
Product Guide

McAfee GetClean version 2.0


COPYRIGHT LICENSE INFORMATION Copyright © 2013-2017 McAfee, LLC. YOUR RIGHTS TO COPY AND RUN THIS TOOL ARE DEFINED BY THE MCAFEE SOFTWARE ROYALTY-FREE LICENSE FOUND ON MCAFEE.COM WEBSITE. IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH BY THAT AGREEMENT, THEN DO NOT INSTALL THE SOFTWARE OR STOP ALL USE AND UNINSTALL THE SOFTWARE.

TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.


Contents

Preface
  About this guide
    Audience
    Conventions
  Find product documentation

Introducing GetClean
  How GetClean works
    Benefits
    Features
    System requirements
    Understanding the GetClean user interface
  How to use GetClean
    Get ready to participate
    Download GetClean
    Scan directories and submit clean files
    Interpreting scan results
    Review scan results and upload clean files
    Track results
    Submitting zip files >4GB

Frequently asked questions


Preface

This guide provides the information you need to configure, use, and maintain your McAfee GetClean.

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

Customers and Partners — People who use our product.

Security Officers — People who determine sensitive and confidential data, and define the corporate policy that protects the company’s intellectual property.

Reviewers — People who evaluate the product.

Conventions

This guide uses the following typographical conventions and icons.

Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.

Bold: Text that is strongly emphasized.

User input, Path, or Code: Commands and other text that the user types; the path of a folder or program; a code sample.

Hypertext: A live link to a topic or to a website.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

Warning/Danger: Critical advice to prevent bodily harm when using a hardware product.

Find product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.


1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

2 Under Self Service, access the type of information you need:

To access user documentation:
  1 Click Product Documentation.
  2 Select a Product, then select a Version.
  3 Select a product document.

To access the KnowledgeBase:
  Click Search the KnowledgeBase for answers to your product questions.
  Click Browse the KnowledgeBase for articles listed by product and version.


Introducing GetClean

McAfee® GetClean is an initiative to collect and upload clean files from software vendors and customers. You can deploy the McAfee GetClean (GetClean henceforth) tool to submit information on your clean file repositories. Samples and metadata can then be uploaded to McAfee.

After processing these samples and metadata, the McAfee Global Threat Intelligence™ database is populated with information about the submitted files. The files then become a part of McAfee test systems where they are scanned before release of any new DAT update.

Contents

How GetClean works
How to use GetClean
Frequently asked questions

How GetClean works

GetClean incorporates participating customers’ and partners’ files into the McAfee test environment. Each day, in parallel with the anti-malware DAT update test process, we test each new DAT update against the participating customers’ files.

Before every DAT release, the files that are submitted via GetClean are scanned for false positive detections. McAfee Labs™ researchers investigate any identification. The McAfee Labs Research team is the final signoff authority for a high-quality, error-free DAT update.

For participating customers, GetClean significantly reduces the chances of a false positive from McAfee® GTI File Reputation technology on laptop and server master images and offers an extra degree of protection against DAT-based false positives.

Benefits

GetClean leverages McAfee Global Threat Intelligence (McAfee GTI) for file reputation lookup so that only files that are unknown to McAfee or falsely classified are reported.

This considerably reduces the cost and complexity of submitting clean files to McAfee as the tool simplifies the entire process, saving time and network bandwidth. Instead of submitting entire COE images, customers can run GetClean on their COE image files or known clean software repositories.

Features

GetClean provides these features:

Delivered as a single Windows executable file with no installation required

Ability to add, browse, or remove custom directories for a scan

Choice of reviewing results and deciding to submit actual files

Option to submit actual samples or metadata of the files to McAfee Labs for whitelisting

Option to retry file submission to McAfee Labs for whitelisting if the network connection is interrupted


Supports GTI File Reputation lookups via McAfee GTI proxy

System requirements

Make sure to check for these requirements to use GetClean.

Component: Requirements

Operating system: One of the following Microsoft operating systems:
  Microsoft Windows 7, 8, 10, 2008 Server, 2012 Server, 2016 Server, Windows RS2, Windows RS3, RS4, RS5

Web browser: One of the following:
  Microsoft Internet Explorer, version 6 or later
  Mozilla Firefox, version 1.0 or later

Hardware:
  System memory — 1 GB for scanning operations
  At least 4 GB of available disk space
  At least an additional 4 GB of hard disk space for temporary files
  Network card (with access to McAfee GTI)

Understanding the GetClean user interface

The GetClean user interface is user-friendly and simple.


Option: Definition

File: Enables you to save a report or close GetClean.

  Save report to file — Saves the scan report as a .txt file to a system location.

  Close — Closes the GetClean tool.

Help: Provides help for using GetClean.

  Command Line Help — Provides CLI commands that can be used to perform various tasks.

  McAfee Labs Tools — Navigates to the McAfee free tools downloads site.

  About GetClean — Specifies GetClean version details.

Scan Now: Scans the specified directories.

Stop: Stops the current scan process on directories.

Preferences: Specifies customer details and the mode of submitting the clean files.

  Submission Mode — Specifies whether you wish to submit the complete samples (recommended) or only logs to McAfee.

  Execution Mode — Specifies whether the .zip file is submitted online to McAfee with or without the Auto-retry option. By default, the Submit files to McAfee and Auto-retry failed submission checkboxes are selected.

    Auto-retry failed submission — If the submission fails due to a network interruption, GetClean automatically retries submitting the files to McAfee two times at an interval of 120 seconds.

  Customer Information — Specifies details like grant number, email address, company, and username.

  Save Location — Specifies the location of the clean file on the system. The file is saved in .zip format.

  Proxy Settings — Specifies server and port details for the proxy server.

Upload: If the Submit files to McAfee checkbox is deselected, Upload enables you to browse to the .zip location and upload the files to McAfee.

Directories to scan: Specifies the directories to be scanned. By default, a few paths are displayed, depending on the operating system.

  Add — Enables you to specify a directory to scan.

  Browse — Enables you to navigate to a directory in the system.

  Remove — Removes a specified directory from the scan.

Scanning window: Displays the scan in progress and the results. During the scan, you can view the file reputation as OK or Unknown. The OK status indicates that GTI whitelists these files.


The complete scan results display the false positives, unknown digitally signed files, and unknown files based on GTI File Reputation lookup. The scan results are saved as a zip file on the system and the submitted files become a part of the McAfee Labs test environment for the next DAT update.

How to use GetClean

You can scan directories, review scan reports, and submit clean files to McAfee.

Contents

Get ready to participate
Download GetClean
Scan directories and submit clean files
Interpret scan results
Review scan results and upload clean files
Track results

Get ready to participate

Make sure to follow these guidelines prior to using GetClean.

GetClean is free and open only to McAfee enterprise customers and partners.

GetClean should only be run on the master COE image(s) that your IT uses to reimage systems or on clean software repositories.

Note: If GetClean is executed on an end user system where users were allowed to download and install software themselves, the files are no longer of high trust, even if that system was originally built from a COE image.

GetClean can submit only Windows executable files, namely exe, dll, pif, scr, and sys. Data or document files are not harvested.

GetClean should be run on a regular or scheduled basis on customer systems to capture the latest file and software updates.

Note: The volume of files submitted reduces significantly in repeat runs as only new files are submitted.

Files submitted via GetClean are not distributed outside McAfee or shared with competitors and third party vendors.


Download GetClean

Provide a valid grant number and download GetClean from the McAfee Downloads site.

Task

1 Go to the McAfee Downloads site and provide a valid grant number.

2 Download the GetClean .zip file.

3 Extract the files, navigate to the folder, and view the files.

Tip: We recommend creating a folder specifically for GetClean.

Scan directories and submit clean files

Make sure to set the preferences for the scan and locations for the scan reports. The scan report is submitted to McAfee Labs.

1 Navigate to the GetClean folder and double-click the GetClean.exe file.

2 The McAfee GetClean window is displayed. The selected default directories are displayed.

C:\Program Files

C:\Program Files (x86)

C:\ProgramData

C:\Windows

Note: The ProgramData folder does not exist on Windows XP, and the C:\Program Files (x86) folder does not exist on any 32-bit operating system, so these folders will not be part of the default scan locations there. However, you can select the directories you wish to scan.

3 Click Add, Browse, or Remove to specify the directories that contain known clean files to be scanned.

4 Click Preferences and select the different types of execution and sample submission mode. By default, files are submitted to McAfee Labs in online mode. Click OK.

5 Click Scan Now to begin scanning the system for unknown files.

6 On the End User License Agreement window, accept the license agreement. Click OK.

7 The Scanning window displays the scan initiation, progress, and results for the scanned directories.

The scan report files are zipped and uploaded to McAfee Labs via HTTPS whenever GetClean runs a scan in online mode.

Note: The default password for the zip file is clean.


Interpreting scan results

The scan results display false positives and unknown files. When the scan is in progress, the whitelisted files are displayed as OK.

False positives

GetClean is expected to be run only on clean systems. When McAfee GTI flags a file as Assumed_Dirty, Trojan, Virus, or PUP, there is a high probability that the detection is false. McAfee Labs researchers manually analyze these files prior to adding them to the GTI whitelist. The scan results display these files as Artemis False file(s).

Unknown digitally signed files

In the scan results, there can be unknown files that do not have a valid signature. For signed files, the XML file has a valid publisher and certificate. These unknown classified files undergo a thorough analysis prior to being whitelisted. The scan results display these files as Unknown Digitally Signed file(s).

Discarding files before an upload

You can review the scan results and decide on the files to upload to McAfee. Navigate to the scanned result zip file on your system, use WinRAR or 7-Zip to open the zip file, and remove files from the archive. Upload the updated archive to McAfee.


Scan logs

If a scan stops or gets interrupted before completion, you can view the logs, which are stored in the same location from which GetClean is launched. The scan details are displayed.

Review scan results and upload clean files

You can scan the directories, review the scan results, and then decide to upload clean files. If you are offline, you can choose to upload the files manually at a later time.

1 Navigate to the GetClean folder and double-click the GetClean.exe file.

2 The McAfee GetClean window is displayed. The selected default directories are displayed.

3 Click Add, Browse, or Remove to specify the directories that contain known clean files to be scanned.

4 Click Preferences and select the different types of execution and submission mode for samples or logs. Deselect the Submit files to McAfee checkbox. Click OK.

5 Click Scan Now to begin scanning the system for unknown files.

6 On the End User License Agreement window, accept the license agreement. Click OK.

7 The Scanning window displays the scan initiation, progress, and results for the scanned directories.

8 Navigate to the location of the scan report and review the files to be submitted.

9 Click Upload and browse to the zip file. Click Open and then click OK.


Track results

Once we receive the clean files, they are validated and become a part of the McAfee Labs test systems. We communicate and follow up with these updates.

Give us a few days for the files to be imported into the McAfee Labs test systems.

McAfee validates the submitted files and sends an email acknowledgement.

We then send a confirmation email that the submitted files have been added to McAfee Labs test systems.

Note: Typically, the acknowledgement emails are sent on the same day as the submission unless it is a large submission containing many files to process.

Note: If your request is urgent, you may wish to contact your local McAfee Support contact.

Files submitted via GetClean are not distributed outside McAfee or shared with competitors and third party vendors.

Submitting zip files >4GB

GetClean can upload zip files up to 4GB in size. If the zip file created is larger than 4GB, you can upload it manually via an FTP client to ftp://ftp.getclean.mcafee.com/getclean

Once uploaded, the Whitelisting automation will pick it up and process it as a regular GetClean submission.


Frequently asked questions

This section provides you with answers to a few frequently asked questions about GetClean.

Where and how is the data from files being used (primary and secondary)?

1 The harvested files are processed by a whitelisting team and their hashes are classified as clean in the McAfee Global Threat Intelligence™ database.

2 This information is used by all McAfee Global Threat Intelligence™ enabled products to trust the whitelisted files as clean.

3 The actual files are transferred to McAfee Labs test systems and are scanned by the latest DAT files daily before any DAT release.

What kind of metadata is collected about the harvested files?

The following metadata on executable files is logged in the XML file and uploaded to McAfee Labs.

MD5 SHA1 Location File Name Attribute Company Description Product Version File Version File Size

Publisher Vendor Start Date Expiry Date

Additionally for digitally signed files, we collect information about publisher and certificate.
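Before a run, it can help to see which files under the scan directories fall within the stated scope (exe, dll, pif, scr, sys) and what hash and size metadata they would carry. The following is an added example, not McAfee code or part of the original guide: it selects files by extension (an assumption), computes the MD5, SHA1, File Size, File Name and Location fields named above, and compares the uncompressed total with the 4GB upload limit. The function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File types the guide says GetClean can submit. Selecting by extension is an
# assumption of this sketch; the guide does not say how the tool detects them.
HARVESTED_EXTENSIONS = {".exe", ".dll", ".pif", ".scr", ".sys"}
UPLOAD_LIMIT_BYTES = 4 * 1024 ** 3  # the guide's 4GB limit for uploaded zips

def file_record(path):
    """Hash one file in chunks; return a subset of the guide's metadata fields."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1024 * 1024), b""):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return {
        "Location": os.path.dirname(path),
        "File Name": os.path.basename(path),
        "MD5": md5.hexdigest(),
        "SHA1": sha1.hexdigest(),
        "File Size": size,
    }

def preview_submission(directories):
    """List every in-scope file under the directories, plus unreadable paths."""
    records, skipped = [], []
    for root in directories:
        for dirpath, _subdirs, filenames in os.walk(root):
            for name in sorted(filenames):
                if os.path.splitext(name)[1].lower() not in HARVESTED_EXTENSIONS:
                    continue  # data and document files are not harvested
                path = os.path.join(dirpath, name)
                try:
                    records.append(file_record(path))
                except OSError:
                    skipped.append(path)  # locked or permission-denied file
    return records, skipped

def summarize(records):
    """Count files and distinct contents; compare raw size with the upload limit."""
    unique = {record["SHA1"]: record["File Size"] for record in records}
    unique_bytes = sum(unique.values())
    return {
        "files": len(records),
        "unique_contents": len(unique),
        "unique_bytes": unique_bytes,
        # Uncompressed upper bound, not the size of the zip GetClean creates.
        "may_exceed_upload_limit": unique_bytes > UPLOAD_LIMIT_BYTES,
    }

def build_sample_tree(base):
    """Create a small constructed directory tree to run the preview against."""
    layout = {
        "app/tool.exe": b"abc",
        "app/lib/helper.DLL": b"abc",  # same bytes, upper-case extension
        "app/readme.txt": b"notes",    # out of scope: not an executable type
        "drivers/filter.sys": b"xyz",
    }
    for relative, content in layout.items():
        target = Path(base, relative)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        found, unreadable = preview_submission([build_sample_tree(tmp)])
        print(summarize(found), "unreadable:", len(unreadable))
```

GetClean reports only files that are unknown to McAfee GTI or falsely classified, so this list is an upper bound on what a scan would submit.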

What kind of details are collected about the user or system?

GetClean collects information like system name, operating system, customer email address, and user comments. The following is an example of GetClean.xml displaying the type of user file being harvested.

McAfee GetClean Scan Results

GetClean Build 1.0.0.141

OS Version Microsoft Windows 7 Ultimate Edition (build 7600), 32-bit

Computer Name BANVTHOMASLT01

Scan Initiated Mon Mar 28 17:43:09 2011

Scan Finished Mon Mar 28 18:23:26 2011

Customer Email [email protected]

Comment DELL 820 Laptop Image

If you submit files for inclusion to the False Positive Test Rig, make sure that you are legally entitled to distribute the software outside of your organization. McAfee can’t be held responsible for unauthorized software distribution. Refer to KB article KB68030 for more details.


If you choose to submit hashes, McAfee Labs processes only those hashes for which we have a sample in our collection. Other hashes are ignored. We need a copy of the actual file in order to run a scan using the DATs.

You receive an email acknowledgement upon successful submission of files via GetClean. Depending on the volume of files submitted, please allow 24-48 hours to get an acknowledgement.

Upon processing of the files and adding them to the McAfee GTI whitelist and McAfee Labs test systems, a confirmation mail is sent to you.

Does GetClean support command line parameters?

Yes, GetClean supports command line parameters.

Example:

GetClean.exe –silent –[email protected] –zippath=”C:\Test”

Additional information

After the files submitted from a customer environment are whitelisted, Artemis/Network Heuristic settings on McAfee VirusScan products can be tuned up to Medium-Very High settings with minimal chance of a false positive, since all known files on the customer end should have already been whitelisted in the cloud.


While GetClean helps McAfee build its whitelist of known clean files and reduce false positives in the field, memory-based or environment-based scenarios will always limit our ability to avoid false positives in the field.

For best results, we recommend before running GetClean that customers install software that comes packaged as an installer so that it fully extracts all files onto a target system. While our backend automation systems attempt to unpack installers, in some cases we might be unable to harvest all files from a package due to use of custom installation scripts or those that download further components upon install.