Discover with BMC Discovery

This product can be discovered by any edition of BMC Discovery. Download our free Community Edition to try it out, or see what else it can discover!

What is this?
This is a product information page, containing details of the information that BMC Discovery gathers about a product and how it is obtained.
  • Product Name: VirusScan
  • Publisher Page: McAfee
  • Category: Secure Content and Threat Management
  • Release: TKU 2019-Oct-1
  • Change History: McAfee VirusScan - Change History
  • Reports & Attributes: McAfee VirusScan - Reports & Attributes
  • Publisher Link: McAfee

Product Description

McAfee has branched its VirusScan product into different products, each relating to a specific computing environment: home, small business, or enterprise. We have focused our attention on McAfee VirusScan Enterprise, which targets enterprise businesses and combines virus detection and elimination, intrusion prevention and firewall technology in a single solution for PCs and file servers.

This documentation refers to the model for the Windows version. The Linux version is documented here

Known Versions

  • 6.0
  • 7.0
  • 7.1
  • 8.0
  • 8.5
  • 8.6
  • 8.7
  • 8.8

Software Pattern Summary

| Product Component | OS Type | Versioning | Pattern Depth |
|---|---|---|---|
| McAfee VirusScan | Windows | Package | Instance-based |

Platforms Supported by the Pattern

The pattern identifies instances of McAfee VirusScan on the Windows platform.

Identification

Software Instance Triggers

| Product Component | OS Type | Trigger Node | Attribute | Condition | Argument |
|---|---|---|---|---|---|
| McAfee VirusScan | Windows | DiscoveredProcess | cmd | matches | regex '(?i)\bvstskmgr\.exe$' or regex '(?i)\bVirusScan[^\\]*\\scan32\.exe$' or regex '(?i)\bmcshield\.exe$' |

Simple Identification Mappings

The pattern identifies the processes listed below at two levels: each process is identified through a Simple Identifier and, in addition, is modeled within a full Software Instance for McAfee VirusScan (see McAfee VirusScan#Application Model Produced by Software Pattern for more details about the approach taken to model this product).

There are Simple Identifiers for the following processes:

| Component Name | OS Type | Command |
|---|---|---|
| Alert Manager | Windows | (?i)\bamgrsrvc\.exe$ |
| VirusScan Framework Service | Windows | (?i)\bframeworkservice\.exe$ |
| VirusScan On-demand Virus Scanner process | Windows | (?i)\bVirusScan[^\\]*\\scan32\.exe$ |
| VirusScan Shield (Internet Security On-Access scanner) | Windows | (?i)\bmcshield\.exe$ |
| VirusScan Updater UI | Windows | (?i)\bUpdaterUI\.exe$ |
| VirusScan Enterprise Console | Windows | (?i)\bmcconsol\.exe$ |
| VirusScan Shstat | Windows | (?i)\bshstat\.exe$ |
| VirusScan Task Manager | Windows | (?i)\bvstskmgr\.exe$ |
| Error Reporting Service | Windows | (?i)\btbmon\.exe$ |
| Common Framework Script Engine | Windows | (?i)\bmcscript_inuse\.exe$ |
| ePolicy Orchestrator Product Manager | Windows | (?i)\bnaprdmgr\.exe$ |
| ePolicy Orchestrator System Compliance Profiler Microsoft Patch Scan | Windows | (?i)\bptchscan\.exe$ |

Versioning

Registry Versioning

The pattern searches for a registry key that has the following path and the following value:

  • Path: HKEY_LOCAL_MACHINE\\SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\<product code>\\Product Name

  • Value has subword "McAfee VirusScan"

Once this key has been found the pattern knows the value of <product code>. It uses this knowledge to obtain version and DAT version from the following two registry keys:

  • Version: HKEY_LOCAL_MACHINE\\SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\<product code>\\Version

  • DAT Version: HKEY_LOCAL_MACHINE\\SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Application Plugins\\<product code>\\DATVersion

Package Versioning

Atrium Discovery executes a search for the installed packages and tries to match them against the following regular expression:

  • ^McAfee VirusScan

When it finds a match, it extracts the version for McAfee VirusScan from the package information. Should it match on more than one package, the version information is extracted from the first package.

Application Model Produced by Software Pattern

Software Pattern Model

The pattern triggers on one of three processes, as shown in section McAfee VirusScan#Software Instance Triggers.

SI Depth

The pattern creates an Instance-Based (Deep) Software Instance, as our data shows that there can only be one instance of McAfee VirusScan running on a specific host. The key it uses to identify the Instance is based on process type (McAfee VirusScan) and host key.

Relationship Creation

Prime Processes

This pattern performs a search for all the processes running on the host, and then matches them against a set of regular expressions, listed below:

| Pattern Name | Regular Expression |
|---|---|
| McAfee VirusScan | (?i)\bvstskmgr\.exe$ |
| McAfee VirusScan | (?i)\bVirusScan[^\\]*\\scan32\.exe$ |
| McAfee VirusScan | (?i)\bmcshield\.exe$ |

All of the processes that match one of these regular expressions are then associated, as prime processes, to the Software Instance.

Related Processes

This pattern performs a search for all the processes running on the host, and then matches them against a set of regular expressions, listed below:

| Pattern Name | Regular Expression |
|---|---|
| McAfee VirusScan | (?i)\bshstat\.exe$ |
| McAfee VirusScan | (?i)\bframeworkservice\.exe$ |
| McAfee VirusScan | (?i)\bUpdaterUI\.exe$ |

All of the processes that match one of these regular expressions are then associated, as related processes, to the Software Instance.
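
The following Python sketch is an added example, not BMC Discovery pattern code: it applies the prime and related regular expressions from this page to a list of process command paths and shows which ones would trigger and populate the Software Instance. The function names and the sample paths are assumptions made for illustration.

```python
import re

# Regular expressions copied from the Prime and Related Processes tables on this page.
PRIME = [
    r"(?i)\bvstskmgr\.exe$",
    r"(?i)\bVirusScan[^\\]*\\scan32\.exe$",
    r"(?i)\bmcshield\.exe$",
]
RELATED = [
    r"(?i)\bshstat\.exe$",
    r"(?i)\bframeworkservice\.exe$",
    r"(?i)\bUpdaterUI\.exe$",
]

def classify(cmd):
    """Return 'prime', 'related' or None for one process command path."""
    if any(re.search(p, cmd) for p in PRIME):
        return "prime"
    if any(re.search(p, cmd) for p in RELATED):
        return "related"
    return None

def model_host(cmds):
    """Group one host's processes as the pattern describes.

    Only the three prime (trigger) expressions create the Software Instance;
    related processes are attached to it but cannot create it on their own.
    """
    prime = [c for c in cmds if classify(c) == "prime"]
    related = [c for c in cmds if classify(c) == "related"]
    return {"software_instance": bool(prime), "prime": prime, "related": related}

# Constructed sample command paths (hypothetical, not taken from a real host).
SAMPLE = [
    r"C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe",      # prime: match is case-insensitive
    r"C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe",        # prime: directly under a VirusScan* folder
    r"C:\Program Files\McAfee\VirusScan Enterprise\x64\scan32.exe",    # no match: one folder too deep
    r"C:\Temp\scan32.exe",                                             # no match: folder name lacks VirusScan
    r"C:\Tools\notmcshield.exe",                                       # no match: \b requires a word boundary
    r"C:\Program Files\McAfee\Common Framework\FrameworkService.exe",  # related
]

if __name__ == "__main__":
    for cmd in SAMPLE:
        print(f"{classify(cmd) or '-':8} {cmd}")
    print("Software Instance created:", model_host(SAMPLE)["software_instance"])
```

The expressions match on the process name and path only, so the result indicates that a process with that name is present, not that the binary is genuine or that on-access protection is enabled.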

Subject Matter Expertise

Testing

We tested the processes related to McAfee VirusScan against record data concerning Windows platforms. This allowed us to verify that the pattern correctly triggers and versions the product with the Package method.

Information Sources

The McAfee VirusScan Enterprise official website provided valuable information as to where McAfee has directed its VirusScan product.

Open Issues

Created by: Edoardo 29 October 2007
Reviewed by: Rebecca 23 November 2007
Updated by: Chris 5 March 2014