As of May 14, 2024, Knowledge Base (KB) articles will only be published and updated in our new Trellix Thrive Knowledge space.
Log in to the Thrive Portal using your OKTA credentials and start searching the new space. Legacy KB IDs are indexed and you will be able to find them easily just by typing the legacy KB ID.
This article is a consolidated list of common questions and answers. It's intended for users who are new to the product, but can be of use to all users.
Recent updates to this article
March 7, 2023 - Updated config file location in the "Configuration" section.
April 29, 2022 - Minor formatting updates; no content changes.
January 4, 2022 - Updated the FAQ "Can MOVE AV Multi-Platform co-exist with McAfee Enterprise AV products or other antimalware products?" in the Compatibility section.
Contents
What's MOVE?
MOVE is the family name for two related Management for Optimized Virtual Environments (MOVE) products. Virtual Machines (VMs) running on server-class systems with virtualization software such as VMware ESX or Citrix XenServer traditionally need an antivirus application running on each VM on the hypervisor. (A hypervisor is the general term for virtualization software such as VMware ESX, Citrix XenServer, and Microsoft Hyper-V.)
Running an antivirus application on each VM on a hypervisor drives high usage of disk, CPU, and memory, which reduces the VM density per hypervisor. MOVE AV solves this issue by offloading all On-Access Scans (OASs) to a dedicated VM that runs VirusScan Enterprise (VSE), so there's no need to install a traditional antivirus application such as VSE on each VM. The dedicated VM improves performance and allows an increased VM density per hypervisor.
What's MOVE AV Agentless?
This option allows integration with VMware vShield (vSphere and ESXi) using vShield Endpoint. MOVE AV Agentless provides virus protection for VMs and contains a Security Virtual Appliance (SVA) delivered as an Open Virtualization Format (OVF) package. MOVE AV Agentless supports On-Demand Scans (ODSs) natively. MOVE Agentless systems don't have VSE installed. The MOVE AV Agentless components are listed below:
SVA - Provides antivirus protection for VMs and communicates with the loadable kernel module on the hypervisor, ePolicy Orchestrator (ePO), and Global Threat Intelligence (GTI) servers. The SVA is the only system directly managed by ePO, but you can install McAfee Agent (MA) and other McAfee products on VMs. VirusScan Enterprise for Linux (VSEL), MA, and MOVE AV Agentless come preinstalled on the SVA.
ePO - Allows you to configure policies to manage MOVE AV Agentless and provides reports on malware discovered in your virtual environment.
File Quarantine - Remote quarantine system, where quarantined files are stored on an administrator-specified network share.
GTI - Classifies suspicious files that are found on the file system. When the real-time malware defense detects a suspicious program, it sends a DNS request for analysis to a central database server hosted by Trellix Advanced Research Center.
Hypervisor (ESXi) - Allows multiple operating systems to run concurrently on a hosted system. The hypervisor is a virtual operating platform that manages the execution of the guest operating systems. ESXi is an embedded hypervisor for servers that runs directly on server hardware without requiring another underlying operating system.
VMware vCenter - Console that manages the ESXi servers, which host the guest VMs that require protection.
vCloud Networking and Security Manager - Manages the vShield components for the SVA and VMware vShield Endpoint, and monitors the health of the SVA.
VMs - Isolated guest operating system installations in a normal host operating system that support both virtual desktops and virtual servers.
VMware NSX Manager - Console that allows you to configure, provision, and automate the protection on the endpoints in a data center.
What's MOVE AV Multi-Platform?
MOVE AV Multi-Platform is for OAS and ODS of end nodes. The MOVE AV Multi-Platform components are listed below:
SVA Manager - Automatically assigns offload scan servers to MOVE Multi-Platform clients based on configurable parameters. These parameters include Scan Server load, ePO tags, and IP address ranges.
ePO - Communicates with MA, manages the Multi-Platform configuration, and provides reports on malware discovered in your virtual environment.
MA - Communicates with ePO, applies policies to each virtual machine, and deploys the MOVE AV Multi-Platform client.
Hypervisor - Allows multiple operating systems to run concurrently on a hosted system. The hypervisor is a virtual operating platform that manages the execution of the guest operating system.
MOVE AV client - Allows virtual machines to interact with the offload scan server (OSS) for file scanning and malware detection. Enforces actions on the client when a threat is detected.
MOVE AV client extension - Provides policies and controls for configuring and managing the behavior of the MOVE AV client through ePO.
MOVE AV Offload Scan Server - Provides offloaded scanning support for VMs, which minimizes the performance impact on virtual desktops.
MOVE AV Offload Scan Server extension - Provides policies and controls for configuring and managing the behavior of the MOVE AV offload server through ePO.
VSE - Provides antivirus protection for the offload scan server VM and communicates with the GTI servers.
Data Center Connector for vSphere - Integrates the management and automation feature of ePO to discover and manage your guest VMs.
What's MOVE Scheduler?
The Scheduler is used with MOVE Multi-Platform clients. Traditional security solutions for virtual environments run as an antivirus application on every VM on the hypervisor. This model results in reduced VM density per hypervisor and causes high disk, CPU, and memory usage. Common tasks such as scanning for viruses can occur on all servers at the same time. These tasks create a significant load on the virtual infrastructure and negatively impact performance.
MOVE Scheduler solves these issues for VSE environments by distributing ODSs across all client VMs. The ODSs are based on parameters such as maximum concurrent scans per hypervisor, maximum concurrent scans per storage and hypervisor CPU usage. These parameters make sure that VMs remain usable during scans.
MOVE Scheduler 2.x is reaching EOL; what's going to replace it?
The MOVE Scheduler functionality is now included in MOVE 4.0 and later. For details, see the MOVE Scheduler to MOVE Multi-Platform Migration Guides.
Can MOVE be disabled through policy when managing via ePO?
No. The MOVE software can't be enabled or disabled via ePO policy enforcement. The only option for disabling by policy is disabling OASs or ODSs.
What has changed in MOVE AV 4.0?
MOVE AV Multi-Platform: OSS has changed to SVM, and SVA Manager has changed to SVM Manager.
MOVE AV Agentless: SVA has changed to SVM.
ODSs or OASs: There are now two separate policies, one for the on-access scanner and one for the on-demand scanner.
Multi-Platform 4.0 SVM Auto Scale feature: You can define the SVM auto scale settings so that the SVM deployment starts automatically, depending on the number of clients connecting to the SVM for protection.
What's new in MOVE AV 4.5?
The new features and enhancements in MOVE AntiVirus 4.5.0 include the following:
New Multi-Platform features:
New Windows platform support for Windows Server 2016 (64-bit) for MOVE AntiVirus SVM and client systems
Support for SHA-256 for Threat Intelligence Exchange (TIE) integration
Support for TIE 2.0.0
Support for Advanced Threat Defense (ATD) 3.8.0 and vATD 3.1.0
Upgraded operating system for MOVE SVM Manager Ubuntu 16.04
Transport Driver Interface to Winsock Kernel migration
Integration with Cloud Workload Discovery for remediation
New Agentless features:
Targeted ODS
Upgraded operating system for MOVE SVM Manager Ubuntu 16.04
How long is the trial period for MOVE, and if it's less than 90 days, is it possible to get a 90-day trial license?
The trial length is 90 days and extensions aren't granted. But, that doesn't mean that the product ceases to work. MOVE functions normally after the 90-day trial has expired. A reminder notification appears and remains until the MOVE license extension is installed. At that point, the trial version is converted to a fully licensed version.
Is the MOVE AV Multi-Platform 4.0 client and SVM compatible with the MOVE AV Multi-Platform 4.5 SVM Manager?
Yes. The MOVE AV Multi-Platform 4.5 SVM Manager can be used with the MOVE AV Multi-Platform 4.0 Client and SVM.
Does MOVE Agentless or Multi-Platform support GTI File Reputation?
Yes. GTI File Reputation is configured using the Scan Items policy.
Are there any plans to cover the Linux operating system by MOVE Agentless?
MOVE Agentless supports the Linux operating system only when VMware supports it. MOVE Agentless supports all operating systems supported by VMware Endpoint Security. For a list of operating systems that are supported with the VMware vShield Endpoint Thin Agent that's used with the MOVE products, see the VMware site.
Can MOVE Multi-Platform run in VDI mode with VMware Horizon 6 for non-persistent VMware images that close as a user logs off and goes back to a gold image state?
Yes.
What support is provided for VDI clients?
MOVE Multi-Platform supports VDI and Thick Clients for all host platforms.
Can the MOVE Multi-Platform SVA Manager work in a Microsoft Hyper-V environment?
Yes. You must convert the SVA Manager when you import the (.ova) package to the Hyper-V server. An (.ova) package is a TAR archive file with the OVF directory inside.
NOTE: Hyper-V is supported only with MOVE Multi-Platform clients.
Is MOVE Agentless certified with VMware NSX?
Yes. Certification is provided in MOVE Agentless 4.x.x with NSX. For details, see the following VMware compatibility matrix links.
Do I need to purchase the NSX Manager because VMware is going to stop support for vCloud Networking and Security (vCNS)?
No. If you have vSphere Essentials Plus or later, the NSX Manager is free, but it can only be used to manage endpoint antivirus policies.
For more details about vCNS, see the VMware FAQ article 2110078.
Does MOVE Multi-Platform support Acropolis Hypervisor (AHV)?
Yes. MOVE Multi-Platform is hypervisor agnostic and works seamlessly on AHV.
NOTE: AHV is the new name for a Kernel-based Virtual Machine (KVM).
How do you check the MOVE-AV-AL_SVM_Pkg_4.5.1.227.zip package into the ePO 5.3.2 Master Repository?
The MOVE 4.5.x SVM package isn't meant to be checked in to the ePO Master Repository. Check it into the SVM Repository. The SVM Repository is on the MOVE AntiVirus Deployment Page under General, Configuration Settings.
Does Datacenter Connector support the use of a multi-tenant database?
No. Use of a multi-tenant database isn't supported.
Is MOVE Multi-Platform compatible with Windows Defender?
Windows Server 2019
A MOVE Client installation doesn't uninstall Windows Defender. This issue is known and expected with MOVE client versions 4.8.1 and earlier.
Windows Server 2016, Windows 10 and 8
The MOVE client installation uninstalls Windows Defender.
NOTE: After the MOVE installation is complete, you must restart the computer to fully uninstall Windows Defender. For details, see the Microsoft Document.
Can I provide the same NSX Manager name when registering the NSX Manager details on the MOVE AntiVirus Deployment configuration page?
No. It isn't supported.
Is it possible to selectively install the MOVE Agentless vShield driver on a single client via an SVA deployment?
No. It isn't possible to selectively install the vShield driver on the clients with an SVA deployment. By default, installation is tried on all VMs.
Can ePO be used to update the MOVE Agentless SVA automatically with updates and hotfixes?
ePO can be used to apply product hotfixes and updates.
How many SVAs need to be deployed for any given number of data centers?
For a MOVE Agentless solution, one SVA per host is needed regardless of the size of the data center. In a MOVE Agentless deployment, it isn't possible to set up a secondary SVA for failover. The inability to set up a secondary SVA for failover is a VMware limitation.
Is it possible to migrate the MOVE Agentless SVA to another host?
No. It's never a good idea to migrate the SVA from one host to another, because the SVA is registered to a hypervisor and protects only the VMs on that hypervisor.
Is it possible to upgrade the SVA via ePO?
Yes. It's possible from MOVE Agentless 4.x.x.
What user permissions are needed to successfully install the MOVE Agentless vShield driver?
All domains that are part of protected VMs have to be added to the ePO LDAP server registration page. The user must have domain administrator rights for the vShield driver to be installed successfully on the VM clients, because ePO must access these client VMs remotely to install the endpoint driver, and only domain administrators have the permission to do so.
For MOVE Agentless, what are the software requirements for vCNS Manager?
To use the MOVE Agentless software, all VMware vCNS software components must be installed for this antivirus solution to work. The components include the following:
vShield Manager
vShield Endpoint plug-in for ESXi Host
vShield Endpoint Thin Agent for VM Guest
NOTE: Although VMware NSX (optional) isn't part of the VMware vCNS security solution, it makes deployment and setup much easier for customers.
How long does the evaluation license last?
The evaluation license lasts for 90 days before notifications are triggered.
Is MOVE AV Agentless supported on Linux hosts?
MOVE AV Agentless 4.5.1 is supported on Linux hosts. NSX 6.3 is needed for MOVE AV Agentless 4.5.1 to work properly.
How is a manual deployment of MOVE AV Agentless with vCNS performed?
Manual deployment of MOVE AV Agentless with vCNS occurs from the respective vCenter and can't be done directly from ESXi.
Does the upgrade of the MOVE Multi-Platform clients and servers require a system restart?
No.
What host platforms does MOVE Multi-Platform support?
MOVE Multi-Platform is a Hypervisor agnostic solution.
Are clients protected during an SVA Manager upgrade?
Yes. A client and Multi-Platform OSS can function using an earlier SVA Manager until the upgrade is completed. The clients are already connected to an OSS. The clients continue to connect to an SVA Manager when there's no OSS assigned.
When migrating a Virtual Guest system to another hypervisor because of operational needs, which OSS is responsible for scanning the migrated Virtual Guest? Also, do I need to point the migrated Virtual Guest manually to the local OSS running on the other Hypervisor, or is it assigned automatically based on ePO Policy or Hypervisor Integration?
The clients are always automatically protected wherever you migrate them, so long as the clients can communicate with the OSS.
Should I convert the .vmdk file (part of SVA Manager appliance) into a .vhd file using the Microsoft Virtual Machine Converter software, or are the files provided?
The MOVE Multi-Platform Product Guide, under the "Requirements for SVA Manager" section, states that to deploy on Hyper-V you convert the .vmdk file, which is part of the SVA Manager appliance, into a .vhd file and then attach the .vhd file as a hard disk to the new VM in Hyper-V. To convert .vmdk to .vhd, you can use the Microsoft Virtual Machine Converter software. However, the SVA Manager package is bundled with the required files, so customers only need to deploy the package.
Can the default MOVE Multi-Platform installation directory be changed?
No. The default installation folder (C:\Program Files or C:\Program Files (x86)) can't be changed when deployed via ePO.
What's the standard recommendation for the MOVE Multi-Platform setup?
The recommended design is to have the scan servers on the same subnet and as close to the VMs as possible (fewest network hops). There's also no problem with a dual-homed configuration.
Is a mixed environment supported (backward compatibility) with the SVA Manager and the OSS or clients while upgrading?
This support is given only for a short period where a customer is upgrading. It's recommended to have all products upgraded to the same version as soon as possible.
Can I upgrade the SVA Manager operating system if the operating system prompts me to upgrade?
No. When you see the message "New Release 'Version' available," ignore it, because updates are incorporated automatically with new releases of the SVA Manager appliance.
CAUTION: Trying to upgrade the operating system using this method might result in the SVA Manager appliance entering a broken state.
Can a MOVE Multi-Platform OSS handle a scan request from an earlier MOVE client installation?
Yes. Backward compatibility and protection are maintained during upgrades. But, it's recommended that you get the clients upgraded to the later MOVE Multi-Platform versions as quickly as possible. The upgrade helps them benefit from the new features and optimizations offered in the latest release.
How is a manual deployment of MOVE AV Multi-Platform SVM Manager performed?
Manual deployment of MOVE AV Multi-Platform SVM Manager occurs from the respective vCenter and can't be done directly from ESXi.
What's the correct procedure to upgrade MOVE AV Multi-Platform?
Upgrade the MOVE AV Multi-Platform components in the following order:
Check in the product extension to ePO.
Upgrade the Offload Scan Server.
Upgrade all MOVE AV Multi-Platform clients.
What does the MOVE-AV_Meta_Package_Ext.zip file contain?
With the release of MOVE AV 4.6, the following MOVE components have been placed in the MOVE-AV_Meta_Package_Ext.zip file:
MOVE AntiVirus Common
MOVE AntiVirus
MOVE AntiVirus License
vSphere Connector
Data Center Control
Multi-Platform client package
Multi-Platform SVM package
Multi-Platform SVM Manager Debian package
Product Help extension
Why is the Agentless Policy per Virtual Machine (PPVM) enable or disable option no longer available after an upgrade to MOVE AV 4.0?
This option in MOVE AV Agentless 4.0 is now enabled by default and can't be disabled.
(Automatic migration only) If you enable PPVM in a previous version, all PPVM assignments and policies are merged.
This version of MOVE AntiVirus optimizes and consolidates legacy products into an integrated, efficient new platform. A new MOVE AntiVirus Common extension centralizes the shared protection features so that they're easily accessible by all product modules. As a result, some of the policy settings change.
The Migration Assistant makes sure that the settings in your legacy policies are moved to the correct policies in MOVE AntiVirus 4.0.0. Sometimes, they're merged with other MOVE AntiVirus settings. At other times, new default settings are applied to support updated technologies.
How do I make sure that the Agentless PPVM policies are being applied successfully?
Perform the following steps:
Edit the OAS or ODS policy.
Run the policy collector from the ePO MOVE AntiVirus Deployment page.
Enforce the policy.
At the SVM, open the oaspolicyaggr.xml or odspolicyaggr.xml file from /opt/McAfee/move/etc folder. Based on what policy is changed, verify that the setting is applied correctly.
Does each VMware host require a Multi-Platform OSS, depending on the number of VMs on each host?
One OSS under a given host can service clients that reside under other hosts, provided the virtual networking infrastructure is configured accordingly.
NOTE: The OSS can generally be assigned to 200–400 workstation endpoints, depending on the load of the endpoints. The limiting factor is the number of concurrent scan requests that the clients trigger.
High availability file share servers require more OSS resources than workstation endpoints do, resulting in a lower OSS ratio.
IMPORTANT: In large-scale MOVE Multi-Platform deployments, use the MOVE SVA Manager to assign an IP address of the MOVE Multi-Platform OSS server to the requesting MOVE Multi-Platform clients. In this configuration, all OSS servers register themselves with the SVA Manager. The SVA Manager keeps a pool of active OSS servers and assigns a server to a requesting client from this pool. With this architecture, the SVA Manager must always be available to the MOVE Multi-Platform clients.
How does MOVE Agentless SVA establish a connection with the VMware vShield Manager?
The MOVE SVA uses API calls to communicate directly.
Is it possible to configure MOVE Agentless SVA Manager to failover for Disaster Recovery?
No. Technical Support can't help you with setup or configuration of a MOVE Agentless SVA Manager in an Active/Passive cluster solution because it's an unsupported configuration.
NOTE: Contact the vendor (VMware, Citrix, or Hyper-V) for support if the MOVE Agentless SVA Manager is configured in this manner.
What are the ports for communication with the MOVE Multi-Platform SVA Manager?
By default, the following ports are opened through the firewall installed on the MOVE Multi-Platform SVA appliance. Make sure that the firewall settings in your environment are configured to allow communication to the ports below:
8080 - For communication between MOVE Multi-Platform SVA Manager and the client.
8081 - For communication between MA and ePO.
8443 - For communication between MOVE Multi-Platform SVA Manager and the OSS.
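As an added example (not part of the KB article), the POSIX shell script below checks from a client or OSS host that the three SVA Manager ports listed above are reachable, which is the quickest way to confirm that an intermediate firewall is not the reason a client never gets an SVM assignment. The script assumes the host name is supplied in the SVA_MANAGER_HOST environment variable (a placeholder; pick your own appliance address) and uses nc when available, falling back to bash's /dev/tcp otherwise.

```shell
#!/bin/sh
# Added example: probe the MOVE Multi-Platform SVA Manager ports from this host.
# Not from the KB article or the product; SVA_MANAGER_HOST is an assumed placeholder.

# Map each port to the purpose the KB article gives it. Returns 1 for any other port.
move_port_purpose() {
  case "$1" in
    8080) echo "SVA Manager <-> client" ;;
    8081) echo "McAfee Agent <-> ePO" ;;
    8443) echo "SVA Manager <-> OSS" ;;
    *)    echo "unknown"; return 1 ;;
  esac
}

# probe_tcp HOST PORT -> exit 0 if a TCP connection can be opened, non-zero otherwise.
probe_tcp() {
  _h=$1; _p=$2
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 3 "$_h" "$_p" >/dev/null 2>&1
  else
    # bash-only fallback; in a plain POSIX sh this simply fails (treated as closed).
    (exec 3<>"/dev/tcp/$_h/$_p") 2>/dev/null
  fi
}

# check_sva_manager_ports HOST -> prints one line per port; return value is the
# number of ports that could not be reached (0 means all three are open).
check_sva_manager_ports() {
  _host=$1; _closed=0
  for _port in 8080 8081 8443; do
    if probe_tcp "$_host" "$_port"; then
      _state=open
    else
      _state=CLOSED; _closed=$((_closed + 1))
    fi
    printf '%s:%s %-7s %s\n' "$_host" "$_port" "$_state" "$(move_port_purpose "$_port")"
  done
  return "$_closed"
}

# Usage: SVA_MANAGER_HOST=sva-manager.example.internal sh check_sva_ports.sh
if [ -n "${SVA_MANAGER_HOST:-}" ]; then
  check_sva_manager_ports "$SVA_MANAGER_HOST" || echo "one or more SVA Manager ports are unreachable"
fi
```

Run it from a MOVE client to verify 8080, and from an OSS to verify 8443; a CLOSED line for 8081 on the appliance itself points at the MA-to-ePO path rather than at MOVE. The script only probes; it does not change any firewall or appliance setting.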
Does MOVE support a dual stack network?
No. MOVE isn't supported in a dual stack network (IPv6 isn't supported).
Is there a script to reconfigure the SVA manager with new ePO information?
Yes. The sva-config.sh script is located at /opt/McAfee/movesvamanager/.
How do you unmanage an SVM Manager from ePO?
Use the command ./maconfig -provision -unmanaged
Can I access the SVM Manager via SSH?
Yes, but SSH is disabled by default. To enable SSH, start the SVA configuration utility located in /opt/McAfee/movesvamanager/ and toggle the Disable SSH setting accordingly (yes or no).
How do you disable deferred scan notifications during an OAS in MOVE AV Multi-Platform?
To disable the deferred scan notifications, perform the steps below:
Open the Action Center from the client computer.
Click All Settings.
Select Notifications & Actions in the left pane.
Disable notifications.
Does MOVE support the use of the ePO option to retain policy and client task settings?
No. MOVE doesn't support the use of this option. Technical Support recommends using the default settings.
Can MOVE ODS resume a scan from a last scanned file?
No. MOVE ODS doesn't possess the capability of resuming a scan after it has been interrupted.
What happens if a VM node doesn't have a supported version of VMware tools installed; is it reported in ePO?
No. ePO can't report any VM client details running outdated versions of VMware tools.
Can systems in the cloud be imported in ePO?
Yes. The Data Center Connector for vSphere helps you discover and import your virtual infrastructure in the ePO System Tree. The administrator can also view and query their virtualization properties, protection status, and security compliance using several dashboards and queries.
Are there any troubleshooting tools for MOVE?
Yes. The tool is run on the SVA Manager from the command line interface (CLI). For further details, see the MOVE Product Guides.
Can MOVE SVA Manager 4.5 communicate with MOVE Client 4.0 and MOVE SVM 4.0?
Yes. MOVE SVA Manager 4.5 can communicate with MOVE Client 4.0 and MOVE SVM 4.0.
Is it possible to remotely access logs of an SVA?
No. Logs must be retrieved locally on the client.
Is a local database that contains previously scanned files or hashes retained on the MOVE 4.0 client when the client is rebooted?
Yes. There are two clean caches that contain the files and hashes: one on the client and one on the OSS (SVM) system. The client cache is retained even after a reboot. During the service restart, the cache is written to disk and then imported back into memory after the service completes the restart. By default, the client cache entries are valid for 24 hours.
The OSS cache is purged (not retained) during the following actions:
DAT update
Service restart
GTI level change
System restart
Engine update
Does MOVE SVM send the client a list of all known hashes when the client connects or reconnects?
No. The client isn't sent all known hashes.
When a MOVE client requests a file scan, are files locked down until the scan is complete? Or, is execution allowed and blocking applied after scan completion?
Until any scan is complete, the files remain in an action-denied state. If the scan times out (45 seconds by default) and scanning isn't complete, a Deferred Scan is initiated on the files. If scanning fails, access to the file is maintained; but, it's not cached.
What happens to a MOVE client when its lease expires and it tries to re-request an SVM?
After the lease time expires, the client requests an SVM through the SVM Manager while remaining connected to the old SVM. If the SVM Manager is unavailable, the request fails, but the client remains protected by the old SVM. Running the mvadm status command shows the SVM Manager in the Connecting state.
If the SVM Manager is unavailable, when will a MOVE client retry requesting an SVM assignment from the SVM Manager?
As long as the policy is configured to do so, the client continues to request an SVM from the last SVM Manager that it successfully connected to. These requests occur regardless of the state the SVM Manager is in.
What's the frequency of communication between a connected SVM and the SVM Manager?
An SVM heartbeat message is sent to the SVM Manager every second.
Why does the client status still show Enabled when OAS is Disabled?
This status is an ambiguity that's corrected in MOVE 4.6. When both OAS and ODS are Disabled, the Protection Status of the client is Disabled.
How can I tell which clients are protected by MOVE AV Agentless or MOVE AV Multi-Platform from the ePO System Tree?
Add the 'Agentless Anti Malware Protection Status' and Status columns to the ePO System Tree.
NOTE: Make sure that the Data Center Connector extension is installed in the ePO console.
Does MOVE AV detect threats that have been loaded into memory?
No. MOVE AV Multi-Platform and MOVE AV Agentless don't detect threats that have been loaded into memory.
Is it possible to configure a second SVA or SVM Manager to act as a fallback to the primary?
There's no built-in high availability scenario for the SVM Manager. See the high availability configuration information from your platform vendor.
Is it possible to find the 'AV Status' for a guest directly from vCenter to know in real time when the status of a VM becomes 'not protected'?
No. The status can't be seen from the vCenter. The status is only available via ePO using the cloud connector ePO extension.
Why are there two IP addresses displayed in the SVA Manager?
One of the IP addresses is needed for internal communication, which is private between the SVA and MOVE Agentless clients. This IP address is used by VMware Endpoint Security (EPSec).
With MOVE Agentless, is it possible to deploy the SVM via a script like it was possible in previous versions of MOVE Agentless?
No. This feature is no longer supported.
Does MOVE Agentless support the ability to use TIE?
No. The VMware NSX Manager doesn't currently support the ability to use TIE in the VMware ENS solution.
Under what conditions is the NSX Threat Found tag available in the vCenter?
The user can see the tag in the vCenter when the policy option Action is set to Deny access to files.
The user can't see the tag when the Action is set to either of the following:
Delete files automatically and quarantine
Delete files automatically
In these cases, the VM is tagged and the tag is removed immediately because the threat is deleted right away, so the whole process is fast.
What's the total character limit for Excluded Paths under Path Exclusions and Process Exclusions?
For MOVE Agentless, the maximum Path Exclusion is 260 characters.
How is the scanning of large files handled by MOVE Agentless?
Regardless of file size, the complete file is transferred for scanning.
Can the scan diagnostics tool be directed at a single MOVE Agentless client?
No. The scan diagnostic task only shows the statistics for all protected VMs; it's not possible to analyze a single or specific client.
Does MOVE Agentless scan running processes?
No. It doesn't scan running processes; but, when a running process opens a file, the file gets scanned.
Are there no Low-Risk Processes with MOVE Agentless because of a lack of support in the vShield Endpoint?
Yes. It's a VMware Endpoint limitation.
If MOVE Agentless can't exclude processes, what's the best practice to exclude, for example, backup processes?
Because MOVE Agentless doesn't support process exclusions as a result of the vShield limitation, there's no way to exclude backup processes.
Can MOVE Agentless scan Network drives like MOVE Multi-Platform?
This feature has been added to MOVE AV Agentless 4.0 and later versions. Previous versions of MOVE AV Agentless don't possess this ability.
Which source repositories does the security update use to pull updates?
MOVE Agentless SVM installs all security updates directly from the Ubuntu repositories. For details, see the Repositories/Ubuntu documentation.
How often does the security AutoUpdate run?
MOVE Agentless SVM checks for security updates once per day.
Is it possible to check for security updates manually?
Yes. To check for security updates, run the command sudo unattended-upgrade --debug --dry-run
Is it possible to run the security AutoUpdate manually?
Yes. Run the following command to manually install the security updates: sudo unattended-upgrade -d
Is there a tool to help customers migrate VSE path exclusion policies to MOVE Agentless?
No. VSE exclusions aren't compatible with MOVE Agentless and that's why there's no option to import them.
Is it possible to create path exclusions for MOVE Agentless?
Yes.
NOTE: Wildcards are supported, but environment variables aren't supported.
How many clients can be supported in a VDI environment with a single Agentless SVA with default settings?
This number depends on the load on the client VMs. Under normal load conditions, 200 clients per SVA are the standard recommendation. Under extreme load conditions, SVA supports fewer clients.
What are the benefits of installing the Data Center Connector regarding MOVE Agentless?
The following reporting benefits apply:
Deployment of SVM to vCNS environment.
Deployment of SVM to NSX environment.
Protection status of VMs.
Can a user put the ESX host in maintenance mode without performing a manual shutdown of the SVA appliance first?
There are two scenarios to consider:
For an NSX Manager environment, the NSX manager takes care of turning off and turning on the MOVE SVA and Guest Introspection. It does so while entering and exiting the maintenance mode respectively.
For a vCNS environment, the auto shutdown isn't available and the user has to shut down the MOVE SVA manually before entering the host into maintenance mode.
How do I remove tasks that are stuck on the MOVE Job Status or Deployment status page of ePO?
To clean up any stale job entries from the database for SVM deployment or upgrade cases, run the following SQL query: delete from [dbo].[DC_AL_JOB_STATUS] where JOB_STATUS = 'QUEUED';
Can a Targeted On-Demand Scan (TODS) be run on clients with the same name but different UUIDs?
No. Client names must be unique to make sure that a TODS runs successfully.
Why does MOVE Agentless 4.5.x send policy setting deletion events back to ePO every hour?
When PPVM is enabled, MOVE Agentless aggregates all policies into an aggregated policy object. The policy object is deleted after policy assignment occurs. Each time the aggregated policy object is deleted, it's reported back to ePO and logged in the Audit logs. This behavior is considered to be normal.
When an SVM Manager failure occurs, is the client's default behavior to continue to work with their current SVAs?
Clients talk to the SVM already assigned to them. If new clients are added, they don't receive an SVM because they can't reach the SVM Manager.
Which hypervisor supports the MOVE AV Multi-Platform SVM Auto Scale feature?
VMware ESX is the only hypervisor for which the new MOVE AV Multi-Platform 4.0 Auto Scale feature is implemented.
What's the total character limit for both Excluded Paths and Processes under Path Exclusions and Process Exclusions?
For MOVE Multi-Platform, the maximum number of characters is as follows:
Path Exclusion: 260 characters
Process Exclusion: 100 characters
Is a Client protected while the SVA Manager is unavailable?
Yes.
What are the maximum concurrent scans for ODS and TODS?
The maximum concurrent scans for ODS and TODS are 2. Any more increases the load on the OSS or Hypervisor, with the potential to result in an increased OAS time or decreased response time.
What's the mvagent.cache file found on Multi-Platform clients?
This file is created when a user disables the AV protection. The cached entries on the client side are dumped into this file and are loaded back into the memory when the user re-enables the protection. The file resides in the installation directory.
What happens when the Primary OSS fails?
The primary OSS remains in standby after it recovers from failure, and the secondary OSS remains the active OSS.
Under what circumstance is the client cache file not populated?
When the file is smaller than the size mentioned in the 'Scan result cache' client policy, the file is transferred completely to the OSS. Otherwise, only relevant bytes requested by the scan engine during the scan are sent.
What happens after a deferred scan times out?
Access to the file is allowed; that is, the scan fails open.
Do primary and secondary OSSs maintain a connection with each other for status monitoring and failover?
No. The endpoints themselves maintain a connection to both OSSs to monitor the status and perform a failover. The failover occurs if the MOVE agent can't reach the primary OSS; it then tries to reach the secondary OSS.
How is the scan load on the OSS handled?
When the primary and secondary OSSs are configured via ePO, there's no awareness of overload on the OSS. If an SVA Manager is used to assign the clients to an OSS, the SVA Manager takes care of monitoring the load on the OSS.
What happens to the files sent for scanning to the OSS?
The files will be deleted after the scan is completed.
Does MOVE AV Multi-Platform scan running processes?
No. It doesn't scan running processes, but when a running process opens a file, the file is scanned.
Why do scan timeouts occur?
The antivirus products have an intentional cut-off time when the scan of a particular file must stop, and the scan time-out feature is intended to prevent a denial-of-service.
For details, see KB55869 - Explanation of why scan time-outs occur.
How are the clients protected when the OSS isn't available?
Currently, the file is fail-opened if the scan server is unavailable. There's a socket connection established between the client and server. When the server goes down, the client doesn't send the file, and no network traffic is generated.
Can quarantined files be restored?
There's a Restore from quarantine client task available from ePO. The client-side command-line options are as follows:
mvadm.exe q - Lists the currently quarantined files.
mvadm.exe q restore <detected as> - Restores all files of the detection type specified in the "detected as" parameter. Make sure that either the protection is disabled, or the file is excluded from scanning. The actions prevent the restored file from being detected again.
Is it possible to transfer scan cache into a file?
Yes. On the Multi-Platform client, run the command mvadm disable. The cache file gets saved to the installation directory named mvagent.cache. On the Multi-Platform Server, run the command mvadm cache save <filename>.
Is a system authentication needed during a scan file transfer?
No. There's no authentication undertaken from a Multi-Platform client when a file is sent for scanning to the OSS.
Can wildcards be used when configuring the process exclusion list in MOVE Multi-Platform?
No. Process exclusion in MOVE Multi-Platform doesn't support the use of wildcards.
Can an on-demand scan be performed on a network drive?
MOVE Multi-Platform supports network scanning of files with OASs. ODSs can't be performed on network drives, because MOVE Multi-Platform is a service that runs under the system account and doesn't see network drives mapped to the individual users logged on during the ODS.
What's the impact of enabling Network File Scanning?
MOVE Multi-Platform network scanning essentially comes with double the network impact. This impact is because it must first transfer the file from the network to the local system, and then transfer the file to the SVA for scanning. Thus, essentially, the file is transferred over the network twice.
IMPORTANT: If you're concerned about performance, don't use network scanning, even for traditional VSE. Instead, scan the file at its source. If it's dirty, you're denied access and no data is transferred over the network. If it's clean, the file is transferred. You use less network bandwidth, and the user sees better performance.
NOTE: The virtual machine must be restarted after enabling the network scanning policy.
Where are the OSS log files located?
Under the OSS installation directory C:\Program Files (x86)\McAfee\MOVE AV Server\mvserver.log.
NOTE: They're available only after enabling DEBUG logging.
How is the scanning of large files handled by MOVE AV Multi-Platform?
When a large file is opened on the same client for a second time, it's scanned again only if the file is changed. A file copy is always considered as a file change and is always sent for scanning.
What On-Demand events are generated?
When an ODS starts, an event is sent to the ePO server, which provides details of the VM. The complete details are also available in the OSS server logs after DEBUG logging is enabled.
Are both scans on read or write needed?
Yes. Disabling scan on read isn't advised as a large group of malware can infect files using the On-read method.
How does the Certificate Revocation check option for MOVE AV Multi-Platform 4.5 OAS work?
This option is used for the Windows Publisher Trust feature. The parameters defined allow you to set how the revocation workflow occurs.
When 'None' is selected, the certificate revocation check isn't called.
When 'For end certificate locally' is selected, a check is made to determine whether the end certificate of the file is valid or has been revoked. The check uses the CRL that Windows maintains locally (local cache) and doesn't go over the network.
When 'Full certificate chain locally' is selected, the complete certificate chain is checked. The digitally signed file is checked against the local CRL (local cache) maintained by Windows, not over the network.
When 'For end certificate locally and by getting CRL from issuing CA' is selected, a check is made against the local CRL maintained by Windows (local cache), and also against the issuing CA's CRL over the network.
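The four revocation modes above map directly onto the revocation settings of the Windows certificate chain engine. The following PowerShell is an added example, not MOVE product code: it checks a signed file's publisher certificate under each mode using the .NET X509Chain API, so an administrator can see what each policy choice does and does not consult. The function name, mode names and file path are assumptions chosen for the example.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example (not MOVE product code). RevocationMode.Offline consults
# only the CRLs Windows has cached locally; Online also downloads the CRL
# from the issuing CA; RevocationFlag selects end certificate vs. whole chain.

function Test-PublisherRevocation {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Hypothetical mode names mirroring the four MOVE policy options
        [ValidateSet('None','EndCertLocal','FullChainLocal','EndCertLocalAndCA')]
        [string]$Mode = 'EndCertLocal'
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        # No valid publisher signature: nothing to check for revocation
        return [pscustomobject]@{ Path=$Path; Mode=$Mode; Trusted=$false; Detail="signature $($sig.Status)" }
    }
    $chain = [X509Chain]::new()
    switch ($Mode) {
        'None' {
            $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
        }
        'EndCertLocal' {
            $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Offline
            $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EndCertificateOnly
        }
        'FullChainLocal' {
            $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Offline
            $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EntireChain
        }
        'EndCertLocalAndCA' {
            $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
            $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EndCertificateOnly
        }
    }
    $ok = $chain.Build($sig.SignerCertificate)
    # ChainStatus lists every problem found, e.g. Revoked, RevocationStatusUnknown,
    # OfflineRevocation (no cached CRL available in the local-only modes)
    $problems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $chain.Dispose()
    [pscustomobject]@{ Path=$Path; Mode=$Mode; Trusted=$ok; Detail=$problems }
}

# Compare all four modes for one signed file (path is a placeholder)
$file = 'C:\Windows\System32\notepad.exe'
foreach ($m in 'None','EndCertLocal','FullChainLocal','EndCertLocalAndCA') {
    Test-PublisherRevocation -Path $file -Mode $m
}
```

In the two local-only modes the check never generates network traffic, so a file whose CRL isn't already cached reports RevocationStatusUnknown rather than Revoked; only the last mode fetches the CRL from the issuing CA.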
Can the scan diagnostics tool be directed at a single MOVE AV Multi-Platform client?
No. The scan diagnostic task only shows the statistics for all protected VMs; it's not possible to analyze a single or specific client.
NOTE: For the scan diagnostic tool to collect data successfully, file activities must be triggered on the client system.
What's the function of the MOVE AV Multi-Platform OSS?
OSS is an application built on the Windows platform that performs the heavy scanning workload using VSE.
Does MOVE 4.0 Support Endpoint Security (ENS) Threat Prevention 10.x?
No. Currently only VSE 8.8 is supported on the OSS.
How is the MOVE AV Multi-Platform OSS workload calculated?
The OSS load percentage is calculated as follows:
(Number of endpoints connected to OSS / Max. number of endpoints that can be connected to OSS) × 100.
NOTE: The number of clients that an OSS can handle optimally depends on the load on the client VMs. Under higher load conditions, more OSSs are needed.
How does the MOVE AV Multi-Platform OSS avoid scanning the same file?
This avoidance of duplicate scanning is achieved by the OSS global cache. The cache avoids scanning the same file from requests that come from different MOVE AV Multi-Platform clients. If the file is scanned and found clean, it's added to the server cache file and not scanned again. The location of the file is C:\Program Files (x86)\McAfee\MOVE AV Server\evt_cache.
When a VM accesses a file and the result is placed in the Multi-Platform OSS global cache, how long does it remain in the cache?
By default, it's retained for one day. This cache isn't persistent; the following reasons lead to the cache being flushed:
DAT updates
Enabling scanning archives
Increasing the GTI sensitivity
Enabling potentially unwanted program scanning
If the file isn't accessed for 24 hours, the hash is removed from the cache
NOTE: The flushing of the cache is, by default, set to occur at a predefined time. This value is configurable.
What are the key features of using the Multi-Platform OSS global cache?
The following benefits are achieved using this technology:
Independent client and offload scan server cache size. This feature allows the shared server cache to be larger and improves the hit rate of the shared cache.
OSS's cache is no longer pulled to the clients, which avoids cache poisoning.
Temporary cache of large file scan results, which improves subsequent large file access performance.
Client cache persists across system restart, improving boot time and overall performance.
Staggered cache expiration, which reduces the performance impact of configuration changes and DAT updates.
Greatly improved client cache look-up algorithm, which significantly improves the client's cache performance.
Scan results for network and removable drives are no longer cached, improving security.
Client uses a connection pool, which allows predictable scalability and removes the risk of a single client saturating the MOVE OSS.
Is it possible to repopulate the Multi-Platform OSS global cache after a DAT update (for importing after one server scans a golden image)?
Yes. Run an ODS on the golden image. The ODS then repopulates the cache. After the cache is populated, provision the VMs from this golden image.
What account does MOVE Multi-Platform OSS use when scanning VMs?
The OSS only scans the file; it's the client system that blocks access or deletes the file.
Why are files stored under User directories (such as Desktop, My Documents) not scanned with MOVE Multi-Platform when the folder is redirected using Distributed File System (DFS)?
As long as the DFS folder is set up as a network share, MOVE Multi-Platform scans it.
Is there a way to calculate the number of VMs that a MOVE Multi-Platform OSS can handle?
No. But, it's possible via the MOVE Multi-Platform SVA Manager to control the number of clients connecting to the OSS. See section "Configuring client load per SVM (Multi-Platform)" from any of the MOVE Multi-Platform 4.6 or later Product Guides.
How does a client associate (stick) with a Multi-Platform OSS scanner?
An OSS must first be assigned to the client via the SVA Manager. Only after protection becomes available to the client does it start sending scan requests to that OSS.
Does MOVE Multi-Platform support the same Low-Risk process Exclusions as available in VSE?
Yes. MOVE Multi-Platform uses the same technical functionality as VSE does regarding the Low-Risk process exclusions.
Is there a tool to help customers migrate VSE path exclusion policies to MOVE Multi-Platform?
Yes. See section "Using the Import option" in the relevant Multi-Platform product guide. These exclusions are seamlessly imported via an XML file. There's also an option to purge the existing exclusions before an import takes place.
Are the SVA and SVM the same device in the MOVE Multi-Platform architecture? If not, how do they differ?
They're not the same. The SVM is an OSS that handles the scanning. The SVA is an SVA Manager that handles load balancing for SVM.
Is it possible to identify which SVM isn't connected to the SVM manager?
If the SVM is connected to the SVM Manager and disconnected later, run the MOVE AntiVirus SVM Manager: SVM Registration Events report.
Does MOVE Multi-Platform architecture require an SVA or SVM?
This requirement depends on the load:
If the number of clients is small, there's no need for an SVA Manager.
If the number of clients is large, it's advantageous to implement load balancing of the SVM using an SVA Manager.
Is it possible to prevent a local administrator from stopping the MOVE Multi-Platform Services?
Yes. A new password-protected CLI allows the ePO administrator to configure a password for mvadm commands via the ePO interface. Without the password, users or local admins can't access the mvadm command interface to change the integrity level and can't access the service restart.
How much disk space is used or needed when deploying the MOVE Multi-Platform SVM Manager 4.5?
The SVM Manager is an OVF, so the hard drive comes bundled. By default, the SVM Manager 4.5 has a 16 GB hard disk bundled with it.
What's the function of the SVA Manager?
The SVA Manager is a Virtual Appliance used to match up an endpoint with its OSS. This function requires almost no traffic to occur and only happens when the endpoint needs a new scanner assigned. After it has one, it stays with it. Most customers need only a single SVA Manager for their whole Enterprise. If the SVA Manager goes offline, the relationships between OSS and clients are unaffected. ePO directly manages the SVA.
What happens when a MOVE Multi-Platform SVA Manager becomes unavailable?
Any client that already has an OSS IP address continues to use it while the SVA Manager is offline. In this condition, if the client can't reach an OSS for any reason, it fails open and allows access.
Is there any way for the policies to notify the administrator when the maximum number of connected Multi-Platform endpoints is reached?
Yes. The maximum number of connected endpoints depends on the load setting configured. The load settings are in the OSS General policy under Client loads: Heavy (150 clients), Medium (250 clients), Low (300 clients), and Custom (user-defined). The Threshold for OSS Capacity option on the Events tab sets a percentage threshold (for example, 90%); any event at or above that value is sent to ePO. When the threshold is met or exceeded, an alert is generated, which helps the ePO administrator determine whether an additional OSS needs to be provisioned in the current environment.
Why is the SVM 4.5.0.268 not connecting to the SVM Manager 4.5?
With the release of MOVE AV Multi-Platform 4.5.0.257, TLS 1.2 is used for secure communication. For an SVM to communicate with the SVM Manager, all MOVE AV Multi-Platform components must be upgraded to the latest hotfix.
NOTE: All SVM or client hotfixes released after MOVE 4.5.0.257 can communicate with SVM Manager 4.5.0.257 and later (because of the TLS 1.2 change mentioned).
How does a change in the TIE reputation get handled when the endpoint already has the file hash in its local cache?
Reputation changes are received at SVM through the DXL fabric. The SVM cache is updated with the new reputation and is propagated to each client. Clients only have the Known Trusted TIE reputation cached for any file. If the reputation is changed from Known Trusted to another reputation level, the cache is updated. The entry is removed and then actions based on the configuration set in the policy (on the next access of the file) are undertaken.
Are customers expected to update or maintain MA on the MOVE AV Multi-Platform SVM client and SVM Manager or are updates released via a new OVF?
MOVE supports upgrades of MA on MOVE SVM and SVM Manager.
Do client-side log entries similar to Cache Hit, Not Scanning indicate that the file isn't scanned again because it's found in the Scan Cache?
Yes, these log entries mean that the file isn't scanned again because it's present in the cache. After a file is scanned and considered clean, it's added to the scan cache on the client side. If it's changed or the cache entry expires, the file is then rescanned.
If a file must be sent to MOVE AV Multi-Platform to be scanned, is it sent in an encrypted or unencrypted format?
In MOVE AV Multi-Platform, there are two ways in which files are transferred to the scanning appliance (SVM):
If the file size is smaller than the default threshold (40 MB), the complete file is sent to the SVM in an unencrypted format.
If the file size is larger than the default threshold, the file is sent in chunks (offset of the file) when requested by the SVM, and then scanned.
MOVE AV Multi-Platform keeps hitting .TMP files and handling them as an archive. How can I tell if a .TMP file is an archive or not?
To determine if a .TMP file is an archive file, open it in Notepad or Ultraedit and check the file header. You can also use a free tool, such as Exeinfo, to determine the file type.
What causes Event ID 36993 (OSS average scan time threshold hit) and Event ID 36994 (OSS average scan time threshold restored) to repeatedly occur in MOVE AV Multi-Platform 4.0 SVM?
These events are triggered when the average scan time of the SVM is more than the configured value. By default, this value is 5 minutes.
When the primary SVM goes down and VMs automatically connect to the secondary SVM, do the VMs automatically revert to the primary SVM when it recovers?
No. Even though the primary SVM recovers, the VMs remain connected to the secondary SVM until it goes down.
Can Deferred scan notifications during OAS be disabled in MOVE AV Multi-Platform 4.6?
Yes. Follow the steps below to disable the deferred scan notifications:
Open the Action Center from the client computer.
Click All Settings.
Select Notifications & Actions from the left pane.
Disable notifications.
Does MOVE AV Multi-Platform support encrypted channel communication between the client and SVM?
No.
Does MOVE AV Multi-Platform support encrypted channel communication between the client and SVM Manager?
No.
Does MOVE AV Multi-Platform support encrypted channel communication between the SVM and SVM Manager?
Yes.
EOL period—The time frame that runs from the day we announce product discontinuation, until the last date that we formally support the product. In general, after the EOL period is announced, no enhancements are made.
EOL date—The last day that the product is supported, according to the terms of our standard support offering.