FAQs For Management For Optimized Virtual Environments
Essentials
Environment
McAfee Management for Optimized Virtual Environments (MOVE)
McAfee MOVE AntiVirus (AV) Agentless 4.x, 3.6.1
McAfee MOVE AV Multi-Platform 4.x, 3.6.1
Summary
This article is a consolidated list of common questions and answers. It is intended for users who are new to the
product, but can be of use to all users.
February 25, 2019: Added one FAQ to the Functionality – MOVE Agentless and Multi-Platform section: Does MOVE support the use of the ePO option to retain policy and client task settings?
February 19, 2019: Added one FAQ to the Install, Upgrade, or Migrate – MOVE Agentless section: Can I provide the same NSX Manager name while registering NSX Manager details on the MOVE AntiVirus Deployment configuration page?
July 13, 2018: Added one FAQ to Functionality - MOVE Multi-Platform specific: Does MOVE AV Multi-Platform support encrypted channel communication between the SVM and SVM Manager?
March 5, 2018: Deleted one FAQ from the Functionality section and made it a separate article.
March 2, 2018: Created collapsible sections.
McAfee® Management for Optimized Virtual Environments AntiVirus (McAfee® MOVE AntiVirus) 4.8
Essentials
General
What is MOVE?
MOVE is the family name for two related Management for Optimized Virtual Environments (MOVE) products. Virtual
Machines (VMs) running on server-class systems that contain virtualization software, including VMware ESX or Citrix
XenServer, need an anti-virus application running on each VM on a hypervisor. (Hypervisor is a general term that
describes virtualization software such as VMware ESX, Citrix XenServer, and Microsoft Hyper-V.)
Running an anti-virus application on each VM on a hypervisor causes high usage of resources such as disk, CPU,
and memory, which results in a reduced VM density per hypervisor. MOVE AV solves this issue by offloading all On-
Access Scanning (OAS) to a dedicated VM that runs VirusScan Enterprise (VSE). There is no need to install a
traditional anti-virus application such as VSE on each VM. The dedicated VM improves performance and allows an
increased VM density per hypervisor.
Component: Description
Security Virtual Appliance (SVA): Provides anti-virus protection for VMs and communicates with the loadable kernel module on the hypervisor, ePolicy Orchestrator (ePO), and the GTI servers. The SVA is the only system directly managed by ePO, but you can install McAfee Agent and other McAfee products on VMs. VirusScan Enterprise for Linux, McAfee Agent, and MOVE AV Agentless come preinstalled.
ePO: Allows you to configure policies to manage MOVE AV Agentless and provides reports on malware discovered in your virtual environment.
File Quarantine: Remote quarantine system, where quarantined files are stored on an administrator-specified network share.
Global Threat Intelligence (GTI): Classifies suspicious files that are found on the file system. When the real-time malware defense detects a suspicious program, it sends a DNS request for analysis to a central database server hosted by McAfee Labs.
Hypervisor (ESXi): Allows multiple operating systems to run concurrently on a hosted system. The hypervisor is a virtual operating platform that manages the execution of the guest operating systems. ESXi is an embedded hypervisor for servers that runs directly on server hardware without requiring another underlying operating system.
VMware vCenter: Console that manages the ESXi servers, which host the guest VMs that require protection.
vCloud Networking and Security Manager: Manages the vShield components for the SVA and VMware vShield Endpoint, and monitors the health of the SVA.
Virtual Machines (VMs): Isolated guest operating system installations in a normal host operating system that support both virtual desktops and virtual servers.
VMware NSX Manager: Console that allows you to configure, provision, and automate the protection on the endpoints in a data center.
Component: Description
SVA Manager: Automatically assigns offload scan servers to MOVE Multi-Platform clients based on configurable parameters like Scan Server load, ePO tags, and IP address ranges.
ePolicy Orchestrator (ePO): Communicates with the McAfee Agent, manages the Multi-Platform configuration, and provides reports on Malware discovered in your virtual environment.
McAfee Agent: Communicates with ePO, applies policies to each virtual machine, and deploys the MOVE AV Multi-Platform client.
Hypervisor: Allows multiple operating systems to run concurrently on a hosted system. The hypervisor is a virtual operating platform that manages the execution of the guest operating system.
MOVE AV client: Allows virtual machines to interact with the offload scan server (OSS) for file scanning and malware detection. Enforces actions on the client when a threat is detected.
MOVE AV client extension: Provides policies and controls for configuring and managing the behavior of the MOVE AV client through ePO.
MOVE AV Offload Scan Server: Provides offloaded scanning support for virtual machines, which minimizes the performance impact on virtual desktops.
MOVE AV Offload Scan Server extension: Provides policies and controls for configuring and managing the behavior of the MOVE AV offload server through ePO.
VirusScan Enterprise: Provides anti-virus protection for the offload scan server VM and communicates with the GTI servers.
How do I generate a MER file for MOVE AntiVirus Multi-Platform SVA Manager?
See KB83779 for instructions on how to generate a MER file for MOVE AntiVirus Multi-Platform SVA Manager.
• MOVE AV Multi-Platform: Offload Scan Server (OSS) has changed to Security Virtual
Machine (SVM). Security Virtual Appliance Manager (SVA Manager) has changed to Security
Virtual Machine Manager (SVM Manager).
• MOVE AV Agentless: Security Virtual Appliance (SVA) has changed to Security Virtual
Machine (SVM).
• On-Demand Scans/On-Access Scans - In MOVE AV 4.0, there are now two separate policies,
one for the on-access scanner (OAS) and one for the on-demand scanner (ODS).
• New Multi-Platform 4.0 SVM Auto Scale feature has been added. Define the SVM auto scale
settings, so that the SVM deployment starts automatically depending on the number of clients
connecting to the SVM for protection.
How long is the trial period for MOVE and if less than 90 days, is it possible to get a 90-day trial license?
The trial length is 90 days and extensions are not granted, but that does not mean that the product ceases to work.
MOVE functions normally after the 90-day trial has been exceeded. A reminder notification appears and remains until
the MOVE license extension is installed. At that point, the trial version is converted to a fully licensed version.
Compatibility
What guest platforms does MOVE Multi-Platform support?
For a complete list of supported guest platforms, see KB74865.
Are MOVE AV Multi-Platform 4.0 clients and SVM compatible with the MOVE AV Multi-Platform 4.5 SVM
Manager?
Yes. The MOVE AV Multi-Platform 4.5 SVM Manager can be used with the MOVE AV Multi-Platform 4.0 Client and
SVM.
Are there any plans to cover the Linux operating system (OS) by MOVE Agentless?
MOVE Agentless supports the Linux OS only when VMware supports it. MOVE Agentless supports all operating
systems supported by VMware Endpoint Security. For a list of operating systems that are supported with the VMware
vShield Endpoint Thin Agent that is used with the MOVE products, see:
https://kb.VMWare.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1036847
Can MOVE Multi-Platform run in Virtual Desktop Infrastructure (VDI) mode with VMware Horizon 6, for non-
persistent VMware images that close as a user logs off and goes back to a gold image state?
Yes.
Can the MOVE Multi-Platform SVA Manager work in a Microsoft Hyper-V environment?
Yes. You must convert the SVA Manager when you import the (.ova) package to the Hyper-V server. An (.ova)
package is a tar archive file with the OVF directory inside.
Do I need to purchase the NSX Manager because VMware is stopping support for vCloud Networking and
Security (vCNS)?
No. If you have vSphere Essential Plus or later, the NSX manager is free. It can only be used to manage endpoint
anti-virus policies though.
For additional details about vCNS, see the VMware FAQ article 2110078:
https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2110078
NOTE: AHV is the new name for Kernel-based Virtual Machine (KVM).
How do you check the MOVE-AV-AL_SVM_Pkg_4.5.1.227.zip package into the ePO 5.3.2 Master Repository?
The MOVE 4.5.x SVM package is not meant to be checked in to the ePO Master Repository. Check it into the SVM
Repository. The SVM Repository is on the MOVE AntiVirus Deployment Page under General, Configuration Settings.
Is it possible to selectively install the MOVE Agentless vShield driver on a single client via an SVA
deployment?
No. It is not possible to selectively install the vShield driver on the clients with an SVA deployment. By default,
installation is tried on all VMs.
Is it possible to upgrade from MOVE Multi-Platform 2.6.2 directly to MOVE Multi-Platform 4.5?
No. You must upgrade MOVE Multi-Platform 2.6.2 to MOVE Multi-Platform 3.6.1, and then you can upgrade to MOVE
Multi-Platform 4.5.
Can ePO be used to update the MOVE Agentless SVA automatically with updates and hotfixes?
ePO can be used to apply product hotfixes and updates.
What are the minimum cloud account rights required for MOVE Agentless SVA deployment?
For details, see the MOVE Agentless 3.6.1 Product Guide (PD26121).
How many SVAs need to be deployed for any given number of data centers?
For a MOVE Agentless solution, one SVA per host is required regardless of the size of the data center. In a MOVE
Agentless deployment, it is not possible to set up a secondary SVA for failover. The inability to set up a secondary
SVA for failover is a VMware limitation.
What user permissions are required to successfully install the MOVE Agentless vShield driver?
All domains that are part of protected VMs have to be added to the ePO LDAP server registration page. The
user must have domain admin rights for the vShield driver to be installed successfully on the VM clients,
because ePO has to access these client VMs remotely to install the endpoint driver and only domain
administrators have the permission to do so.
For MOVE Agentless, what are the software requirements for vCloud Networking and Security Manager?
To use the MOVE Agentless software, all VMware vCNS software components must be installed for this anti-virus
solution to work. The components include:
• vShield Manager
• vShield Endpoint plug-in for ESXi Host
• vShield Endpoint Thin Agent for VM Guest
NOTE: Although VMware NSX (optional) is not part of the VMware vCNS security solution, it
does make deployment and setup much easier for customers.
When migrating a Virtual Guest system to another hypervisor because of operational needs, which OSS is
responsible for scanning the migrated Virtual Guest? Also, do I need to point the migrated Virtual
Guest manually to the local OSS running on the other Hypervisor, or is it assigned automatically based on
ePO Policy/Hypervisor Integration?
The clients are always automatically protected wherever you migrate them, so long as the clients can communicate
with the OSS.
Must I convert the .vmdk file (part of SVA Manager appliance) into a .vhd file using the Microsoft Virtual
Machine Converter software, or are the files provided?
The MOVE Multi-Platform Product Guide, under the "Requirements for SVA Manager" section states that: To deploy
on a Hyper-V, convert the .vmdk file (part of SVA Manager appliance), into a .vhd file and then attach .vhd file as a
hard disk to the new VM in Hyper-V. To convert .vmdk to .vhd, you can use the Microsoft Virtual Machine Converter
software. The SVA Manager package is bundled with the required files. Customers only need to deploy the package.
Can I upgrade directly from MOVE Multi-Platform 3.6.0 to the 3.6.1 hotfix?
Yes. All MOVE Multi-Platform hotfixes include all previous resolved 3.6.0 and 3.6.1 hotfix issues.
Is a mixed environment supported (backward compatibility) with the SVA Manager and the OSS/clients while
upgrading?
This support is given only for a short period where a customer is upgrading (for example from 3.5 to 3.6.1). It is
recommended to have all products upgraded to the same version as soon as possible.
Can I upgrade the SVA Manager operating system if the operating system prompts me to upgrade?
No. When you see the message "New Release 'Version' available," this message must be ignored, because updates
are incorporated automatically with new releases of the SVA Manager appliance.
CAUTION: Trying to upgrade the operating system using this method might result in the SVA Manager appliance
entering a broken state.
Will a MOVE Multi-Platform OSS handle scan requests from an earlier MOVE client installation?
Yes. Backward compatibility and protection are maintained during upgrades. It is recommended you get the clients
upgraded to the later MOVE Multi-Platform versions as quickly as possible to benefit from the new features and
optimizations offered in the latest release.
Configuration
Why is the Agentless Policy per Virtual Machine (PPVM) enable or disable option no longer available after an
upgrade to MOVE AV 4.0?
This option in MOVE AV Agentless 4.0 is now enabled by default and cannot be disabled.
Key related point taken from the MOVE AV Migration Guide (PD26580):
• (Automatic migration only) If you enabled PPVM in 3.6.1, all PPVM assignments and policies
are merged.
• This version of McAfee MOVE AntiVirus optimizes and consolidates legacy products into an
integrated, efficient new platform. A new MOVE AntiVirus Common extension centralizes the
shared protection features so that they are easily accessible by all product modules. As a
result, some of the policy settings have changed.
• The Migration Assistant ensures that the settings in your legacy policies are moved to the
correct policies in McAfee MOVE AntiVirus 4.0.0. Sometimes, they are merged with other
McAfee MOVE AntiVirus settings, and in others, new default settings are applied to support
updated technologies.
How do I ensure that the Agentless PPVM policies are being applied successfully?
Do the following:
Does each VMware host require a Multi-Platform OSS, depending on the number of VMs on each host?
One OSS under a given host can service clients that reside under other hosts, provided the virtual networking
infrastructure is configured accordingly.
NOTE: The OSS can generally be assigned to 200–400 workstation endpoints, depending on the load of the
endpoints. The limiting factor is the number of concurrent scan requests that the clients trigger.
High availability file share servers require more OSS resources than workstation endpoints do, resulting in a lower
OSS ratio.
IMPORTANT: In large-scale MOVE Multi-Platform deployments, use the MOVE SVA Manager to assign an IP
address of the MOVE Multi-Platform OSS server to the requesting MOVE Multi-Platform clients. In this configuration,
all OSS servers register themselves with the SVA Manager, which keeps a pool of active OSS servers and assigns a
server to a requesting client from this pool. With this architecture, the SVA Manager must always be available to the
MOVE Multi-Platform clients. To achieve this availability, the SVA Manager needs to be configured for high
availability. See the document PD25344 to configure your standalone MOVE SVA Manager Virtual Appliance for
high availability failover cluster.
How does MOVE Agentless SVA establish a connection to the VMware vShield Manager?
The MOVE SVA uses API calls to communicate directly.
Is it possible to configure MOVE Agentless SVA Manager to failover for Disaster Recovery?
No. Technical Support cannot help you with setup or configuration of a MOVE Agentless SVA Manager in an Active:
Passive cluster solution because it is an unsupported configuration.
NOTE: Contact the vendor (VMware, Citrix, or Hyper-V) for support if the MOVE Agentless SVA Manager is
configured in this manner.
What are the ports for communication with the MOVE Multi-Platform SVA Manager?
By default, the following ports are opened through the firewall installed on the MOVE Multi-Platform SVA appliance.
Ensure that the firewall settings in your environment are configured to allow communication to these ports:
• 8080 - For communication between MOVE Multi-Platform SVA Manager and the client.
• 8081 - For communication between McAfee Agent and ePO.
• 8443 - For communication between MOVE Multi-Platform SVA Manager and the OSS.
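One way to confirm that these firewall rules are in place, run from a client or OSS toward the SVA Manager (an added example, not part of the original article or of any McAfee tooling). The function names are hypothetical; the ports and roles are the defaults listed above. It separates a reset (no listener, or a firewall REJECT rule) from a silent timeout (typically a firewall DROP rule), which usually tells you where to look.

```python
"""Reachability check for the default MOVE Multi-Platform SVA Manager ports."""
import socket
import sys

# Default ports and their roles, as listed in the FAQ answer above.
SVA_MANAGER_PORTS = {
    8080: "SVA Manager <-> MOVE client",
    8081: "McAfee Agent <-> ePO",
    8443: "SVA Manager <-> OSS",
}


def probe(host, port, timeout=3.0):
    """Attempt one TCP connect and classify the outcome.

    open     - handshake completed, something is listening
    refused  - peer answered with a reset: no listener, or a firewall REJECT rule
    filtered - no answer before the timeout: typically a firewall DROP rule
    error    - anything else (name resolution failure, no route, ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "error"


def check_ports(host, ports=None, timeout=3.0):
    """Probe every port in `ports` (default: the SVA Manager ports) on `host`.

    Returns a list of (port, role, state) tuples sorted by port number.
    """
    ports = SVA_MANAGER_PORTS if ports is None else ports
    return [(port, role, probe(host, port, timeout))
            for port, role in sorted(ports.items())]


def blocked(results):
    """Return only the entries whose state is not 'open'."""
    return [entry for entry in results if entry[2] != "open"]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: check_sva_ports.py <sva-manager-host>")
        sys.exit(2)
    results = check_ports(sys.argv[1])
    for port, role, state in results:
        print(f"{sys.argv[1]}:{port:<5} {state:<9} {role}")
    # Non-zero exit status when any required path is not reachable.
    sys.exit(1 if blocked(results) else 0)
```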
Is there a script to reconfigure the SVA manager with new ePO information?
Yes. The script is: sudo /home/svaadmin/.sva-config
How do you disable deferred scan notifications during an On-Access Scan (OAS) in MOVE AV Multi-
Platform?
Follow these steps to disable the deferred scan notifications:
Can MOVE On Demand Scan (ODS) resume a scan from a last scanned file?
No. MOVE ODS does not possess the capability of resuming a scan after it has been interrupted.
Where can I find a list of all Event IDs for the MOVE Multi-Platform or MOVE Agentless Client?
What happens if a VM node does not have a supported version of VMware tools installed; is it reported in
ePO?
No. ePO cannot report any VM client details running outdated versions of VMware tools.
Can MOVE SVA Manager 4.5 communicate with MOVE Client 4.0 and MOVE SVM 4.0?
Yes. MOVE SVA Manager 4.5 can communicate with the MOVE Client 4.0 and MOVE SVM 4.0.
Is a local database that contains previously scanned files and or hashes retained on the MOVE 4.0 client
when the client is rebooted?
Yes. There are two clean caches that contain the files and hashes. One is on the client and one is on the OSS (SVM)
system. The cache is retained on the client even after a reboot. During the service restart, the cache is written to the
disk and then imported back into memory after the service has completed the restart. By default, the client cache
entries are valid for 24 hours.
The OSS cache is purged (not retained) during the following actions:
• DAT update
• Service restart
• GTI level change
• System restart
• Engine update
Does MOVE SVM send the client a list of all known hashes when the client connects or reconnects?
No. The client is not sent all known hashes.
When a MOVE client requests a file scan, are files locked down until the scan has completed or is execution
allowed and blocking applied after scan completion?
Until any scan is complete, the files remain in an action denied state. If the scan times out (45 seconds by default)
and scanning is not complete, a Deferred Scan is initiated on the files. If scanning fails, access to the file is
maintained, but it is not cached.
How do I enable debug logging for MOVE extensions through ePO?
See KB88727 for instructions on how to enable debug logging for MOVE in ePO.
What happens to a MOVE client when its lease expires and it tries to re-request an SVM?
After the lease time expires, the client will request to get an SVM through the SVM Manager while remaining
connected to the old SVM. The result is that the request fails because the SVM Manager is Unavailable. The client
continues to remain protected by the old SVM. Running the mvadm status command displays SVM Manager in
Connecting state.
If the SVM Manager is unavailable, when will a MOVE client retry requesting an SVM assignment from the
SVM Manager?
As long as policy is configured to do so, the client continues to request an SVM from the last SVM Manager it
successfully connected to. These requests occur regardless of the state the SVM Manager is in.
What is the frequency of communication between a connected SVM and the SVM Manager?
An SVM heartbeat message is sent to the SVM Manager every second.
Why does the client status still show Enabled when OAS has been Disabled?
This status is an ambiguity that has been corrected in MOVE 4.6. When both OAS and ODS are Disabled, the
Protection Status of the client is Disabled.
How can I tell which clients are protected by MOVE AV Agentless or MOVE AV Multi-Platform from the ePO
System Tree?
Add the Agentless Anti Malware Protection Status and Status columns to the ePO System Tree.
NOTE: Ensure that the Data Center Connector extension is installed in the ePO console.
Does MOVE AV detect threats that have been loaded into memory?
No. MOVE AV Multi-Platform and MOVE AV Agentless do not detect threats that have been loaded into memory.
Is it possible to find the 'AV Status' for a guest directly from vCenter to know in real time when the status of a
VM becomes 'not protected'?
No. The status cannot be seen from the vCenter. The status is only available via ePO using the cloud connector ePO
extension.
With MOVE Agentless, is it possible to deploy the SVM via a script, as was possible in previous versions of
MOVE Agentless?
No. This feature is no longer supported.
Here the VM is tagged and removed immediately as the threat is deleted. The process is fast.
What is the total character limit for Excluded Paths under Path Exclusions and Process Exclusions?
For MOVE Agentless, the maximum Path Exclusion is 260 characters.
Can the scan diagnostics tool be directed at a single MOVE Agentless client?
No. The scan diagnostic task only shows the statistics for all protected VMs; it is not possible to analyze a
single/specific client.
If MOVE Agentless cannot exclude processes, what is the best practice to exclude, for example, backup
processes?
Because MOVE Agentless does not support process exclusions as a result of the vShield limitation, there is no way
to exclude backup processes.
NOTE: As a best practice, always scan the data as close to the data source as possible; network anti-virus scanning
is the last choice with the lowest performance.
What new SVM security update features were added in MOVE Agentless 3.6.1?
MOVE Agentless 3.6.1 automatically updates the SVM with security updates.
Which source repositories does the security update use to pull updates?
MOVE Agentless 3.6.1 SVM installs all security updates directly from the Ubuntu repositories.
Is there a tool to help customers migrate VSE path exclusion policies to MOVE Agentless?
No. VSE exclusions are not compatible with MOVE Agentless and that is why there is no option to import them.
NOTE: Wildcards are supported, but environment variables are not supported.
How many clients can be supported in a VDI environment with a single Agentless SVA, with default
settings?
This number depends on the load on the client VMs. Under normal load conditions, 200 clients per SVA is the
standard recommendation. Under extreme load conditions, SVA supports fewer clients.
What are the benefits of installing the Data Center Connector regarding MOVE Agentless?
The following reporting benefits apply:
Can a user put the ESX host in maintenance mode without performing a manual shutdown of the SVA
appliance first?
There are two scenarios to consider:
• For an NSX Manager environment, the NSX manager takes care of turning off and turning on
the MOVE SVA and Guest Introspection while entering and exiting the maintenance mode
respectively.
• For a vCNS environment, the auto shutdown is not available and the user has to shut down the
MOVE SVA manually before entering the host into maintenance mode.
How do I remove tasks that are stuck on the MOVE Job Status/Deployment status page of ePO?
To clean up any stale job entries from the database for SVM deployment/upgrade cases, run the SQL query:
delete from [dbo].[DC_AL_JOB_STATUS] where JOB_STATUS = 'QUEUED';
Can a Targeted On Demand Scan (TODS) be run on clients with the same name, but different UUIDs?
No. Client names must be unique to ensure that a TODS runs successfully.
Why does MOVE Agentless 4.5.x send policy setting deletion events back to ePO every hour?
If PPVM is enabled, MOVE Agentless aggregates all policies into an aggregated policy object. This policy object is
deleted after policy assignment occurs. Each time the aggregated policy object is deleted it is reported back to ePO
and logged in the Audit logs. This behavior is considered normal.
Which hypervisor supports the MOVE AV Multi-Platform SVM Auto Scale feature?
VMware ESX is the only hypervisor for which the new MOVE AV Multi-Platform 4.0 Auto Scale feature is
implemented.
What is the total character limit for both Excluded Paths and Processes under Path Exclusions and Process
Exclusions?
For MOVE Multi-Platform, the maximum number of characters are:
What is the maximum number of nested archives that MOVE Multi-Platform 3.6.1 can scan?
MOVE Multi-Platform depends on the scan engine. Because the engine’s default value is 15, the level of
compression would be 15.
What are the maximum concurrent scans for On-Demand Scan (ODS) and Targeted On-Demand Scan
(TODS)?
The maximum number of concurrent scans for ODS and TODS is 2. Any more increases the load on the OSS/Hypervisor, with
the potential to result in an increased OAS time or decreased response time.
Do primary and secondary OSS maintain a connection to each other for status monitoring and failover?
No. The endpoints themselves maintain a connection to both OSSs to monitor the status and perform a failover. The
failover occurs if the MOVE agent can’t reach the primary; it then tries the secondary.
How are the clients protected when the OSS is not available?
Currently, the file is fail-opened if the scan server is unavailable. There is a socket connection established between
the client and server. When the server goes down, the client does not send the file, and no network traffic is
generated.
Can wildcards be used when configuring the process exclusion list in MOVE Multi-Platform?
No. Process exclusion in MOVE Multi-Platform does not support the use of wildcards.
IMPORTANT: When you are concerned about performance, do not use network scanning, even for traditional VSE.
Instead, scan the file at its source; if it is dirty you are denied access and no data is transferred over the network. If it
is clean, the file is transferred. You use less network bandwidth, and the user sees better performance.
NOTE: The virtual machine must be restarted after enabling the network scanning policy.
What advantages does MOVE AV Multi-Platform offer over traditional endpoint security?
The advantages are covered in the following publicly available document:
http://www.mcafee.com/us/resources/solution-briefs/sb-move-av-4-performance-
advantages.pdf
Can the scan diagnostics tool be directed at a single MOVE AV Multi-Platform client?
No. The scan diagnostic task only shows the statistics for all protected VMs; it is not possible to
analyze a single or specific client.
NOTE: For the scan diagnostic tool to collect data successfully, file activities must be triggered on the
client system.
What is the function of the MOVE AV Multi-Platform Offload Scan Server (OSS)?
OSS is an application built on a Windows platform, which performs the heavy scanning work load with
VirusScan Enterprise.
Does MOVE 4.0 Support Endpoint Security Threat Prevention (ENS) 10.x?
No. Currently only VSE 8.8 is supported on the OSS.
NOTE: The number of clients that an OSS can handle optimally depends on the load on the client VMs. With higher
load conditions, a greater number of OSS is required.
How does the MOVE AV Multi-Platform OSS avoid scanning the same file?
This avoidance of duplicate scanning is achieved by the OSS global cache, which avoids scanning the same file from
requests that come from different MOVE AV Multi-Platform clients. After the file has been scanned and it is found to
be a clean file, it will be added to the server cache file and not scanned again. The location of the file is:
C:\Program Files (x86)\McAfee\MOVE AV Server\evt_cache.
When a VM accesses a file and places it in the Multi-Platform OSS global cache, how long does it remain in the
cache?
By default it is retained for one day. This cache is not persistent; the following reasons lead to the cache being
flushed:
• DAT updates.
• Enabling scanning archives.
• Increasing the GTI sensitivity.
• Enabling PUP scanning.
• If the file was not accessed for 24 hours, the hash is removed from cache.
NOTE: The flushing of the cache is, by default, set to occur at a predefined time. This value is configurable.
What are the key features of using the Multi-Platform OSS global cache?
The following benefits are achieved using this technology:
• Independent client and offload scan server cache size, which allows the shared server cache to
be larger and improves the hit rate of the shared cache.
• OSS’s cache is no longer pulled to the clients, which avoids cache poisoning.
• Temporary cache of large file scan results, which improves subsequent large file access
performance.
• Client cache persists across system restart, improving boot time and overall performance.
• Staggered cache expiration, which reduces the performance impact of configuration changes
and DAT updates.
• Greatly improved client cache look-up algorithm, which significantly improves client’s cache
performance.
• Scan results for network and removable drives are no longer cached, improving security.
• Client uses a connection pool, which allows predictable scalability and removes risk of a single
client saturating the MOVE OSS.
Is it possible to repopulate the Multi-Platform OSS global cache after a DAT update? (For importing after one
server scans a golden image)
Yes. Run an on-demand scan on the golden image. The on-demand scan repopulates the cache. After the cache is
populated, provision the VMs from this golden image.
What account does MOVE Multi-Platform OSS use when scanning VMs?
The OSS only scans the file; it is the client system that blocks access or deletes the file.
Why are files stored under User directories (such as Desktop, My Documents) not scanned with MOVE Multi-
Platform when the folder is redirected using Distributed File System (DFS)?
As long as the DFS folder is set up as a network share, MOVE Multi-Platform scans it.
Is there a way to calculate the number of VMs that a MOVE Multi-Platform OSS can handle?
No. Although there is no way you can calculate this number, it is possible via the MOVE Multi-Platform SVA Manager
to control the number of clients connecting to OSS. The MOVE Multi-Platform 3.6.1 Product Guide states: "An offload
scan server can generally be assigned to 200–400 endpoints, depending on the load of the endpoints."
Does MOVE Multi-Platform support the same Low-Risk process Exclusions as available in VSE?
Yes. MOVE Multi-Platform uses the same technical functionality as VSE does regarding the Low-Risk process
exclusions.
Is there a tool to help customers migrate VSE path exclusion policies to MOVE Multi-Platform?
Yes. See the section "Using the Import option" in the relevant Multi-Platform product guide. These exclusions are
seamlessly imported via an XML file. There is also an option to clear the existing exclusions before an import takes
place.
Are the SVA and SVM the same device in the MOVE Multi-Platform architecture? If not, how do
they differ?
They are not the same. The SVM is an OSS that handles the scanning. The SVA is an SVA Manager
that handles load balancing for SVM.
Is it possible to tell which SVM is not connected to the SVM manager?
If the SVM was connected to the SVM Manager and later disconnected, run the MOVE AntiVirus SVM
Manager: SVM Registration Events report.
Is it possible to prevent a local administrator from stopping the MOVE Multi-Platform Services?
Yes. A new password-protected CLI allows the ePO administrator to configure a password for mvadm commands via
the ePO interface. Without the password, users or local admins cannot access the mvadm command interface to
change the integrity level and cannot access the service restart.
Why have the system requirements increased so much from MOVE Multi-Platform 2.6.x (1 GB of RAM) to
MOVE Multi-Platform 3.6.1 (requiring 6 GB)?
MOVE 3.6.1 includes many new features and performance improvements that require the additional resources.
How much disk space is used/needed when deploying the MOVE Multi-Platform SVM Manager 4.5?
The SVM Manager is an OVF, so the hard drive comes bundled. By default, the SVM Manager 4.5 has a 16-GB hard
disk bundled with it.
Is there any way for the policies to notify the administrator when the number of Multi-Platform connected
endpoints is reached?
Yes. The maximum number of connected endpoints depends on the load settings specified in the OSS
General policy under Client loads. The settings can be made for Heavy load (150 clients), Medium (200 clients), Low
(250 clients), and Custom (user-defined). The Threshold for OSS Capacity option on the Events tab is used to
establish a percentage threshold (for example, 90%) that forces any event at or above the value set to be sent to ePO.
When the threshold is met or exceeded, an alert is generated. This alert helps the ePO administrator determine if
there is a need to provision any additional OSS in the current environment.
Why is the SVM 4.5.0.268 not connecting to the SVM Manager 4.5?
With the release of MOVE AV Multi-Platform 4.5.0.257, TLS 1.2 is used for secure communication. For an SVM to
communicate with the SVM Manager, all MOVE AV Multi-Platform components must be upgraded to the latest hotfix.
NOTE: All SVM/client hotfixes released after MOVE 4.5.0.257 can communicate with SVM Manager 4.5.0.257 and
later (because of the TLS 1.2 change mentioned).
How does a change in the TIE reputation get handled when the endpoint already has the file hash in its local
cache?
Reputation changes are received at the SVM through the DXL fabric. The SVM cache is updated with the new reputation,
which is then propagated to each client. Clients cache only the Known Trusted TIE reputation for any file. If the
reputation changes from Known Trusted to another level, the client cache is updated: the entry is removed, and on the
next access of the file, the actions configured in the policy are taken.
Are customers expected to update/maintain McAfee Agent on the MOVE AV Multi-Platform SVM client and
SVM Manager or are updates released via a new OVF?
MOVE supports upgrades of McAfee Agent on MOVE SVM and SVM Manager.
Do client-side log entries similar to Cache Hit, Not Scanning indicate that the file was not scanned again
because it is found in the Scan Cache?
Yes, these log entries mean that the file was not scanned again because it is present in the cache. After a file is
scanned and found to be clean, it is added to the scan cache on the client side. If it is changed or the cache entry
expires, the file is then rescanned.
• If the file size is smaller than the default threshold (40 MB), the complete file is sent to the SVM
unencrypted.
• If the file size is larger than the default threshold, the file is sent in chunks (offset of the file)
when requested by the SVM, and then scanned.
MOVE AV Multi-Platform keeps hitting .TMP files and handling them as an archive. How can I tell if a .TMP file
is an archive or not?
The quickest way to determine if a .TMP file is an archive or not is to open it in Notepad or UltraEdit and check the file
header. You can also use a free tool, such as Exeinfo, to determine the file type.
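The header check described above can also be scripted. The following is an added example, not part of the original article or of MOVE itself: it compares the first bytes of a file against a chosen subset of well-known archive and container signatures. The signature list, the function names, and the sample file names are assumptions made for illustration and do not reflect how MOVE decides that a file is an archive.

```python
import gzip
import io
import zipfile

# (offset, magic bytes, format) for well-known archive and container formats.
SIGNATURES = [
    (0, b"PK\x03\x04", "ZIP (also OOXML, JAR)"),
    (0, b"PK\x05\x06", "ZIP (empty archive)"),
    (0, b"Rar!\x1a\x07", "RAR"),
    (0, b"7z\xbc\xaf\x27\x1c", "7-Zip"),
    (0, b"\x1f\x8b", "gzip"),
    (0, b"BZh", "bzip2"),
    (0, b"\xfd7zXZ\x00", "xz"),
    (0, b"MSCF", "Microsoft Cabinet"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (container)"),
    (257, b"ustar", "tar"),
]

def identify_header(head: bytes):
    """Return the format whose magic bytes match `head`, or None."""
    for offset, magic, label in SIGNATURES:
        if head[offset:offset + len(magic)] == magic:
            return label
    return None

def identify_file(path):
    """Read only the first 512 bytes of `path` and classify them."""
    with open(path, "rb") as fh:
        return identify_header(fh.read(512))

def build_samples():
    """Constructed sample contents standing in for .TMP files (hypothetical names)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("document.xml", "<doc/>")
    return {
        "~office.tmp": zbuf.getvalue(),                  # real ZIP bytes
        "spool.tmp": gzip.compress(b"spooled data"),     # real gzip bytes
        "backup.tmp": b"\x00" * 257 + b"ustar\x00",      # only the tar magic at 257
        "scratch.tmp": b"plain temporary text, no container header\r\n",
        "empty.tmp": b"",
    }

if __name__ == "__main__":
    for name, data in build_samples().items():
        print(f"{name:12} {identify_header(data) or 'no known archive header'}")
```

To check a real file, call identify_file with the path of the .TMP file; a result of None means only that none of the listed signatures matched.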
What causes Event ID 36993 (OSS average scan time threshold hit) and Event ID 36994 (OSS average scan
time threshold restored) to repeatedly occur in MOVE AV Multi-Platform 4.0 SVM?
These events are triggered when the average scan time of the SVM is more than the configured value. By default,
this value is 5 minutes.
When the primary SVM goes down and VMs automatically connect to the secondary SVM, do the VMs
automatically revert to the primary SVM when it recovers?
No. Even though the primary SVM has recovered, the VMs remain connected to the secondary SVM until it goes
down.
Can Deferred scan notifications during OAS be disabled in MOVE AV Multi-Platform 4.6?
Yes. Follow the steps below to disable the deferred scan notifications:
Does MOVE AV Multi-Platform support encrypted channel communication between the client and SVM?
No.
Does MOVE AV Multi-Platform support encrypted channel communication between the client and SVM
Manager?
No.
Does MOVE AV Multi-Platform support encrypted channel communication between the SVM and SVM
Manager?
Yes.
Related Information
End of Life details
For product lifecycle details, see the McAfee Product and Technology Support Lifecycle page
at: http://www.mcafee.com/us/support/support-eol.aspx.
For End of Life (EOL) policy details, see the Corporate Products EOL policy
at: https://www.mcafee.com/enterprise/en-us/assets/misc/support-policy-product-support-eol.pdf.
Definitions:
• EOL period—The time frame that runs from the day McAfee announces product discontinuation, until
the last date that McAfee formally supports the product. In general, after the EOL period is announced,
no enhancements are made.
• EOL date—The last day that the product is supported, according to the terms of the McAfee standard
support offering.
Product Documentation
For a full list of product documents, go to the ServicePortal at: http://support.mcafee.com. Click Knowledge
Center, and select Product Documentation from the Knowledge Base list.