Anti-Virus: How can McAfee Total Protection Suite clients update their DAT files with no Internet access?
03/26/2020
Anti-Virus: How can McAfee Total Protection Suite clients update their DAT files when Internet access is restricted (aka Rumor Technology)?
A notice has been issued for SonicWall Enforced Clients (McAfee and Kaspersky). Please see Notice: End of Support for SonicWall Enforced Client for more information.
This is done via Rumor technology.
Rumor technology allows any computer on the network to broadcast a request for information that identifies the latest DAT and program file versions, and if required, to broadcast a request for the updated files themselves. Any computer that has already downloaded the information and files can provide them to any other computer.
Earlier versions of Rumor required all computers on the network to have direct access to the Internet. This requirement was incompatible with customers who restrict their employees' access to the Internet.
Enhanced rumoring (Rumor II) resolves this incompatibility by requiring only one computer in each network subnet to have direct access to the Internet. This computer serves both as an ASaP client, and as a proxy connection to the remote ASaP Network Operations Center (NOC) for computers in the subnet without an Internet connection. Only computers in the subnet that are running the ASaP software can benefit from the rumor technology.
When a computer in the subnet starts up (and periodically during its normal operations), its resident ASaP agent attempts to connect to the NOC to request a catalog file that lists the currently available updates. If the computer does not have access to the Internet, the attempt fails.
The agent then broadcasts a search for a system in its subnet that is capable of connecting to the NOC. The computer that has access to the Internet establishes a connection between the NOC and the computer that is requesting the catalog.
When the connection is established, the agent first uploads to the NOC information that it has collected about the client, such as properties (for example, client system data, unique identifying information, current configuration, installed software) and events (for example, virus detections, agent attempts to connect to NOC). After uploading the client information, the agent then downloads the catalog file from the NOC.
When the download is completed, the ASaP agent compares the version information of the files in the catalog with the version information of the files that are currently installed.
If the information in the catalog is identical to the currently installed version information, no further action is required and the rumor process terminates.
If the information in the catalog differs from the currently installed version information, the agent broadcasts a request to all computers in the subnet for the updated files that it requires in order to be current.
If another computer already has the updated files, a peer-to-peer transfer of the files takes place.
If no other computer has the updated files, the computer that has access to the Internet establishes a download connection between the NOC and the computer that is requesting the files.
When the download is completed, no further action is required and the rumor process terminates.
Ports used by rumor:
Rumor Technology uses ports 6515 and 1967. Broadcasts go out on 6515 and replies are received on 1967. A session is then negotiated and the transfer is made on an open port. The session is dropped after the file or files are transferred.
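As an added example (not part of the original article or of McAfee's software): a Python check that audits flow records for rumor traffic on the two ports above, lists which hosts request and which hosts answer, and flags any rumor-port flow that crosses the subnet boundary, since rumoring is described as subnet-local. The flow-record format, the addresses and the function name are constructed for illustration; the article does not state the transport protocol, so only ports and addresses are checked.

```python
import ipaddress

# Ports stated in the article: broadcasts go out on 6515, replies arrive on 1967.
RUMOR_BROADCAST_PORT = 6515
RUMOR_REPLY_PORT = 1967
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed sample flow records: "src dst dst_port" (hypothetical export format).
SAMPLE_FLOWS = """\
10.1.5.21 10.1.5.255 6515
10.1.5.40 10.1.5.21 1967
10.1.5.22 255.255.255.255 6515
10.1.5.40 10.1.5.22 1967
10.1.5.23 10.9.0.7 6515
203.0.113.9 10.1.5.21 1967
10.1.5.21 10.1.5.40 443
"""

def audit_rumor_flows(text, subnet):
    """Classify rumor-port flows and flag any that cross the subnet boundary."""
    net = ipaddress.ip_network(subnet)
    report = {"requesters": set(), "responders": set(), "violations": []}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip blank or malformed records
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # skip records with unparseable addresses
        port = int(parts[2])
        if port not in (RUMOR_BROADCAST_PORT, RUMOR_REPLY_PORT):
            continue  # not rumor discovery traffic
        dst_local = dst in net or dst == LIMITED_BROADCAST
        if src not in net or not dst_local:
            report["violations"].append((str(src), str(dst), port))
        elif port == RUMOR_BROADCAST_PORT:
            report["requesters"].add(str(src))  # host asking for catalog/files
        else:
            report["responders"].add(str(src))  # host answering a broadcast
    return report

if __name__ == "__main__":
    result = audit_rumor_flows(SAMPLE_FLOWS, "10.1.5.0/24")
    print("requesters:", sorted(result["requesters"]))
    print("responders:", sorted(result["responders"]))
    for v in result["violations"]:
        print("off-subnet rumor traffic:", v)
```

The responders set is an inventory of the hosts other clients are accepting catalog and update traffic from, which is the list to compare against the machines expected to run the ASaP software.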
The system impact to the user has been observed to be minimal. One brief test using an Intel-based 600 MHz PIII supplying an update to another 600 MHz PIII showed less than a 2% impact on CPU utilization to supply the update.