Options page

You can configure the settings that apply to the Threat Prevention feature, including quarantine, potentially unwanted programs, and exclusions.

Option definitions
Section | Option | Definition
Quarantine Manager | Quarantine folder (Windows & Linux only) | Specifies the location for the quarantine folder or accepts the default location:

Windows — <SYSTEM_DRIVE>\Quarantine

Linux — /quarantine

  • System Drive
  • System Root
  • System Folder
  • Temp Folder
  • Program Files Folder
  • Program Files Common Folder
  • Software Installed Folder

The quarantine folder is limited to 190 characters.

 | Specify the maximum number of days to keep quarantine data (Windows only) | Specifies the number of days (1–999) to keep quarantined items before automatically deleting them. The default is 30 days.
Exclusion by Detection Name (Windows only) | Detection Name | Specifies exclusions by detection name for the on-access scanner, on-demand scanner, and AMSI scanner.

The detection name appears in the Threat Name column in the McAfee ePO Threat Event Log and in Endpoint Security Client:

  • In the Threat name field in the Event Log details pane for a detection event.
  • In the Detection name column of the On-Access Scan page when Endpoint Security detects a threat.

For example, to specify that the scanners not detect Installation Check threats, enter Installation Check.

Detection name exclusions don't support wildcards.

  • Add — Adds a detection name to the exclusion list.

    Click Add, enter the name and optional description in the dialog, then click Save.

    To automatically add AMSI buffer-hash exclusions and command-line suppressions, select options on the Actions menu on the Threat Event Log Details page.

  • Edit — Changes the selected item.
  • Delete — Removes the selected name from the list.
  • Delete All — Removes all names from the list.
 | Overwrite exclusions configured on the client (Windows & Linux only) | Excludes only items specified in this scan policy.

Deselect this option to enable the client system to use both the exclusions specified in the policy in McAfee ePO and the exclusions specified locally on the client.

Potentially Unwanted Program Detections (Windows only) | Exclude custom unwanted programs | Specifies individual files or programs to treat as potentially unwanted programs.
Note: The scanners detect the programs you specify and programs specified in the AMCore content files.

The scanner doesn't detect a zero-byte sized user-defined unwanted program.

  • Add — Defines a custom unwanted program.

    Click Add, enter the name and optional description in the dialog, then click Save.

    The Description specifies the information to display as the detection name when a detection occurs.

  • Edit — Changes the selected item.
  • Delete — Removes the selected name from the list.
  • Delete All — Removes all names from the list.
Advanced options
Section | Option | Definition
Proactive Data Analysis (Windows & Linux only) | | Sends anonymous diagnostic and usage data to McAfee.
 | McAfee GTI feedback | Enables McAfee GTI-based telemetry feedback to collect anonymized data on files and processes executing on the client system.
 | Safety Pulse (Windows only) | Performs a health check on the client system before and after AMCore content file updates, and at regular intervals, and sends results to McAfee.

The results are encrypted and sent to McAfee using SSL. McAfee then aggregates and analyzes the data from these reports to identify anomalies that might indicate potential content-related issues. Prompt identification of such issues is critical to providing timely containment and remediation.

Note: This setting has no effect if McAfee GTI feedback is disabled.

Safety Pulse collects the following types of data:

  • Operating system version and locale
  • McAfee product version
  • AMCore content and engine version
  • McAfee and Microsoft running process information
 | AMCore Content Reputation (Windows only) | Performs a McAfee GTI lookup to request the reputation of an AMCore content file before updating the client system.

If the AMCore content file is classified as "block", Endpoint Security doesn't update AMCore content on the client system.