General
What's MOVE?
MOVE is the family name for two related Management for Optimized Virtual Environments (MOVE) products. Virtual Machines (VMs) running on server-class systems that contain virtualization software, including VMware ESX or Citrix XenServer, need an antivirus application running on each VM on a hypervisor. (A hypervisor is a general term that describes virtualization software such as VMware ESX, Citrix XenServer, and Microsoft Hyper-V.)
When you run an antivirus application on each VM on a hypervisor, there's high usage of resources such as disk, CPU, and memory. It results in a reduced VM density per hypervisor. MOVE AV solves this issue by offloading all On-Access Scans (OASs) to a dedicated VM that runs VirusScan Enterprise (VSE). There's no need to install a traditional antivirus application such as VSE on each VM. The dedicated VM improves performance and allows an increased VM density per hypervisor.
What's MOVE AV Agentless?
This option allows integration with VMware vShield (vSphere and ESXi) using vShield Endpoint. MOVE AV Agentless provides virus protection for VMs and contains an SVA delivered as an Open Virtualization Format (OVF) package. MOVE AV Agentless supports On-Demand Scans (ODSs) natively. MOVE Agentless systems don't have VSE installed. The MOVE AV Agentless components are listed below:
| Component | Description |
| --- | --- |
| SVA | Provides antivirus protection for VMs and communicates with the loadable kernel module on the hypervisor, ePolicy Orchestrator (ePO), and Global Threat Intelligence (GTI) servers. The SVA is the only system directly managed by ePO, but you can install McAfee Agent (MA) and other McAfee products on VMs. VirusScan Enterprise for Linux (VSEL), MA, and MOVE AV Agentless come preinstalled. |
| ePO | Allows you to configure policies to manage MOVE AV Agentless and provides reports on malware discovered in your virtual environment. |
| File Quarantine | Remote quarantine system, where quarantined files are stored on an administrator-specified network share. |
| GTI | Classifies suspicious files that are found on the file system. When the real-time malware defense detects a suspicious program, it sends a DNS request for analysis. The request is sent to a central database server hosted by Trellix Advanced Research Center. |
| Hypervisor (ESXi) | Allows multiple operating systems to run concurrently on a hosted system. The hypervisor is a virtual operating platform that manages the execution of the guest operating systems. ESXi is an embedded hypervisor for servers that runs directly on server hardware without requiring another underlying operating system. |
| VMware vCenter | Console that manages the ESXi servers, which host the guest VMs that require protection. |
| vCloud Networking and Security Manager | Manages the vShield components for the SVA and VMware vShield Endpoint, and monitors the health of the SVA. |
| VMs | Isolated guest operating system installations in a normal host operating system that support both virtual desktops and virtual servers. |
| VMware NSX Manager | Console that allows you to configure, provision, and automate the protection on the endpoints in a data center. |
What's MOVE AV Multi-Platform?
MOVE AV Multi-Platform is for OAS and ODS of end nodes. The MOVE AV Multi-Platform components are listed below:
| Component | Description |
| --- | --- |
| SVA Manager | Automatically assigns offload scan servers to MOVE Multi-Platform clients based on configurable parameters. These parameters include Scan Server load, ePO tags, and IP address ranges. |
| ePO | Communicates with MA, manages the Multi-Platform configuration, and provides reports on malware discovered in your virtual environment. |
| MA | Communicates with ePO, applies policies to each virtual machine, and deploys the MOVE AV Multi-Platform client. |
| Hypervisor | Allows multiple operating systems to run concurrently on a hosted system. The hypervisor is a virtual operating platform that manages the execution of the guest operating system. |
| MOVE AV client | Allows virtual machines to interact with the offload scan server (OSS) for file scanning and malware detection. Enforces actions on the client when a threat is detected. |
| MOVE AV client extension | Provides policies and controls for configuring and managing the behavior of the MOVE AV client through ePO. |
| MOVE AV Offload Scan Server | Provides offloaded scanning support for VMs, which minimizes the performance impact on virtual desktops. |
| MOVE AV Offload Scan Server extension | Provides policies and controls for configuring and managing the behavior of the MOVE AV offload server through ePO. |
| VSE | Provides antivirus protection for the offload scan server VM and communicates with the GTI servers. |
| Data Center Connector for vSphere | Integrates the management and automation feature of ePO to discover and manage your guest VMs. |
What's MOVE Scheduler?
The Scheduler is used with MOVE Multi-Platform clients. Traditional security solutions for virtual environments run as an antivirus application on every VM on the hypervisor. This model results in reduced VM density per hypervisor and causes high disk, CPU, and memory usage. Common tasks such as scanning for viruses can occur on all servers at the same time. These tasks create a significant load on the virtual infrastructure and negatively impact performance.
MOVE Scheduler solves these issues for VSE environments by distributing ODSs across all client VMs. The ODSs are based on parameters such as maximum concurrent scans per hypervisor, maximum concurrent scans per storage, and hypervisor CPU usage. These parameters make sure that VMs remain usable during scans.
MOVE Scheduler 2.x is reaching EOL; what's going to replace it?
The MOVE Scheduler functionality is now included in MOVE 4.0 and later. For details, see the MOVE Scheduler to MOVE Multi-Platform Migration Guides.
How do I enable debug logging via the command line?
To enable debug logging for both Move Agentless and Multi-Platform via the command line, see KB87799 - How to enable debug logging for MOVE Agentless and Multi-Platform via the command line.
How do I generate a MER file for MOVE AntiVirus?
Can MOVE be disabled through policy when managing via ePO?
No. The MOVE software can't be enabled or disabled via ePO policy enforcement. The only option for disabling by policy is disabling OASs or ODSs.
Compatibility
What guest platforms does MOVE Multi-Platform support?
For details, see KB74865 - Supported platforms for Management for Optimized Virtual Environments.
Does MOVE Agentless or Multi-Platform support GTI File Reputation?
Yes. GTI File Reputation is configured using the Scan Items policy.
Are there any plans to cover the Linux operating system by MOVE Agentless?
MOVE Agentless supports the Linux operating system only when VMware supports it. MOVE Agentless supports all operating systems supported by VMware Endpoint Security. For a list of operating systems that are supported with the VMware vShield Endpoint Thin Agent that's used with the MOVE products, see the VMware site.
Can MOVE Multi-Platform run in VDI mode with VMware Horizon 6 for non-persistent VMware images that close as a user logs off and goes back to a gold image state?
Yes.
What support is provided for VDI clients?
MOVE Multi-Platform supports VDI and Thick Clients for all host platforms.
Can the MOVE Multi-Platform SVA Manager work in a Microsoft Hyper-V environment?
Yes. You must convert the SVA Manager when you import the ( ) package to the Hyper-V server. An ( ) package is a TAR archive file with the OVF directory inside.
NOTE: Hyper-V is supported only with MOVE Multi-Platform clients.
Does MOVE Multi-Platform support Acropolis Hypervisor (AHV)?
Yes. MOVE Multi-Platform is hypervisor-agnostic and works seamlessly on AHV.
NOTE: AHV is the new name for a Kernel-based Virtual Machine (KVM).
How do you check the MOVE-AV-AL_SVM_Pkg_4.5.1.227.zip package into the ePO 5.3.2 Master Repository?
The MOVE 4.5.x SVM package isn't meant to be checked in to the ePO Master Repository. Check it into the SVM Repository. The SVM Repository is on the MOVE Deployment Page under General, Configuration Settings.
support the use of a multi-tenant database?
No. Use of a multi-tenant database isn't supported.
Install, Upgrade, or Migrate – MOVE Agentless
Can I provide the same NSX Manager name while registering the NSX Manager details on the MOVE Deployment configuration page?
No. It isn't supported.
Is it possible to selectively install the MOVE Agentless vShield driver on a single client via an SVA deployment?
No. It isn't possible to selectively install the vShield driver on the clients with an SVA deployment. By default, installation is tried on all VMs.
Can ePO be used to update the MOVE Agentless SVA automatically with updates and hotfixes?
ePO can be used to apply product hotfixes and updates.
How many SVAs need to be deployed for any given number of data centers?
For a MOVE Agentless solution, one SVA per host is needed regardless of the size of the data center. In a MOVE Agentless deployment, it isn't possible to set up a secondary SVA for failover. The inability to set up a secondary SVA for failover is a VMware limitation.
Is it possible to migrate the MOVE Agentless SVA to another host?
No. It's never a good idea to migrate the SVA from one host to another. This is because the SVA is registered to a hypervisor; it protects only VMs on that hypervisor.
Is it possible to upgrade the SVA via ePO?
Yes. It's possible from MOVE Agentless 4.x.x.
What user permissions are needed to successfully install the MOVE Agentless vShield driver?
All domains that are part of protected VMs have to be added to the ePO LDAP server registration page. The user must have domain administrator rights for the vShield driver to be installed successfully on the VM clients. This is because ePO must access these client VMs remotely to install the endpoint driver, and only domain administrators have the permission to do so.
Is MOVE AV Agentless supported on Linux hosts?
MOVE AV Agentless 4.5.1 is supported on Linux hosts. NSX 6.3 is needed for MOVE AV Agentless 4.5.1 to work properly.
How is a manual deployment of MOVE AV Agentless with vCNS performed?
Manual deployment of MOVE AV Agentless with vCNS occurs from the respective vCenter and can't be done directly from ESXi.
Install, Upgrade, or Migrate – MOVE Multi-Platform
Does the upgrade of the MOVE Multi-Platform clients and servers require a system restart?
No.
What host platforms does MOVE Multi-Platform support?
MOVE Multi-Platform is a Hypervisor agnostic solution.
Are clients protected during an SVA Manager upgrade?
Yes. A client and Multi-Platform OSS can function using an earlier SVA Manager until the upgrade is completed. The clients are already connected to an OSS. The clients continue to connect to an SVA Manager when there's no OSS assigned.
When migrating a Virtual Guest system to another hypervisor because of operational needs, which OSS is responsible for scanning the migrated Virtual Guest? Also, do I need to point the migrated Virtual Guest manually to the local OSS running on the other Hypervisor, or is it assigned automatically based on ePO Policy or Hypervisor Integration?
The clients are always automatically protected wherever you migrate them, so long as the clients can communicate with the OSS.
Should I convert the .vmdk file (part of SVA Manager appliance) into a .vhd file using the Microsoft Virtual Machine Converter software, or are the files provided?
The MOVE Multi-Platform Product Guide, under the "Requirements for SVA Manager" section states that to deploy on a Hyper-V, convert the .vmdk file, which is part of the SVA Manager appliance, into a .vhd file. Then, attach the .vhd file as a hard disk to the new VM in Hyper-V. To convert .vmdk to .vhd, you can use the Microsoft Virtual Machine Converter software. The SVA Manager package is bundled with the required files. Customers only need to deploy the package.
Can the default MOVE Multi-Platform installation directory be changed?
No. The default installation folder (C:\Program Files or C:\Program Files (x86)) can't be changed when deployed via ePO.
What's the standard recommendation for the MOVE Multi-Platform setup?
The recommended design is to have the scan servers on the same subnet and as close to the VMs as possible (fewest network hops). There's also no problem with a dual-homed configuration.
Is a mixed environment supported (backward compatibility) with the SVA Manager and the OSS or clients while upgrading?
This support is given only for a short period where a customer is upgrading. It's recommended to have all products upgraded to the same version as soon as possible.
Can I upgrade the SVA Manager operating system if the operating system prompts me to upgrade?
No. When you see the message "New Release 'Version' available," ignore it, because updates are incorporated automatically with new releases of the SVA Manager appliance.
CAUTION: Trying to upgrade the operating system using this method might result in the SVA Manager appliance entering a broken state.
Can a MOVE Multi-Platform OSS handle a scan request from an earlier MOVE client installation?
Yes. Backward compatibility and protection are maintained during upgrades. But, it's recommended that you get the clients upgraded to the later MOVE Multi-Platform versions as quickly as possible. The upgrade helps them benefit from the new features and optimizations offered in the latest release.
How is a manual deployment of MOVE AV Multi-Platform SVM Manager performed?
Manual deployment of MOVE AV Multi-Platform SVM Manager occurs from the respective vCenter and can't be done directly from ESXi.
Configuration
Why is the Agentless Policy per Virtual Machine (PPVM) enable or disable option no longer available after an upgrade to MOVE AV 4.0?
This option in MOVE AV Agentless 4.0 is now enabled by default and can't be disabled.
optimizes and consolidates legacy products into an integrated, efficient new platform. A new MOVE AntiVirus
4.0.0. Sometimes, they're merged with other MOVE AntiVirus
file from /opt/McAfee/move/etc
NOTE: The OSS can generally be assigned to 200–400 workstation endpoints, depending on the load of the endpoints. The limiting factor is the number of concurrent scan requests that the clients trigger.
High availability file share servers require more OSS resources than workstation endpoints do, resulting in a lower OSS ratio.
IMPORTANT: In large-scale MOVE Multi-Platform deployments, use the MOVE SVA Manager to assign an IP address of the MOVE Multi-Platform OSS server to the requesting MOVE Multi-Platform clients. In this configuration, all OSS servers register themselves with the SVA Manager. The SVA Manager keeps a pool of active OSS servers and assigns a server to a requesting client from this pool. With this architecture, the SVA Manager must always be available to the MOVE Multi-Platform clients.
How does MOVE Agentless SVA establish a connection with the VMware vShield Manager?
The MOVE SVA uses API calls to communicate directly.
Is it possible to configure MOVE Agentless SVA Manager to failover for Disaster Recovery?
No. Technical Support can't help you with setup or configuration of a MOVE Agentless SVA Manager in an Active: Passive cluster solution because it's an unsupported configuration.
NOTE: Contact the vendor (VMware, Citrix, or Hyper-V) for support if the MOVE Agentless SVA Manager is configured in this manner.
Is there a script to reconfigure the SVA manager with new ePO information?
Yes. The sva-config.sh script is located at
How do you unmanage an SVM Manager from ePO?
Use the command ./maconfig -provision -unmanaged
Can I access the SVM Manager via SSH?
Yes, but SSH is disabled by default. To enable SSH, start the SVA configuration utility and toggle the Disable SSH setting accordingly (yes or no).
Functionality – MOVE Agentless and Multi-Platform
Does MOVE support the use of the ePO option to retain policy and client task settings?
No. MOVE doesn't support the use of this option. Technical Support recommends using the default settings.
Can MOVE ODS resume a scan from a last scanned file?
No. MOVE ODS doesn't possess the capability of resuming a scan after it has been interrupted.
Where can I find a list of all Event IDs for the MOVE Multi-Platform or MOVE Agentless Client?
All Event IDs are listed in KB77944 - List of Event IDs for MOVE Agentless and Multi-Platform.
Is there an Agentless or Multi-Platform list of Event IDs?
For details, see KB77944 - List of Event IDs for MOVE Agentless and Multi-Platform.
What happens if a VM node doesn't have a supported version of VMware tools installed; is it reported in ePO?
No. ePO can't report any VM client details running outdated versions of VMware tools.
Can systems in the cloud be imported in ePO?
Yes. The Data Center Connector for vSphere helps you discover and import your virtual infrastructure in the ePO System Tree. The administrator can also view and query their virtualization properties, protection status, and security compliance using several dashboards and queries.
Are there any troubleshooting tools for MOVE?
Yes. For further details, see the MOVE Product Guides. This tool is used on the SVA Manager from the command line interface (CLI).
Can MOVE SVA Manager 4.5 communicate with MOVE Client 4.0 and MOVE SVM 4.0?
Yes. MOVE SVA Manager 4.5 can communicate with MOVE Client 4.0 and MOVE SVM 4.0.
Is it possible to remotely access logs of an SVA?
No. Logs must be retrieved locally on the client.
Is a local database that contains previously scanned files or hashes retained on the MOVE 4.0 client when the client is rebooted?
Yes. There are two clean caches that contain the files and hashes. One is on the client and one is on the OSS (SVM) system. The cache is retained on the client even after a reboot. During the service restart, the cache is written to the disk. Then, it's imported back into the memory after the service completes the restart. By default, the client cache entries are valid for 24 hours.
When a MOVE client requests a file scan, are files locked down until the scan is complete? Or, is execution allowed and blocking applied after scan completion?
Until any scan is complete, the files remain in an action-denied state. If the scan times out (45 seconds by default) and scanning isn't complete, a Deferred Scan is initiated on the files. If scanning fails, access to the file is maintained; but, it's not cached.
How do I enable debug logging for MOVE extensions through ePO?
For details, see KB88727 - How to enable debug logging for the MOVE Extension.
What happens to a MOVE client when its lease expires and it tries to re-request an SVM?
After the lease time expires, the client requests to get an SVM through the SVM Manager while remaining connected to the old SVM. The result is that the request fails because the SVM Manager is Unavailable. The client continues to remain protected by the old SVM. Running the status command displays SVM Manager in Connecting state.
If the SVM Manager is unavailable, when will a MOVE client retry requesting an SVM assignment from the SVM Manager?
As long as the policy is configured to do so, the client continues to request an SVM from the last SVM Manager that it successfully connects to. These requests occur regardless of the state the SVM Manager is in.
What's the frequency of communication between a connected SVM and the SVM Manager?
An SVM heartbeat message is sent to the SVM Manager every second.
Why does the client status still show Enabled when OAS is Disabled?
This status is an ambiguity that's corrected in MOVE 4.6. When both OAS and ODS are Disabled, the Protection Status of the client is Disabled.
How can I tell which clients are protected by MOVE AV Agentless or MOVE AV Multi-Platform from the ePO System Tree?
Add the 'Agentless Anti Malware Protection Status' and Status columns to the ePO System Tree.
NOTE: Make sure that the Data Center Connector extension is installed in the ePO console.
Does MOVE AV detect threats that have been loaded into memory?
No. MOVE AV Multi-Platform and MOVE AV Agentless don't detect threats that have been loaded into memory.
Functionality – MOVE Agentless specific
Is it possible to configure a second SVA or SVM Manager to act as a fallback to the primary?
There's no built-in high availability scenario for the SVM Manager. See the high availability configuration information from your platform vendor.
Is it possible to find the 'AV Status' for a guest directly from vCenter to know in real time when the status of a VM becomes 'not protected'?
No. The status can't be seen from the vCenter. The status is only available via ePO using the cloud connector ePO extension.
Why are there two IP addresses displayed in the SVA Manager?
One of the IP addresses is needed for internal communication, which is private between the SVA and MOVE Agentless clients. This IP address is used by VMware Endpoint Security (
With MOVE Agentless, is it possible to deploy the SVM via a script like it was possible in previous versions of MOVE Agentless?
No. This feature is no longer supported.
Does MOVE Agentless support the ability to use TIE?
No. The VMware NSX Manager doesn't currently support the ability to use TIE in the VMware ENS solution.
What's the total character limit for Excluded Paths under Path Exclusions and Process Exclusions?
For MOVE Agentless, the maximum Path Exclusion is 260 characters.
How is the scanning of large files handled by MOVE Agentless?
Regardless of file size, the complete file is transferred for scanning.
Can the scan diagnostics tool be directed at a single MOVE Agentless client?
No. The scan diagnostic task only shows the statistics for all protected VMs; it's not possible to analyze a single or specific client.
Does MOVE Agentless scan running processes?
No. It doesn't scan running processes; but, when a running process opens a file, the file gets scanned.
Are there no Low-Risk Processes with MOVE Agentless because of a lack of support in the vShield Endpoint?
Yes. It's a VMware Endpoint limitation.
If MOVE Agentless can't exclude processes, what's the best practice to exclude, for example, backup processes?
Because MOVE Agentless doesn't support process exclusions as a result of the vShield limitation, there's no way to exclude backup processes.
Can MOVE Agentless scan Network drives like MOVE Multi-Platform?
This feature has been added to MOVE AV Agentless 4.0 and later versions. Previous versions of MOVE AV Agentless don't possess this ability.
Which source repositories does the security update use to pull updates?
MOVE Agentless SVM installs all security updates directly from the Ubuntu repositories. For details, see the Repositories/Ubuntu documentation.
How often does the security AutoUpdate run?
MOVE Agentless SVM checks for security updates once per day.
Is it possible to check for security updates manually?
Yes. To check for security updates, run the command sudo unattended-upgrade --debug --dry-run
Is it possible to run the security AutoUpdate manually?
Yes. Run the following command to manually install the security updates: sudo unattended-upgrade -d
Is there a tool to help customers migrate VSE path exclusion policies to MOVE Agentless?
No. VSE exclusions aren't compatible with MOVE Agentless and that's why there's no option to import them.
Is it possible to create path exclusions for MOVE Agentless?
Yes.
NOTE: Wildcards are supported, but environment variables aren't supported.
How many clients can be supported in a VDI environment with a single Agentless SVA with default settings?
This number depends on the load on the client VMs. Under normal load conditions, 200 clients per SVA are the standard recommendation. Under extreme load conditions, SVA supports fewer clients.
Can a Targeted On-Demand Scan (TODS) be run on clients with the same name but different UUIDs?
No. Client names must be unique to make sure that a TODS runs successfully.
Why does MOVE Agentless 4.5.x send policy setting deletion events back to ePO every hour?
When PPVM is enabled, MOVE Agentless aggregates all policies into an aggregated policy object. The policy object is deleted after policy assignment occurs. Each time the aggregated policy object is deleted, it's reported back to ePO and logged in the Audit logs. This behavior is considered to be normal.
Functionality – MOVE Multi-Platform specific
When an SVM Manager failure occurs, is the client's default behavior to continue to work with their current SVAs?
Clients talk to the SVM already assigned to them. If new clients are added, those clients don't receive an SVM because they are unable to reach the SVM Manager.
Which hypervisor supports the MOVE AV Multi-Platform SVM Auto Scale feature?
VMware ESX is the only hypervisor for which the new MOVE AV Multi-Platform 4.0 Auto Scale feature is implemented.
What are the maximum concurrent scans for ODS and TODS?
The maximum concurrent scans for ODS and TODS are 2. Any more increases the load on the OSS or Hypervisor, with the potential to result in an increased OAS time or decreased response time.
What's the
file found on Multi-Platform clients?
This file is created when a user disables the AV protection. The cached entries on the client side are dumped into this file and are loaded back into the memory when the user re-enables the protection. The file resides in the installation directory.
What happens when the Primary OSS fails?
The primary OSS remains in standby after it recovers from failure, and the secondary OSS remains the active OSS.
Under what circumstance is the client cache file not populated?
When the file is smaller than the size mentioned in the 'Scan result cache' client policy, the file is transferred completely to the OSS. Otherwise, only relevant bytes requested by the scan engine during the scan are sent.
What happens after a deferred scan times out?
The file is allowed access and a fail-open happens.
Do primary and secondary OSSs maintain a connection with each other for status monitoring and failover?
No. The endpoints themselves maintain a connection to both OSSs to monitor the status and perform a failover. The failover occurs if the MOVE agent can't reach the primary OSS; it then tries to reach the secondary OSS.
How is the scan load on the OSS handled?
When the primary and secondary OSSs are configured via ePO, there's no awareness of overload on the OSS. If an SVA Manager is used to assign the clients to an OSS, the SVA Manager takes care of monitoring the load on the OSS.
What happens to the files sent for scanning to the OSS?
The files will be deleted after the scan is completed.
Does MOVE AV Multi-Platform scan running processes?
No. It doesn't scan running processes; but, when a running process opens a file, the file gets scanned.
Why do scan timeouts occur?
The antivirus products have an intentional cut-off time when the scan of a particular file must stop, and the scan time-out feature is intended to prevent a denial-of-service.
For details, see KB55869 - Explanation of why scan time-outs occur.
How are the clients protected when the OSS isn't available?
Currently, the file is fail-opened if the scan server is unavailable. There's a socket connection established between the client and server. When the server goes down, the client doesn't send the file, and no network traffic is generated.
mvadm disable
. The cache file gets saved to the installation directory named
. On the Multi-Platform Server, run the command
mvadm cache save
Is a system authentication needed during a scan file transfer?
No. There's no authentication undertaken from a Multi-Platform client when a file is sent for scanning to the OSS.
Can wildcards be used when configuring the process exclusion list in MOVE Multi-Platform?
No. Process exclusion in MOVE Multi-Platform doesn't support the use of wildcards.
Can an on-demand scan be performed on a network drive?
MOVE Multi-Platform supports network scanning of files with OASs. ODSs can't be performed on network drives. This is because MOVE Multi-Platform is a service that runs under the system account, so it doesn't see network drives mapped to individual users logged on during the ODS.
What's the impact of enabling Network File Scanning?
MOVE Multi-Platform network scanning essentially comes with double the network impact. This impact is because it must first transfer the file from the network to the local system, and then transfer the file to the SVA for scanning. Thus, essentially, the file is transferred over the network twice.
IMPORTANT: If you're concerned about performance, don't use network scanning, even for traditional VSE. Instead, scan the file at its source. If it's dirty, you're denied access and no data is transferred over the network. If it's clean, the file is transferred. You use less network bandwidth, and the user sees better performance.
NOTE: The virtual machine must be restarted after enabling the network scanning policy.
C:\Program Files (x86)\McAfee\MOVE AV Server\mvserver.log
NOTE: They're available only after enabling DEBUG logging.
How is the scanning of large files handled by MOVE AV Multi-Platform?
When a large file is opened on the same client for a second time, it's scanned again only if the file is changed. A file copy is always considered as a file change and is always sent for scanning.
What On-Demand events are generated?
When an ODS starts, an event is sent to the ePO server, which provides details of the VM. The complete details are also available in the OSS server logs after DEBUG logging is enabled.
Are both scans on read or write needed?
Yes. Disabling scan on read isn't advised as a large group of malware can infect files using the On-read method.
What factors affect a MOVE AV Multi-Platform TODS?
Several factors need to be considered. For details, see KB88056 - Factors that affect a MOVE Multi-Platform 4.x Targeted on-demand scan.
What advantages does MOVE AV Multi-Platform offer over traditional endpoint security?
The advantages are covered in the MOVE AntiVirus 4.X Performance Advantages Solution Brief.
Can the scan diagnostics tool be directed at a single MOVE AV Multi-Platform client?
No. The scan diagnostic task only shows the statistics for all protected VMs; it's not possible to analyze a single or specific client.
NOTE: For the scan diagnostic tool to collect data successfully, file activities must be triggered on the client system.
What's the function of the MOVE AV Multi-Platform OSS?
OSS is an application built on a Windows platform, which performs the heavy scanning workload with VSE.
Does MOVE 4.0 Support Endpoint Security (ENS) Threat Prevention 10.x?
No. Currently only VSE 8.8 is supported on the OSS.
How is the MOVE AV Multi-Platform OSS workload calculated?
The OSS load percentage is calculated as follows:
(Number of endpoints connected to OSS / Max. number of endpoints that can be connected to OSS) × 100.
NOTE: The number of clients that an OSS can handle optimally depends on the load on the client VMs. Under higher load conditions, more OSSs are needed.
How does the MOVE AV Multi-Platform OSS avoid scanning the same file?
This avoidance of duplicate scanning is achieved by the OSS global cache. The cache avoids scanning the same file from requests that come from different MOVE AV Multi-Platform clients. If the file is scanned and found clean, it's added to the server cache file and not scanned again. The location of the file is
C:\Program Files (x86)\McAfee\MOVE AV Server\evt_cache
NOTE: The flushing of the cache is, by default, set to occur at a predefined time. This value is configurable.
What account does MOVE Multi-Platform OSS use when scanning VMs?
The OSS only scans the file; it's the client system that blocks access or deletes the file.
Why are files stored under User directories (such as Desktop, My Documents) not scanned with MOVE Multi-Platform when the folder is redirected using Distributed File System (DFS)?
As long as the DFS folder is set up as a network share, MOVE Multi-Platform scans it.
Is there a way to calculate the number of VMs that a MOVE Multi-Platform OSS can handle?
No. But you can control the number of clients that connect to an OSS via the MOVE Multi-Platform SVA Manager. See the section "Configuring client load per SVM (Multi-Platform)" in any of the 4.6 or later Product Guides.
How does a client associate (stick) with a Multi-Platform OSS scanner?
An OSS must first be assigned to the client via the SVA Manager. Only after that assignment does protection become available to the client, and it then starts sending its scan requests to that OSS.
Does MOVE Multi-Platform support the same Low-Risk process Exclusions as available in VSE?
Yes. MOVE Multi-Platform uses the same mechanism as VSE for Low-Risk process exclusions.
Is there a tool to help customers migrate VSE path exclusion policies to MOVE Multi-Platform?
Yes. See section "Using the Import option" in the relevant Multi-Platform product guide. These exclusions are seamlessly imported via an XML file. There's also an option to purge the existing exclusions before an import takes place.
Are the SVA and SVM the same device in the MOVE Multi-Platform architecture? If not, how do they differ?
They're not the same. The SVM is the OSS that performs the scanning. The SVA is the SVA Manager, which handles load balancing across the SVMs.
Is it possible to identify which SVM isn't connected to the SVM manager?
Yes. If an SVM was connected to the SVM Manager and disconnected later, run the MOVE SVM Manager: SVM Registration Events report to find it.
commands via the ePO interface. Without the password, users and local administrators can't access the command interface to change the integrity level, and can't restart the service.
How much disk space is used or needed when deploying the MOVE Multi-Platform SVM Manager 4.5?
The SVM Manager is delivered as an OVF, so its virtual hard disk comes bundled with it. By default, the SVM Manager 4.5 ships with a 16 GB virtual disk.
What's the function of the SVA Manager?
The SVA Manager is a Virtual Appliance used to match an endpoint with its OSS. This function generates almost no traffic and only happens when an endpoint needs a new scanner assigned; after it has one, it stays with it. Most customers need only a single SVA Manager for their whole enterprise. If the SVA Manager goes offline, the existing relationships between OSSs and clients are unaffected. ePO directly manages the SVA.
What happens when a MOVE Multi-Platform SVA Manager becomes unavailable?
Any client that already has an OSS IP address continues to use it while the SVA Manager is offline. Under this condition, if the client can't reach an OSS for any reason, it fails open: access to the file is allowed even though the file couldn't be scanned.
Is there any way for the policies to notify the administrator when the number of Multi-Platform connected endpoints is reached?
Yes. The maximum number of connected endpoints depends on the load setting selected. The load settings are in the OSS General policy under Client loads, and can be set to Heavy (150 clients), Medium (250 clients), Low (300 clients), or Custom (user-defined). The Threshold for OSS Capacity option on the Events tab sets a percentage threshold (for example, 90%); any event at or above that value is sent to ePO. When the threshold is met or exceeded, an alert is generated, which helps the ePO administrator decide whether additional OSSs need to be provisioned in the environment.
Why is the SVM 4.5.0.268 not connecting to the SVM Manager 4.5?
Starting with MOVE AV Multi-Platform 4.5.0.257, TLS 1.2 is used for secure communication between components. For an SVM to communicate with the SVM Manager, all MOVE AV Multi-Platform components must be upgraded to the latest hotfix.
NOTE: Because of the TLS 1.2 change, SVM or client hotfixes released after MOVE 4.5.0.257 can only communicate with an SVM Manager at 4.5.0.257 or later.
How does a change in the TIE reputation get handled when the endpoint already has the file hash in its local cache?
Reputation changes reach the SVM through the DXL fabric. The SVM cache is updated with the new reputation, and the change is propagated to each client. Clients cache only the Known Trusted TIE reputation for a file. If a file's reputation changes from Known Trusted to another level, the client cache is updated: the entry is removed, and on the next access of the file the actions configured in the policy are applied.
Are customers expected to update or maintain MA on the MOVE AV Multi-Platform SVM client and SVM Manager or are updates released via a new OVF?
MOVE supports upgrades of MA on MOVE SVM and SVM Manager.
Do client-side log entries similar to Cache Hit, Not Scanning indicate that the file isn't scanned again because it's found in the Scan Cache?
Yes. These log entries mean that the file isn't scanned again because it's present in the cache. After a file is scanned and found clean, it's added to the scan cache on the client side. If the file changes or the cache entry expires, the file is rescanned.
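The caching behaviour described in the OSS global cache, TIE reputation and client scan cache questions above, together with the fail-open behaviour described for an unreachable OSS, can be modelled in a few classes. The following is an added example written for this page, not McAfee's code: it keys entries by content hash (so an edited file misses), caches clean verdicts only, expires them, drops an entry when a reputation update from Known Trusted arrives, and allows access when no OSS is reachable. The class names, TTL values, the toy scan engine and the sample file contents are assumptions.

```python
"""Two-level scan cache as described on this page: a client cache in front of the
OSS global cache, keyed by content hash, with TTL expiry, TIE reputation
invalidation and fail-open when no OSS is reachable. Added example, not McAfee
code; class names, TTL values and the toy scan engine are assumptions."""
from __future__ import annotations
import hashlib

CLEAN, MALICIOUS = "clean", "malicious"
KNOWN_TRUSTED = "Known Trusted"          # the only TIE reputation a client caches


def file_key(content: bytes) -> str:
    """Key by content hash, so any change to the file is a cache miss."""
    return hashlib.sha256(content).hexdigest()


class ScanCache:
    """Holds clean verdicts only; an entry is valid until it expires or is invalidated."""

    def __init__(self, ttl: float):
        self.ttl, self.entries = ttl, {}     # key -> expiry time

    def hit(self, key: str, now: float) -> bool:
        expiry = self.entries.get(key)
        if expiry is not None and now < expiry:
            return True
        self.entries.pop(key, None)          # missing or expired: force a rescan
        return False

    def add_clean(self, key: str, now: float) -> None:
        self.entries[key] = now + self.ttl

    def invalidate(self, key: str) -> None:
        self.entries.pop(key, None)


def toy_engine(content: bytes) -> str:
    """Stand-in for VSE on the OSS: a constructed marker string counts as malicious."""
    return MALICIOUS if b"MALWARE-MARKER" in content else CLEAN


class OSS:
    """Offload scan server owning the global cache shared by all its clients."""

    def __init__(self, ttl: float):
        self.cache, self.clients, self.reachable, self.scans = ScanCache(ttl), [], True, 0

    def scan(self, content: bytes, now: float) -> tuple[str, str]:
        key = file_key(content)
        if self.cache.hit(key, now):         # same file already seen from any client
            return CLEAN, "oss cache hit"
        self.scans += 1                      # the engine actually runs
        verdict = toy_engine(content)
        if verdict == CLEAN:                 # only clean results are cached
            self.cache.add_clean(key, now)
        return verdict, "scanned"

    def reputation_changed(self, key: str, new_reputation: str) -> None:
        """TIE reputation update over DXL: refresh the SVM cache, then every client."""
        if new_reputation != KNOWN_TRUSTED:
            self.cache.invalidate(key)
            for client in self.clients:
                client.cache.invalidate(key)


class Client:
    """Protected VM: local cache first, then the OSS; blocking is the client's job."""

    def __init__(self, oss: OSS, ttl: float):
        self.oss, self.cache, self.log = oss, ScanCache(ttl), []
        oss.clients.append(self)

    def on_access(self, content: bytes, now: float) -> str:
        key = file_key(content)
        if self.cache.hit(key, now):
            self.log.append("Cache Hit, Not Scanning")
            return "allow"
        if not self.oss.reachable:           # fail open: allowed although unscanned
            self.log.append("OSS unreachable, fail open")
            return "allow"
        verdict, how = self.oss.scan(content, now)
        self.log.append(f"OSS {how}: {verdict}")
        if verdict != CLEAN:
            return "block"
        self.cache.add_clean(key, now)
        return "allow"


def run_scenario() -> dict:
    """Constructed walk-through; returns (decision, last log line) per step."""
    oss = OSS(ttl=600)
    vm1, vm2 = Client(oss, ttl=60), Client(oss, ttl=60)
    doc, out = b"quarterly report v1", {}
    out["first"] = (vm1.on_access(doc, 0), vm1.log[-1])              # engine runs
    out["other_client"] = (vm2.on_access(doc, 1), vm2.log[-1])       # global cache hit
    out["same_client"] = (vm1.on_access(doc, 2), vm1.log[-1])        # local cache hit
    out["modified"] = (vm1.on_access(doc + b" edited", 3), vm1.log[-1])
    out["expired"] = (vm1.on_access(doc, 100), vm1.log[-1])          # local TTL passed
    oss.reputation_changed(file_key(doc), "Might Be Malicious")
    out["after_rep_change"] = (vm2.on_access(doc, 101), vm2.log[-1])
    out["malicious"] = (vm1.on_access(b"invoice MALWARE-MARKER", 102), vm1.log[-1])
    oss.reachable = False
    out["fail_open"] = (vm1.on_access(b"new MALWARE-MARKER", 103), vm1.log[-1])
    out["engine_runs"] = oss.scans
    return out
```

Running run_scenario() shows the engine executing only four times across nine accesses: the second client's request for the same file is served from the OSS global cache, the first client's repeat access from its local cache, and the expired local entry is refreshed from the still-valid OSS entry rather than rescanned. The reputation change empties both caches so the next access is scanned again. The last step is the caveat: with no OSS reachable the client allows a file the engine would have flagged, so monitoring OSS reachability matters as much as monitoring detections.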
file is an archive file, open it in
and check the file header. You can also use a free tool, such as Exeinfo, to determine the file type.
What causes Event ID 36993 (OSS average scan time threshold hit) and Event ID 36994 (OSS average scan time threshold restored) to repeatedly occur in MOVE AV Multi-Platform 4.0 SVM?
Event ID 36993 is raised when the average scan time on the SVM exceeds the configured value, and Event ID 36994 when it drops back below it. By default, this value is 5 minutes. When scan times swing above and below the threshold repeatedly, the pair of events repeats with them.
When the primary SVM goes down and VMs automatically connect to the secondary SVM, do the VMs automatically revert to the primary SVM when it recovers?
No. Even though the primary SVM recovers, the VMs remain connected to the secondary SVM until it goes down.
Does MOVE AV Multi-Platform support encrypted channel communication between the client and SVM Manager?
No.
Does MOVE AV Multi-Platform support encrypted channel communication between the SVM and SVM Manager?
Yes.