Components and how they interact

As an administrator and user of VirusScan Enterprise, you should be familiar with its components and connections. The following figure shows these components for a basic environment.

Figure 1. VirusScan Enterprise components McAfee VirusScan components Components and how they interact

Client system

This is where VirusScan Enterprise and optional McAfee Agent are installed and configured.
  • DAT files — Detection definition files, also called malware signatures, work with the scanning engine to identify and take action on threats.
  • Scan engine — Used to scan the files, folders, and disks on the client computer and compares them to the information in the DAT files for known viruses.
    Note: DAT files and scan engine are updated as needed using the Internet connection to McAfee Headquarters, or using the optional connections over the Enterprise Intranet to a designated server.
  • Artemis (Heuristic network check for suspicious files) — Looks for suspicious programs and DLLs running on client systems that are protected by VirusScan Enterprise. When the real-time malware defense detects a suspicious program, it sends a DNS request containing a fingerprint of the suspicious file to a central database server hosted by McAfee Labs.
  • McAfee Agent (optional) — Provides secure communication between McAfee managed products and McAfee ePolicy Orchestrator server. The agent also provides local services like updating, logging, reporting events and properties, task scheduling, communication, and policy storage.

McAfee Headquarters

McAfee Headquarters, home to McAfee Labs and McAfee Technical Support, provides the following VirusScan Enterprise services:

  • DAT updates — Stored on a McAfee central database server, and using AutoUpdate, these DAT update files are copied to the VirusScan Enterprise clients or optional DAT repositories to provide information to fight known threats and new lists of known viruses as they are found in real time.
  • Scan engine updates — Stored on a central database server, scan engine updates are downloaded as needed to keep the VirusScan Enterprise scan engine up-to-date.
  • McAfee Labs — This threat library has detailed information on virus, Trojan, hoax, and potentially unwanted program (PUP) threats — where they come from, how they infect your system, and how to handle them. The Artemis feature sends the fingerprint of the suspicious file to McAfee Labs, where they analyze the file and determine what action to take.


The optional server uses the following components to manage and update many client systems remotely:
  • ePolicy Orchestrator — Centrally manages and enforces VirusScan Enterprise policies, then uses queries and dashboards to track activity and detections.
    Note: This document addresses using ePolicy Orchestrator 4.0, 4.5, and 4.6. For information about ePolicy Orchestrator, see the product documentation for your version.
  • DAT repository — Retrieves the DAT updates from the McAfee download site. From there, DAT files can be replicated throughout your organization, providing access for all other computers. This minimizes the amount of data transferred across your network by automating the process of copying updated files to your share sites.

Components and how they interact