The following reporting benefits apply:
Deployment of SVM to vCNS environment.
Deployment of SVM to NSX environment.
Protection status of VMs.
Can a user put the ESX host in maintenance mode without performing a manual shutdown of the SVA appliance first?
There are two scenarios to consider:
For an NSX Manager environment, the NSX Manager turns off the MOVE SVA and Guest Introspection when the host enters maintenance mode and turns them back on when the host exits maintenance mode.
For a vCNS environment, auto shutdown is not available, and the user has to shut down the MOVE SVA manually before putting the host into maintenance mode.
How do I remove tasks that are stuck on the MOVE Job Status/Deployment status page of ePO?
To clean up any stale job entries from the database for SVM deployment/upgrade cases, run the SQL query delete from [dbo].[DC_AL_JOB_STATUS] where JOB_STATUS = 'QUEUED';
Can a Targeted On Demand Scan (TODS) be run on clients with the same name, but different UUIDs?
No. Client names must be unique to make sure that a TODS runs successfully.
Why does MOVE Agentless 4.5.x send policy setting deletion events back to ePO every hour?
When PPVM is enabled, MOVE Agentless aggregates all policies into an aggregated policy object. The policy object is deleted after policy assignment occurs. Each time the aggregated policy object is deleted it is reported back to ePO and logged in the Audit logs. This behavior is considered normal.
When an SVM Manager failure occurs, is the clients' default behavior to continue to work with their current SVAs?
Clients continue to talk to the SVM already assigned to them. If new clients are added, they do not receive an SVM because they are unable to reach the SVM Manager.
Which hypervisor supports the MOVE AV Multi-Platform SVM Auto Scale feature?
VMware ESX is the only hypervisor for which the new MOVE AV Multi-Platform 4.0 Auto Scale feature is implemented.
What is the total character limit for both Excluded Paths and Processes under Path Exclusions and Process Exclusions?
For MOVE Multi-Platform, the maximum number of characters is:
Path Exclusion: 260 characters
Process Exclusion: 100 characters
Is a Client protected while the SVA Manager is unavailable?
Yes.
What are the maximum concurrent scans for on-demand scan (ODS) and Targeted on-demand scan (TODS)?
The maximum number of concurrent scans for ODS and TODS is 2. Any more increases the load on the OSS/Hypervisor, with the potential to result in an increased OAS time or decreased response time.
What is the mvagent.cache file found on Multi-Platform clients?
This file is created when a user disables the AV protection. The cached entries on the client side are dumped into this file and are loaded back to memory when the user re-enables the protection. The file resides in the installation directory.
What happens when the Primary OSS fails?
The primary OSS will remain in standby after it recovers from failure, and the secondary OSS remains the active OSS.
Under what circumstance is the client cache file not populated?
When the file is smaller than the size mentioned in the 'Scan result cache' client policy, the file is transferred completely to the OSS. Otherwise, only relevant bytes requested by the McAfee scan engine, during the scan, are sent.
What happens after a deferred scan times out?
The file is allowed access and a fail-open happens.
Do primary and secondary OSS maintain a connection to each other for status monitoring and failover?
No. The endpoints themselves maintain a connection to both OSSs to monitor the status and perform a failover. The failover occurs if the MOVE agent can’t reach the primary; it then tries the secondary.
How is the scan load on the OSS handled?
When the primary and secondary are configured via ePO, there is no awareness of overload on the OSS. If an SVA Manager is used to assign the clients to an OSS, the SVA Manager takes care of monitoring the load on the OSS.
What happens to the files sent for scanning to the OSS?
The files will be deleted after the scan is completed.
Does MOVE AV Multi-Platform scan running processes?
No. It does not scan running processes, but when a running process opens a file, the file gets scanned.
Why do scan timeouts occur?
The McAfee antivirus products have an intentional cut-off time when the scan of a particular file must stop, and the scan time-out feature is intended to prevent a denial-of-service.
For details, see KB55869 - Explanation of why scan time-outs occur.
How are the clients protected when the OSS is not available?
Currently, the file is fail-opened if the scan server is unavailable. There is a socket connection established between the client and server. When the server goes down, the client does not send the file, and no network traffic is generated.
Can quarantined files be restored?
There is a Restore from quarantine client task available from ePO.
The client-side command-line options are as follows:
mvadm.exe q - Lists the currently quarantined files.
mvadm.exe q restore <detected as> - Restores all files of the detection type specified in the "detected as" parameter. Make sure that either the protection is disabled, or the file is excluded from scanning. The actions prevent the restored file from being detected again.
Is it possible to transfer scan cache into a file?
Yes. On the Multi-Platform client, run the command mvadm disable. The cache file gets saved to the installation directory named mvagent.cache. On the Multi-Platform Server, run the command mvadm cache save <filename>.
Is a system authentication needed during a scan file transfer?
No. There is no authentication undertaken from a Multi-Platform client when a file is sent for scanning to the OSS.
Can wildcards be used when configuring the process exclusion list in MOVE Multi-Platform?
No. Process exclusion in MOVE Multi-Platform does not support the use of wildcards.
Can an on-demand scan be performed on a network drive?
MOVE Multi-Platform supports network scanning of files with OAS. On-demand Scans can't be performed on network drives. The reason is that MOVE Multi-Platform is a service that runs under the system account, so it does not see network drives mapped for individual users logged on during the on-demand scan.
What is the impact of enabling Network File Scanning?
MOVE Multi-Platform network scanning essentially comes with double the network impact. This impact is because it must first transfer the file from the network to the local system, then transfer the file to the SVA for scanning. Thus, essentially, the file is being transferred over the network twice.
IMPORTANT: When you are concerned about performance, do not use network scanning, even for traditional VSE. Instead, scan the file at its source. If it is dirty, you are denied access and no data is transferred over the network. If it is clean, the file is transferred. You use less network bandwidth, and the user sees better performance.
NOTE: The virtual machine must be restarted after enabling the network scanning policy.
Where are the OSS log files located?
Under the OSS installation directory C:\Program Files (x86)\McAfee\MOVE AV Server\mvserver.log. NOTE: They are available only after enabling DEBUG logging.
How is the scanning of large files handled by MOVE AV Multi-Platform?
When a large file is opened on the same client for a second time, it is scanned again only if the file has been changed. A file copy is always considered as a file change and is always sent for scanning.
What On-Demand events are generated?
When an on-demand scan starts, an event is sent to the ePO server, which gives details of the Virtual Machine. The complete details are also available in the OSS server logs after DEBUG logging has been enabled.
Are both scans on read/write needed?
Yes. Disabling scan on read is not advised, because a large group of malware infects files using the on-read method.
How does the Certificate Revocation check option for MOVE AV Multi-Platform 4.5 OAS work?
This option is used for the Windows Publisher Trust feature. The parameters defined allow you to set how the revocation workflow occurs.
When none is selected, the certificate revocation check is not called.
When for end Certificate locally is selected, a check is made to determine whether the end certificate of the file is valid or has been revoked. The check is made from the Windows CRL that Windows maintains locally (local cache) and not over the network.
When full certificate chain locally is selected, a check is made of the complete certificate chain. A particular digitally signed file is checked against the local CRL (local cache) maintained by Windows and not over the network.
When for end certificate locally and by getting CRL from issuing CA is selected, a check is made against the local CRL list maintained by Windows (local cache). A check is also made against the issuing CA’s CRL over the network.
What advantages does MOVE AV Multi-Platform offer over traditional endpoint security?
The advantages are covered in the following publicly available document:
Can the scan diagnostics tool be directed at a single MOVE AV Multi-Platform client?
No. The scan diagnostic task only shows the statistics for all protected VMs; it is not possible to analyze a single or specific client.
NOTE: For the scan diagnostic tool to collect data successfully, file activities must be triggered on the client system.
What is the function of the MOVE AV Multi-Platform Offload Scan Server (OSS)?
OSS is an application built on a Windows platform, which performs the heavy scanning workload with VirusScan Enterprise.
Does MOVE 4.0 Support Endpoint Security Threat Prevention (ENS) 10.x?
No. Currently only VSE 8.8 is supported on the OSS.
How is the MOVE AV Multi-Platform OSS workload calculated?
The OSS load percentage is calculated as follows:
OSS load (%) = (Number of endpoints connected to the OSS / Maximum number of endpoints that can be connected to the OSS) multiplied by 100.
NOTE: The number of clients that an OSS can handle optimally depends on the load on the client VMs. With higher load conditions, more OSSs are needed.
How does the MOVE AV Multi-Platform OSS avoid scanning the same file?
This avoidance of duplicate scanning is achieved by the OSS global cache. The cache avoids scanning the same file from requests that come from different MOVE AV Multi-Platform clients. If the file is scanned and found clean, it is added to the server cache file and not scanned again. The location of the file is: C:\Program Files (x86)\McAfee\MOVE AV Server\evt_cache.
When a VM accesses a file and places it in the Multi-Platform OSS global cache, how long does it remain in the cache?
By default it is retained for one day. This cache is not persistent; the following reasons lead to the cache being flushed:
DAT updates.
Enabling scanning archives.
Increasing the GTI sensitivity.
Enabling potentially unwanted program scanning.
If the file was not accessed for 24 hours, the hash is removed from cache.
NOTE: The flushing of the cache is, by default, set to occur at a predefined time. This value is configurable.
What are the key features of using the Multi-Platform OSS global cache?
The following benefits are achieved using this technology:
Independent client and offload scan server cache size. This feature allows the shared server cache to be larger and improves the hit rate of the shared cache.
OSS’s cache is no longer pulled to the clients, which avoids cache poisoning.
Temporary cache of large file scan results, which improves subsequent large file access performance.
Client cache persists across system restart, improving boot time and overall performance.
Staggered cache expiration, which reduces the performance impact of configuration changes and DAT updates.
Scan results for network and removable drives are no longer cached, improving security.
Client uses a connection pool, which allows predictable scalability and removes the risk of a single client saturating the MOVE OSS.
Is it possible to repopulate the Multi-Platform OSS global cache after a DAT update? (For importing after one server scans a golden image)
Yes. Run an on-demand scan on the golden image. The on-demand scan repopulates the cache. After the cache is populated, provision the VMs from this golden image.
What account does MOVE Multi-Platform OSS use when scanning VMs?
The OSS only scans the file; it is the client system that blocks access or deletes the file.
Why are files stored under User directories (such as Desktop, My Documents) not scanned with MOVE Multi-Platform when the folder is redirected using Distributed File System (DFS)?
As long as the DFS folder is set up as a network share, MOVE Multi-Platform scans it.
Is there a way to calculate the number of VMs that a MOVE Multi-Platform OSS can handle?
No. But, it is possible via the MOVE Multi-Platform SVA Manager to control the number of clients connecting to OSS. See the section “Configuring client load per SVM (Multi-Platform)” from any of the MOVE Multi-Platform 4.6 or later Product Guides.
How does a client associate (stick) with a Multi-Platform OSS scanner?
An OSS needs to be assigned to a client via the SVA Manager first. Only after that does protection become available to the client, and it then starts sending scan requests to that OSS.
Does MOVE Multi-Platform support the same Low-Risk process Exclusions as available in VSE?
Yes. MOVE Multi-Platform uses the same technical functionality as VSE does regarding the Low-Risk process exclusions.
Is there a tool to help customers migrate VSE path exclusion policies to MOVE Multi-Platform?
Yes. See the section "Using the Import option" in the relevant Multi-Platform product guide. These exclusions are seamlessly imported via an XML file. There is also an option to purge the existing exclusions before an import takes place.
Is the SVA and SVM the same device in the MOVE Multi-Platform architecture? If not, how do they differ?
They are not the same. The SVM is an OSS that handles the scanning. The SVA is an SVA Manager that handles load balancing for SVM.
Is it possible to tell which SVM is not connected to the SVM manager?
If the SVM is connected to the SVM Manager and disconnected later, run the MOVE AntiVirus SVM Manager: SVM Registration Events report.
Does MOVE Multi-Platform architecture require an SVA or an SVM?
This requirement depends on the load.
If the number of clients is small, there is no need for an SVA Manager.
If the number of clients is large, it is advantageous to implement load balancing of the SVM using an SVA Manager.
Is it possible to prevent a local administrator from stopping the MOVE Multi-Platform Services?
Yes. A new password-protected CLI allows the ePO administrator to configure a password for mvadm commands via the ePO interface. Without the password, users or local admins can't access the mvadm command interface to change the integrity level and can't access the service restart.
How much disk space is used/needed when deploying the MOVE Multi-Platform SVM Manager 4.5?
The SVM Manager is an OVF, so the hard drive comes bundled. By default, the SVM Manager 4.5 has a 16-GB hard disk bundled with it.
What is the function of the SVA Manager?
The SVA Manager is a Virtual Appliance used to match up an endpoint with its OSS. This function requires almost no traffic to occur and only happens when the endpoint needs a new scanner assigned. After it has one, it stays with it. Most customers need only a single SVA Manager for their whole enterprise. If the SVA Manager goes offline, the relationships between OSS and clients are unaffected. ePO directly manages the SVA.
What happens when a MOVE Multi-Platform SVA Manager becomes unavailable?
Any client that has an OSS IP address continues to use it while the SVA Manager is offline. Under this condition, when the client can't reach an OSS for any reason, it fails open and allows access.
Is there any way for the policies to notify the administrator when the number of Multi-Platform connected endpoints is reached?
Yes. The maximum number of connected endpoints depends on the load setting configured. The load settings are in the OSS General policy under Client loads. The settings can be made for Heavy load (150 clients), Medium (250 clients), Low (300 clients), and Custom (user-defined). The Threshold for OSS Capacity option on the Events tab is used to establish a percentage threshold (example 90%). The threshold forces any event at or above the value set to be sent to ePO. When the threshold is met or exceeded, an alert is generated. This alert helps the ePO administrator determine if there is a need to provision any additional OSS in the current environment.
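The following added example (not McAfee's code) applies the OSS load formula from "How is the MOVE AV Multi-Platform OSS workload calculated?" together with the Client loads profiles and Threshold for OSS Capacity setting described above, and goes one step further than the FAQ by working out how many OSSs keep an even spread of clients below the alert threshold. Profile sizes and the threshold semantics come from the FAQ; the planning arithmetic is this example's own.

```python
"""Model the OSS load percentage and the Threshold for OSS Capacity alert.

Added example, not McAfee's code. Profile sizes (Heavy 150, Medium 250,
Low 300, Custom) and the alert rule (event sent when load is at or above
the threshold) are taken from the FAQ; oss_needed() is this example's own
capacity-planning step.
"""
from __future__ import annotations

import math

# Maximum clients per OSS for each Client loads setting in the OSS General policy.
CLIENT_LOAD_PROFILES: dict[str, int] = {
    "heavy": 150,
    "medium": 250,
    "low": 300,
}


def max_clients(profile: str, custom: int | None = None) -> int:
    """Resolve a profile name (or 'custom' with an explicit value) to a client cap."""
    if profile == "custom":
        if custom is None or custom <= 0:
            raise ValueError("custom profile needs a positive client count")
        return custom
    return CLIENT_LOAD_PROFILES[profile]


def oss_load_percent(connected: int, profile: str, custom: int | None = None) -> float:
    """(endpoints connected to OSS / max endpoints for the OSS) * 100, as in the FAQ."""
    return connected / max_clients(profile, custom) * 100.0


def threshold_alert(connected: int, profile: str, threshold_percent: float = 90.0,
                    custom: int | None = None) -> bool:
    """True when the load is at or above the Threshold for OSS Capacity value."""
    return oss_load_percent(connected, profile, custom) >= threshold_percent


def oss_needed(total_clients: int, profile: str, threshold_percent: float = 90.0,
               custom: int | None = None) -> int:
    """Smallest number of OSSs so that an even spread of clients never alerts."""
    cap = max_clients(profile, custom)
    # Largest per-OSS client count that stays strictly below the alert threshold.
    per_oss = math.ceil(cap * threshold_percent / 100.0) - 1
    if per_oss < 1:
        raise ValueError("threshold too low to host any client without alerting")
    return math.ceil(total_clients / per_oss)


if __name__ == "__main__":
    # Constructed planning scenario: 1000 VDI clients, 90% threshold.
    for profile in CLIENT_LOAD_PROFILES:
        print(f"{profile:>6}: {oss_needed(1000, profile):d} OSS(s) needed for 1000 clients")
    print("135 clients on a heavy-load OSS alerts:", threshold_alert(135, "heavy"))
```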
Why is the SVM 4.5.0.268 not connecting to the SVM Manager 4.5?
With the release of MOVE AV Multi-Platform 4.5.0.257, TLS 1.2 is used for secure communication. For an SVM to communicate with the SVM Manager, all MOVE AV Multi-Platform components must be upgraded to the latest hotfix.
NOTE: All SVM/client hotfixes released after MOVE 4.5.0.257 can communicate with SVM Manager 4.5.0.257 and later (because of the TLS 1.2 change mentioned).
How does a change in the TIE reputation get handled when the endpoint already has the file hash in its local cache?
Reputation changes are received at SVM through the DXL fabric. The SVM cache is updated with the new reputation and it is propagated to each client. Clients have only the Known Trusted TIE reputation cached for any file. If it is changed from Known Trusted to another reputation level, it updates the cache. The entry is removed and then actions based on the configuration set in the policy (on the next access of the file) are undertaken.
Are customers expected to update/maintain McAfee Agent on the MOVE AV Multi-Platform SVM client and SVM Manager, or are updates released via a new OVF?
MOVE supports upgrades of McAfee Agent on MOVE SVM and SVM Manager.
Do client-side log entries similar to Cache Hit, Not Scanning indicate that the file was not scanned again because it is found in the Scan Cache?
Yes, these log entries mean that the file was not scanned again because it is present in the cache. After a file is scanned and considered clean, it is added to the scan cache on the client side. If it is changed or the cache entry expires, the file is then rescanned.
If a file must be sent to MOVE AV Multi-Platform to be scanned, is it sent encrypted or unencrypted?
In MOVE AV Multi-Platform, there are two ways files are transferred to the scanning appliance (SVM):
If the file size is smaller than the default threshold (40 MB), the complete file is sent to the SVM unencrypted.
If the file size is larger than the default threshold, the file is sent in chunks (offset of the file) when requested by the SVM, and then scanned.
MOVE AV Multi-Platform keeps hitting .TMP files and handling them as an archive. How can I tell if a .TMP file is an archive or not?
To determine if a .TMP file is an archive file, open it in Notepad or Ultraedit, and check the file header. You can also use a free tool, such as Exeinfo, to determine the filetype.
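The header check described above can be done without opening each file in an editor. The following added example (not McAfee's code) reads only the first few bytes of a file and matches them against the published signatures of common archive containers, so a .TMP file that is really a ZIP, 7z, RAR, gzip, bzip2, xz or CAB archive is reported as such; the sample files it creates are constructed for the demonstration.

```python
"""Classify .TMP files as archives (or not) by their header bytes.

Added example, not McAfee's code. The magic bytes below are the public
format signatures of each archive container.
"""
from __future__ import annotations

import os
import tempfile

# Leading bytes that identify each archive container.
ARCHIVE_SIGNATURES: dict[str, tuple[bytes, ...]] = {
    "zip": (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),
    "gzip": (b"\x1f\x8b",),
    "7z": (b"7z\xbc\xaf\x27\x1c",),
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),
    "bzip2": (b"BZh",),
    "xz": (b"\xfd7zXZ\x00",),
    "cab": (b"MSCF",),
}

HEADER_LEN = 8  # the longest signature above is 8 bytes


def identify_archive(header: bytes) -> str | None:
    """Return the archive type for the given header bytes, or None if unknown."""
    for name, signatures in ARCHIVE_SIGNATURES.items():
        if any(header.startswith(sig) for sig in signatures):
            return name
    return None


def classify_file(path: str) -> str | None:
    """Read only the first HEADER_LEN bytes of a file and classify it."""
    with open(path, "rb") as fh:
        return identify_archive(fh.read(HEADER_LEN))


def scan_tmp_files(directory: str) -> dict[str, str | None]:
    """Classify every .tmp file directly inside a directory (not recursive)."""
    results: dict[str, str | None] = {}
    for entry in os.scandir(directory):
        if entry.is_file() and entry.name.lower().endswith(".tmp"):
            results[entry.name] = classify_file(entry.path)
    return results


if __name__ == "__main__":
    # Constructed samples: one file with a ZIP local-header signature, one plain text.
    with tempfile.TemporaryDirectory() as tmpdir:
        with open(os.path.join(tmpdir, "a.tmp"), "wb") as f:
            f.write(b"PK\x03\x04" + b"\x00" * 26)
        with open(os.path.join(tmpdir, "b.tmp"), "wb") as f:
            f.write(b"just some temporary text\n")
        for name, kind in sorted(scan_tmp_files(tmpdir).items()):
            print(f"{name}: {'archive (' + kind + ')' if kind else 'not an archive'}")
```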
What causes Event ID 36993 (OSS average scan time threshold hit) and Event ID 36994 (OSS average scan time threshold restored) to repeatedly occur in MOVE AV Multi-Platform 4.0 SVM?
These events are triggered when the average scan time of the SVM is more than the configured value. By default, this value is 5 minutes.
When the primary SVM goes down and VMs automatically connect to the secondary SVM, do the VMs automatically revert to the primary SVM when it recovers?
No. Even though the primary SVM has recovered, the VMs remain connected to the secondary SVM until it goes down.
Can Deferred scan notifications during OAS be disabled in MOVE AV Multi-Platform 4.6?
Yes. Follow the steps below to disable the deferred scan notifications:
Open the Action Center from the client computer.
Click All Settings.
Select Notifications & Actions from the left pane.
Disable notifications.
Does MOVE AV Multi-Platform support encrypted channel communication between the client and SVM?
No.
Does MOVE AV Multi-Platform support encrypted channel communication between the client and SVM Manager?
No.
Does MOVE AV Multi-Platform support encrypted channel communication between the SVM and SVM Manager?
Yes.
EOL period—The time frame that runs from the day McAfee announces product discontinuation, until the last date that McAfee formally supports the product. In general, after the EOL period is announced, no enhancements are made.
EOL date—The last day that the product is supported, according to the terms of the McAfee standard support offering.
Product Documentation
For McAfee product documents, go to the Enterprise Product Documentation portal at https://docs.mcafee.com.