
1 SQL server administrator rights are required to make group updates. Make these changes under SQL server security:

a Add the custom user account (for example: MSMSDBAccnt) to be used as the McAfee Security for Microsoft SharePoint database access account. Grant the public permissions to the user.

b Under user mapping, select:

• All SharePoint content databases corresponding to web applications.

• Content database corresponding to your administrator web application.

• SharePoint configuration database.

2 Grant these permissions.

• Assign the following securables with Execute rights for the SharePoint configuration database (the exact list might be slightly different).

Securables

proc_getObjectsByBaseClass
proc_getSiteMap
proc_getSiteSubset
proc_getObjectsByClass
proc_getSiteMapById
proc_getSiteNames
proc_getSiteCount

• For each web content database and administrator content database, assign the following securables with Execute rights. (The exact list may be slightly different based on the environment and applications deployed in the SharePoint farm. Monitor the event viewer regularly to fine-tune this list.)

Securables

proc_AddDocument
proc_GetLinkInfoSingleDoc
proc_AL
proc_ListAllWebsOfSite
proc_AddListItem
proc_ListUrls
proc_DeleteUrl
proc_SecUpdateUserActiveStatus
proc_DirtyDependents
proc_SecGetSiteGroupByTitle
proc_FetchDocForHttpGet
proc_SecGetUserPermissionOnGroup
proc_FetchDocForUpdate
proc_UpdateVirusInfo
proc_GetSiteFlags
proc_GetListMetaDataAndEventReceivers
proc_GetTpWebMetaDataAndListMetaData
proc_GetListFields
proc_GetUrlDocId
proc_UpdateDirtyDocument
proc_GetDocsMetaInfo
proc_UpdateListItem
proc_GetParentWebUrl
proc_SecGetIndividualUrlSecurityCheckEventReceivers
proc_GenerateNextId
UserData (under Views section)
proc_GetWebMetainfo

• For each web content database and administrator content database, assign Execute rights on the fn_GetFullUrl object. (For each database, go to Programmability | Functions | Scalar-valued Functions.)

3 No requirement for local administrator group membership.
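
The grants in step 2 can be scripted and then audited for least privilege. The following is an added example, not part of the McAfee guide, narrowed to the configuration database; the server instance, database name, domain, the dbo schema and a database user named after the login are assumptions, and the same pattern applies to the content-database list and fn_GetFullUrl.

```powershell
# Added example: grant EXECUTE on the configuration-database securables listed
# in step 2, then report any explicit permission held beyond that list.
# Requires the SqlServer module (Invoke-Sqlcmd) and SQL administrator rights.
Import-Module SqlServer

$server   = 'SQL01'                 # assumption: placeholder instance name
$configDb = 'SharePoint_Config'     # assumption: your farm's configuration database
$account  = 'CONTOSO\MSMSDBAccnt'   # assumption: placeholder domain, guide's example account

$securables = @(
    'proc_getObjectsByBaseClass', 'proc_getSiteMap', 'proc_getSiteSubset',
    'proc_getObjectsByClass', 'proc_getSiteMapById', 'proc_getSiteNames',
    'proc_getSiteCount'
)

foreach ($name in $securables) {
    # Grant only when the object exists; the guide notes the list varies by environment.
    $grant = @"
IF OBJECT_ID(N'dbo.$name') IS NOT NULL
    GRANT EXECUTE ON OBJECT::dbo.[$name] TO [$account];
ELSE
    PRINT 'Skipped (not present): $name';
"@
    Invoke-Sqlcmd -ServerInstance $server -Database $configDb -Query $grant -Verbose
}

# Audit: every explicit permission recorded for the account in this database.
$audit = @"
SELECT o.name AS ObjectName, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS u ON u.principal_id = p.grantee_principal_id
LEFT JOIN sys.objects         AS o ON o.object_id = p.major_id AND p.class = 1
WHERE u.name = N'$account';
"@
$rows = Invoke-Sqlcmd -ServerInstance $server -Database $configDb -Query $audit

# Anything other than CONNECT or EXECUTE on a listed securable is outside the documented set.
$rows | Where-Object {
    $_.permission_name -ne 'CONNECT' -and
    ($_.permission_name -ne 'EXECUTE' -or $_.ObjectName -notin $securables)
} | Format-Table -AutoSize
```

The audit covers explicit grants only; database role memberships for the account need a separate check.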

SharePoint server

1 No requirement for local administrator group membership by the domain user account (For example: MSMSDBAccnt) used by McAfee Security for Microsoft SharePoint.

2 No requirement for interactive login.

3 No requirement for Site Collection administrator.

4 Create a new Permission Policy Level (for example: MSMSPermissions) and grant the following permissions. These permissions are the minimal set for McAfee Security for Microsoft SharePoint to work with the SharePoint Object model and iterate over the SharePoint store to scan and clean. (SharePoint Farm administrator rights are required to make this change.)

a Under Site collection Permissions, grant the Site Collection Auditor permission. Site collection auditors have Full Read access for the entire site collection, including reading permissions and configuration data. McAfee Security for Microsoft SharePoint requires this because it monitors the SharePoint antivirus settings to determine whether real-time scan is enabled or disabled.

b In List permissions section, grant these permissions:

• Manage List — Required for replacing/deleting infected content added as an attachment under items in Discussions.

• Override Check Out — Required to forcefully check in a document detected as infected and perform the action as per policy.

• Add Items — Required for replacing the infected file with a file containing replacement alert message.

• Edit Items — Required for updating the checked out documents while forcefully checking in with a check in comment.

• Delete Items — Required for removing an infected list item (document).

• View Items — Required for the target picker while defining a scan target.

c Under Site Permissions, grant the View Pages (View pages in a website) permission. Without this, McAfee Security for Microsoft SharePoint is unable to iterate over the site in on-demand scan tasks.

d Save the newly created permission policy level.

5 For each Web application created in the SharePoint Farm:

a Update the Web application policy for the respective web application to add the product database access account (For example: MSMSDBAccnt) with Permission Policy Level created earlier (For example: MSMSPermissions).

b Update the Web application policy to cover any web applications that are added in future.

This will not cover the Central Admin application, which will not be scanned unless Option 1 above is chosen. Alternatively, you can add the product database access account (for example: MSMSDBAccnt) as a secondary site collection administrator account on the Central Admin web application alone.

6 Update the IIS and SharePoint user groups (IIS_WPG (for IIS 6) and IIS_IUSRS (IIS7) or WSS_WPG) on each SharePoint Server by adding the McAfee Security for Microsoft SharePoint database access account (for example: MSMSDBAccnt). Local administrator rights or GPOs are required to make these group updates. These manual steps might be scriptable.

7 Add Modify permission on the McAfee Security for Microsoft SharePoint bin folder (<Product Install Location>\Bin) so that the product database access account (for example: MSMSDBAccnt) has read/delete access to it. Local admin permission or GPOs are required to make the changes, and these manual steps might be scriptable. This folder is specific to McAfee Security for Microsoft SharePoint. For example, for a default installation, the bin folder path is C:\Program Files\McAfee\McAfee PortalShield\Bin

• This permission is required if on-demand scans are scheduled via ePolicy Orchestrator. During runtime, ePolicy Orchestrator passes the configuration details needed for the on-demand scan to the McAfee agent plugin, which places the configuration details in a file with a .tmp extension in the product bin folder. The on-demand process (RunScheduled.exe) reads the configuration from this file and then deletes it.

• A regular domain account (for example: MSMSDBAccnt) does not have read/delete access to the bin folder. Hence Modify access needs to be added for the product database access account (for example: MSMSDBAccnt) on the bin folder. This can be done after installation or via GPOs (Group Policy Objects).
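
Steps 4 to 7 of the SharePoint server procedure can be scripted as follows. This is an added example, not McAfee's own script; it assumes Windows PowerShell 5.1, an elevated farm-administrator session, a classic-mode account name, the placeholder domain CONTOSO, and a mapping from the guide's permission names to SPBasePermissions flag names that is not stated in the guide.

```powershell
# Added example (not McAfee's script): steps 4 to 7 above, written to be re-runnable.
# Assumptions: Windows PowerShell 5.1, elevated farm-administrator session, classic-mode
# account name, placeholder domain CONTOSO. Steps 4-5 are farm-wide; 6-7 apply per server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$account  = 'CONTOSO\MSMSDBAccnt'
$roleName = 'MSMSPermissions'
$binPath  = 'C:\Program Files\McAfee\McAfee PortalShield\Bin'   # default path from the guide

# Step 4b-c: the guide's permissions as SPBasePermissions flags (this name mapping is assumed).
$rights = [Microsoft.SharePoint.SPBasePermissions]('ManageLists, CancelCheckout, AddListItems, ' +
    'EditListItems, DeleteListItems, ViewListItems, ViewPages')

# Step 5a: Get-SPWebApplication leaves out Central Administration unless asked to include it.
foreach ($wa in Get-SPWebApplication) {
    $role = $wa.PolicyRoles | Where-Object { $_.Name -eq $roleName }
    if (-not $role) { $role = $wa.PolicyRoles.Add($roleName, 'Minimal scan and clean rights') }
    $role.GrantRightsMask = $rights
    $role.IsSiteAuditor   = $true                     # step 4a: Site Collection Auditor
    $policy = $wa.Policies | Where-Object { $_.UserName -eq $account }
    if (-not $policy) { $policy = $wa.Policies.Add($account, 'MSMS database access account') }
    if (-not ($policy.PolicyRoleBindings | Where-Object { $_.Name -eq $roleName })) {
        $policy.PolicyRoleBindings.Add($role)
    }
    $wa.Update()
}

# Step 6: add the account to whichever of the named local groups exist on this server.
foreach ($group in 'IIS_WPG', 'IIS_IUSRS', 'WSS_WPG') {
    if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) { continue }
    $member = Get-LocalGroupMember -Group $group | Where-Object { $_.Name -eq $account }
    if (-not $member) { Add-LocalGroupMember -Group $group -Member $account }
}

# Step 7: Modify on the product bin folder, inherited by the .tmp files created in it.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $binPath
$acl.AddAccessRule($rule)
Set-Acl -Path $binPath -AclObject $acl

# Check: show every Allow entry that can write here, so the new grant is the only addition.
$writeData = [System.Security.AccessControl.FileSystemRights]::WriteData
(Get-Acl -Path $binPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $writeData) } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

On a claims-mode web application the policy user name is stored in claims-encoded form, so the `UserName` comparison and the `Policies.Add` argument need the encoded value instead.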

B SiteList Editor

SiteList specifies the location from which you can download automatic updates (including DAT files and scanning engines).

Access SiteList Editor

• From the Start menu, click Programs | McAfee | McAfee Security for Microsoft SharePoint | McAfee Auto Update SiteList Editor.

You can use these tabs:

Repositories — To configure repository settings from where the software can download automatic updates.

By default, McAfee Security for Microsoft SharePoint uses a sitelist that points to a McAfee site for automatic updates, but you can also create alternative sitelists that point to a different location. For example, you might have copied the automatic updates to a local repository and created a sitelist that points your software systems to that local repository.

Proxy settings — To configure the proxy server settings, so that the software can connect to the Internet using this server, to download automatic updates.

Settings applied in the SiteList Editor are saved in the SiteList.xml file under the C:\ProgramData\McAfee\Common FrameWork\ directory.
