Quicklinks

• Download Anti-Virus Software
• Learn about the U-M Migration to Microsoft
• Get Support
• Get McAfee Support

The decision not to renew the McAfee license was made by Information and Technology Services (ITS) with the endorsement of the Information and Infrastructure Assurance (IIA) Council.

The decision not to renew the McAfee anti-virus license was primarily a cost/benefit decision. The university already licenses Microsoft’s Forefront Endpoint Protection product through its enterprise licensing agreement. Additionally, Microsoft Security Essentials is available free of charge for personally-owned Windows systems.

While licensing costs alone cannot be disclosed publically, leveraging the highly competitive Microsoft solutions in lieu of renewing the McAfee license saves the university a substantial amount of money without increasing risk.

The McAfee license officially expires in June 2012. However, the community is encouraged to migrate from McAfee much sooner. (See the next two questions.)

Computers that use the U-M licensed McAfee anti-virus software after the expiration date will be operating at an unacceptable level of risk for the following reasons:

• The anti-virus software will be out of date and it will not be possible to get a new version of the McAfee software.
• The signature updates that the anti-virus software relies on to detect malicious software will no longer be available. This will effectively render the anti-virus software useless.

To avoid problems and unacceptable security risks associated with waiting until the last minute, end users are encouraged to migrate as soon as possible. Many campus units plan to complete their migration from McAfee to Forefront for university–owned machines by the end of calendar year 2011.

No. Only the version of McAfee VirusScan that is licensed by U-M needs to be uninstalled. If you rely on an alternative anti-virus solution, you can continue to do so.

1. Right-click on the VirusScan icon in the System Tray (aka "the notification area") and select [VirusScan Console]
2. In the VirusScan Console, Select the [Tools] menu and then [Edit Autoupdate Repository list]
3. If you find listed "UM VirusScan Update Repository", then you have a U-M licensed version of McAfee VirusScan and need to replace it.

As of June 1, 2011, end-users will no longer be able to download the U-M preconfigured VirusScan software from the VirusBusters or BlueDisc sites. These users will be redirected to Microsoft Security Essentials for personally-owned computers or to their local IT department or Microsoft Forefront for university-owned computers.

Unit IT departments will be able to obtain the VirusScan software as needed until they can perform their migration.

Microsoft Security Essentials can be downloaded for free for use on personally-owned computers from:
http://www.microsoft.com/security_essentials/

Microsoft Security Essentials works on Windows XP - Service Pack 2, Vista and Windows 2007.

Yes for Microsoft Security Essentials and no for Microsoft Forefront (see Q19).

For Microsoft Security Essentials, McAfee (or any other anti-virus product) needs to be manually uninstalled prior to installing Microsoft Security Essentials.

No product key or activation process is needed to install Microsoft Security Essentials or the Forefront Endpoint Protection client.

• Support for end users running Microsoft Security Essentials on personally-owned computers is provided by Microsoft via the Microsoft Security Essentials support portal:
  http://www.microsoft.com/en-us/security_essentials/Support.aspx
• For further assistance, end users may bring their machines to the Computer Showcase (http://www.itcs.umich.edu/repair/howitworks.php) for a free consultation for eligible customers, or fee-based remediation services.
• For Microsoft Forefront users, see Q23.

The decision not to renew the McAfee license does not affect anti-virus for Macintosh systems. Macintosh users should continue to use the Sophos anti-virus client. The university is planning to renew its Sophos license for another year in December of 2011, extending its use until December 2012.

According to http://www.microsoft.com/forefront/endpoint-protection/en/us/faq.aspx

• Microsoft Security Essentials is a no-cost, anti-malware service that efficiently addresses the ongoing security needs of a genuine Windows-based PC requiring protection from malicious software, including spyware, viruses, trojans and rootkits.
• Forefront Endpoint Protection 2010 provides endpoint protection for business environments, including antimalware and additional protections like behavior monitoring and firewall management. Forefront Endpoint Protection 2010 also includes central deployment, configuration, and reporting features needed for ensuring protection is maintained across the enterprise.

No. Although it is technically possible, this would violate the Microsoft Security Essentials license agreement. In particular, this software may not be used on devices owned by government or academic institutions.

IT departments can order ($10.00) the complete Microsoft Forefront Endpoint Protection media via U-M Software Licensing and Distribution: https://www.itcs.umich.edu/sw-info/microsoft/products/. This allows you to integrate Forefront with System Center Configuration Manager (SCCM) to provide an integrated (single infrastructure) for both desktop management and security management.

If you just want to manually install the Forefront anti-virus client on an endpoint, you can access the client installation component (FEPInstall.exe) at: http://www.itd.umich.edu/bluedisc/. Use this approach if you did not plan on managing Forefront with SCCM.

No for Microsoft Forefront, and yes for Microsoft Security Essentials (see Q12).

Microsoft Forefront should automatically uninstall McAfee VirusScan and install Forefront as part of a "one step" installation process.

Additional detail: Microsoft cites a 2% overall failure rate for their competitive uninstall process, this failure rate however is based on multiple anti-virus products running on multiple hardware platforms and multiple operating systems. Feedback from early adopters at U-M suggests that the uninstall process has been more reliable (i.e. > 98% successful).

No. Although basic management capabilities are available through Active Directory Group Policy and advanced management and reporting capabilities are available via System Center Configuration Manager (SCCM) you do not need either of these environments to install Forefront. To manually install the Forefront client on a "standalone" machine, run FEPInstall.exe from the Forefront media or from the download site (see Q10).

No. Although advanced management and reporting capabilities are available via System Center Configuration Manager (SCCM), SCCM is not needed to install Forefront. To manually install the Forefront client on a "standalone" machine, run FEPInstall.exe from the Forefront media or from the download site (see Q10).

Yes. HOWEVER, do not install the Microsoft Forefront client on a server as if it were just another end-user workstation:

• Custom versions of Forefront are available for various server roles such as Microsoft Exchange, Microsoft Communications Server, and Microsoft SharePoint. You can order these application-specific versions of Forefront from U-M Software Licensing and Distribution: https://www.itcs.umich.edu/sw-info/microsoft/products/.

• Similarly, customized configuration setting templates are available from Microsoft for deploying Forefront onto other server roles such as Active Directory Servers and SQL Servers. Visit the following link or search for "Forefront Endpoint Protection Tools": http://www.microsoft.com/downloads/en/details.aspx?FamilyID=04f7d456-24a2-4061-a2ed-82fe93a03fd5

For End Users: The ITS Service Center (734-764-4357 [4-HELP]) will provide very basic support for end users.

• Users of Microsoft Security Essentials: see Q14.
• Users of Microsoft Forefront:
• Contact local IT department
• No local IT department? Contact the Microsoft Consumer Security Support Center:
  https://consumersecuritysupport.microsoft.com/
• Visit the Computer Showcase (http://www.itcs.umich.edu/repair/virus.php) for a free consultation. (Charges may apply for other services such as disinfection.)

For IT Pros: Support for IT Professionals is provided through the normal university support channels for Microsoft products. In particular:

• Peer support via the Windows 2000 email list (win2000@umich.edu)
• Premier support from Microsoft for those units that pay for a premier support contract
• Per incident (credit card) support from Microsoft

Depending on how McAfee’s ePolicy Orchestrator was used, you may want to use either Active Directory Group Policies or System Center Configuration Manager (SCCM) to replace it. If ePO was used primarily to enforce configuration settings for VirusScan, you can accomplish this with Active Directory Group Policy.  If you used ePO to actively monitor and produce detailed reports on the status of your VirusScan deployment, you would want SCCM for equivalent functionality.

ITS is in the process of evaluating the feasibility of providing a campus wide SCCM service. If the decision is made to do so, the earliest such a service would be available for campus to leverage would be the end of calendar year 2011. You can use Group Policy to manage settings in the meantime.

No. ITS recommends that units invest their time migrating to Forefront rather than upgrading to VirusScan 8.8.

No. A unit may decide to negotiate their own license agreement with McAfee or another vendor. However, all units will continue to pay for Microsoft Forefront as part of the university’s enterprise license agreement.