Product Guide

McAfee GetClean
version 2.0
Introducing GetClean
About this guide

COPYRIGHT LICENSE INFORMATION

Copyright © 2013-2017 McAfee, LLC. YOUR RIGHTS TO COPY AND RUN THIS TOOL ARE DEFINED BY THE MCAFEE SOFTWARE ROYALTY-FREE LICENSE FOUND ON
MCAFEE.COM WEBSITE. IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH BY THAT AGREEMENT, THEN DO NOT INSTALL THE SOFTWARE OR STOP ALL USE
AND UNINSTALL THE SOFTWARE.

TRADEMARK ATTRIBUTIONS
McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the United States and other countries. Other names and
brands may be claimed as the property of others.

2
Introducing GetClean
About this guide

Contents
Preface 4
About this guide ................................................................................................................ 4
Audience .................................................................................................................... 4
Conventions................................................................................................................ 4
Find product documentation ................................................................................................ 4

Introducing GetClean 6
How GetClean works .......................................................................................................... 6
Benefits...................................................................................................................... 6
Features ..................................................................................................................... 6
System requirements ................................................................................................... 7
Understanding the GetClean user interface ..................................................................... 7
How to use GetClean .......................................................................................................... 9
Get ready to participate ............................................................................................... 9
Download GetClean ................................................................................................... 10
Scan directories and submit clean files ......................................................................... 10
Interpreting scan results ............................................................................................ 11
Review scan results and upload clean files .................................................................... 12
Track results ............................................................................................................. 13

Frequently asked questions 14

3
Introducing GetClean
About this guide

Preface

This guide provides the information you need to configure, use, and maintain your McAfee GetClean.

About this guide

This information describes the guide's target audience, the typographical conventions and icons used
in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

 Customers and Partners — People who use our product.

 Security Officers — People who determine sensitive and confidential data, and define the
corporate policy that protects the company’s intellectual property.

 Reviewers — People who evaluate the product.

Conventions
This guide uses the following typographical conventions and icons.

Book title or Title of a book, chapter, or topic; introduction of a new term;

Emphasis emphasis.

Bold Text that is strongly emphasized.

User input, Path, or Commands and other text that the user types; the path of a folder or
Code program; a code sample.
Hypertext A live link to a topic or to a website.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system, software installation,

network, business, or data.

Warning/Danger: Critical advice to prevent bodily harm when using a hardware product.

Find product documentation

McAfee provides the information you need during each phase of product implementation, from
installation to daily use and troubleshooting. After a product is released, information about the product
is entered into the McAfee online KnowledgeBase.

4
Introducing GetClean
Find product documentation

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

2 Under Self Service, access the type of information you need:

To access… Do this…
User documentation 1 Click Product Documentation.
2 Select a Product, then select a Version.
3 Select a product document.
KnowledgeBase  Click Search the KnowledgeBase for answers to your product
questions.
 Click Browse the KnowledgeBase for articles listed by product and
version.

5
Introducing GetClean
How GetClean works

Introducing GetClean

McAfee® GetClean is an initiative to collect and upload clean files from software vendors and customers. You can
deploy the McAfee GetClean (GetClean henceforth) tool to submit information on your clean file repositories.
Samples and metadata can then be uploaded to McAfee.
After processing these samples and metadata, the McAfee Global Threat Intelligence™ database is populated with
information about the submitted files. The files then become a part of McAfee test systems where they are scanned
before release of any new DAT update.

Contents
 How GetClean works
 How to use GetClean
 Frequently asked questions

How GetClean works

GetClean incorporates participating customers’ and partners’ files into the McAfee test environment.
Each day, in parallel with the anti-malware DAT update test process, we test each new DAT update
against the participating customers’ files.

Before every DAT release, the files that are submitted via GetClean are scanned for false positive
detections. McAfee Labs™ researchers investigate any identification. The McAfee Labs Research team
will be the final signoff authority for a high quality and error free DAT update.

For participating customers, GetClean significantly reduces the chances of a false positive from
McAfee® GTI File Reputation technology on a laptop and server master images and offers an extra
degree of protection against DAT based false positives.

Benefits
GetClean leverages McAfee Global Threat Intelligence (McAfee GTI) for file reputation lookup so that
only files that are unknown to McAfee or falsely classified are reported.

This considerably reduces the cost and complexity of submitting clean files to McAfee as the tool
simplifies the entire process, saving time and network bandwidth. Instead of submitting entire COE
images, customers can run GetClean on their COE image files or known clean software repositories.

Features
GetClean brings to you these features:

 Delivered as a single Windows executable file with no installation required

 Ability to add, browse, or remove custom directories for a scan

 Choice of reviewing results and deciding to submit actual files

 Option to submit actual samples or metadata of the files to McAfee Labs for whitelisting

 Option to retry file submission to McAfee Labs for whitelisting, if network gets interrupted

6
Introducing GetClean
How GetClean works

 Supports GTI File Reputation lookups via McAfee GTI proxy

System requirements
Make sure to check for these requirements to use GetClean.

Component Requirements
Operating system One of the following Microsoft operating systems:

 Microsoft Windows 7, 8, 10, 2008 Server, 2012 Server, 2016

Server, Windows RS2, Windows RS3

Web Browser One of the following:

 Microsoft Internet Explorer, version 6 or later

 Mozilla Firefox, version 1.0 or later

Hardware  System memory — 1 GB for scanning operations

 At least 4 GB of available disk space
 At least an additional 4GB of hard disk space for temporary files
 Network card (with access to McAfee GTI)

Understanding the GetClean user interface

The GetClean user interface is user-friendly and simple.

7
Introducing GetClean
How GetClean works

Option Definition
File Enables you to save a report or close GetClean

 Save report to file — Saves the scan report as a .txt to a system

location.
 Close — Closes the GetClean tool.

Help Provides help to use GetClean

 Command Line Help — Provides cli commands that can be used to

perform various tasks.
 McAfee Labs Tools — Navigates to the McAfee free tools downloads
site.
 About GetClean — Specifies GetClean version details.

Scans the specified directories

Scan Now
Stops the current scan process on directories
Stop
Specifies customer details and mode of submitting the clean files
Preferences
 Submission Mode — Specifies if you wish to submit the complete
samples(recommended) or only logs to McAfee.
 Execution Mode — Specifies whether the .zip file is submitted online
to McAfee with or without Auto-retry option. By default, the Submit
files to McAfee and Auto-retry failed submission checkboxes are selected.
Auto-retry failed submission — If submit process fails due to network
interruption, retries automatically to submit files to McAfee with
an interval of 120 seconds for two times.
 Customer Information — Specifies details like grant number, email
address, company, and username.
 Save Location — Specifies the location of the clean file on the
system. The file is saved in .zip format.
 Proxy Settings — Specifies server and port details for the proxy
server.

If the Submit files to McAfee checkbox is deselected, Upload enables you to

Upload browse to the .zip location and upload the files to McAfee.
Directories to scan Specifies the directories to be scanned. By default, based on the
operating systems, few paths are displayed.

 Add — Enables to specify a directory to scan.

 Browse — Enables to navigate to a directory in the system.
 Remove — Removes a specified directory from scan.

Scanning window Displays the scan in progress and results. During the scan, you can view
the file reputation as OK or Unknown. The OK status depicts that GTI
whitelists these files.

8
Introducing GetClean
How to use GetClean

Option Definition
The complete scan results display the false positives, unknown digitally
signed files, and unknown files based on GTI File Reputation lookup. The
scan results are saved as a zip file on the system and the submitted files
become a part of the McAfee Labs test environment for the next DAT
update.

How to use GetClean

You can scan directories, review scan reports, and submit clean files to McAfee.

Contents
 Get ready to participate
 Download GetClean
 Scan directories and submit clean files
 Interpret scan results
 Review scan results and upload clean files
 Track results

Get ready to participate

Make sure to follow these guidelines prior to using GetClean.

 GetClean is free and open to only McAfee enterprise customers and partners.
 GetClean should only be run on the master COE image(s) that your IT uses to
reimage systems or on clean software repositories.

Note
If GetClean is executed on an end user system, even if that system was
originally built from a COE image, but then user(s) were allowed to download
and install software themselves, the file is no longer of high trust.

 GetClean can submit only Windows executable files namely exe, dll, pif, scr, and
sys. Data or document files are not harvested.
 GetClean should be run on a regular or scheduled basis on customer systems to
capture the latest file and software updates.

Note
Volume of files submitted reduces significantly in repeat runs as only new files
are submitted.

 Files submitted via GetClean are not distributed outside McAfee or shared with
competitors and third party vendors.

9
Introducing GetClean
How to use GetClean

Download GetClean
Provide a valid grant number and download GetClean from the McAfee Downloads site.

Task
1 Go to the McAfee Downloads site and provide a valid grant number.

2 Download the GetClean .zip file.

3 Extract the files, navigate to the folder, and view the files.

Tip
We recommend creating a folder specifically for GetClean.

Scan directories and submit clean files

Make sure to set the preferences for the scan and locations for the scan reports. The scan report is
submitted to McAfee Labs.

1 Navigate to the GetClean folder and double-click the GetClean.exe file.

2 The McAfee GetClean window is displayed. The selected default directories are displayed.

C:\Program Files

C:\Program Files(x86)

C:\ProgramData

C:\Windows

Note
On Windows XP, the ProgramData folder and on all 32-bit Operating Systems,
C:\Program Files (x86) folder does not exist and will not be part of the default scan
locations. However, you can select the directories you wish to scan.

3 Click Add, Browse, or Remove to specify the directories that contain known clean files to be scanned.

4 Click Preferences and select the different types of execution and sample submission mode. By
default, files are submitted to McAfee Labs in online mode. Click OK.

5 Click Scan Now to begin scanning the system for unknown files.

6 On the End User License Agreement window, accept the license agreement. Click OK.

7 The Scanning window displays the scan initiation, progress, and results for the scanned
directories.

The scan report files are zipped and uploaded to McAfee Labs via HTTPS whenever GetClean is
scanned in online mode.

Note
The default password for the zip file is clean.

10
Introducing GetClean
How to use GetClean

Interpreting scan results

The scan results display false positives and unknown files. When the scan is in progress, the
whitelisted files are displayed as OK.

False positives
GetClean is expected to be run only on clean systems. When McAfee GTI flags a file as
Assumed_Dirty, Trojan, Virus, or PUP there is a high probability of falseness. McAfee Labs researchers
manually analyze these files prior to adding them to the GTI whitelist. The scan results display these
files as Artemis False file(s).

Unknown digitally signed files

In the scan results, there can unknown files that do not have a valid signature. For signed files, the
xml file has a valid publisher and certificate. These unknown classified files undergo a thorough
analysis prior to being whitelisted. The scan results display these files as Unknown Digitally Signed files(s).

Discarding files before an upload

You can review the scan results and decide on the files to upload to McAfee. Navigate to the scanned
result zip file on your system, use WinRaR or 7Zip to open the zip file, and remove files from the
archive. Upload the updated archive to McAfee.

11
Introducing GetClean
How to use GetClean

Scan logs
If a scan stops or gets interrupted before completion, you can view the logs that are stored in the
same location from where GetClean is launched. The scan details are displayed.

Review scan results and upload clean files

You can scan the directories, review the scan results, and then decide to upload clean files. In case
you are offline, you can choose to upload the files manually at a later point of time.

1 Navigate to the GetClean folder and double-click the GetClean.exe file.

2 The McAfee GetClean window is displayed. The selected default directories are displayed.

3 Click Add, Browse, or Remove to specify the directories that contain known clean files to be scanned.

4 Click Preferences and select the different types of execution and submission mode for samples or
logs. Deselect the Submit files to McAfee checkbox. Click OK.

5 Click Scan Now to begin scanning the system for unknown files.

6 On the End User License Agreement window accept the license agreement. Click OK.

7 The Scanning window displays the scan initiation, progress, and results for the scanned
directories.

8 Navigate to the location of the scan report and review the files to be submitted.

9 Click Upload and browse to the zip file. Click Open and then click OK.

12
How to use GetClean

Track results
Once we receive the clean files, the files are validated, and become a part of McAfee Labs test system.
We communicate and follow up with these updates.

 Give us few days for the files to be imported into the McAfee Labs test systems.
 McAfee validates the submitted files and sends an email acknowledgement.
 We then send a confirmation email that the submitted files have been added to
McAfee Labs test systems.

Note
Typically, the acknowledgement emails are sent the same day of submission
unless it is a large submission containing many files to process.

Note
If your request is urgent, you may wish to contact your local McAfee Support
contact.

 Files submitted via GetClean are not distributed outside McAfee or shared with
competitors and third party vendors.

13
Frequently asked questions
How to use GetClean

Frequently asked questions

This section provides you with answers to a few frequently asked questions about GetClean.

Where and how is the data from files being used (primary and secondary)?
1 The harvested files are processed by a whitelisting team and their hashes are classified as clean in
the McAfee Global Threat Intelligence™ database.

2 This information is used by all McAfee Global Threat Intelligence™ enabled products to trust the
whitelisted files as clean.

3 The actual files are transferred to McAfee Labs test systems and are scanned by the latest DAT
files daily before any DAT release.

What kind of metadata is collected about the harvested files?

The following metadata on executable files are logged in the files xml and uploaded to McAfee
Labs.

MD5 SHA1 Location File Name Attribute Company Description Product Version File Version File Size

Publisher Vendor Start Date Expiry Date

Additionally for digitally signed files, we collect information about publisher and certificate.

What kind of details are collected about the user or system?

GetClean collects information like system name, operating system, customer email address,
and user comments. The following is an example of GetClean.xml displaying the type of user
file being harvested.

McAfee GetClean Scan Results

GetClean Build 1.0.0.141

OS Version Microsoft Windows 7 Ultimate Edition (build 7600), 32-bit

Computer Name BANVTHOMASLT01

Scan Initiated Mon Mar 28 17:43:09 2011

Scan Finished Mon Mar 28 18:23:26 2011

Customer Email [email protected]

Comment DELL 820 Laptop Image

 If you submit files for inclusion to the False Positive Test Rig, make sure that you are
legally entitled to distribute the software outside of your organization. McAfee can’t be held
responsible for unauthorized software distribution. Refer to KB article KB66642 for more
details.

14
Frequently asked questions
How to use GetClean

 If you choose to submit hashes, McAfee Labs processes only those hashes for which we
have a sample in our collection. Other hashes are ignored. We need a copy of the actual
file in order to run a scan using the DATs.

 You receive an email acknowledgement upon successful submission of files via GetClean.
Depending on the volume of files submitted – please give it 24-48 hours to get an
acknowledgement.

 Upon processing of the files and adding them to the McAfee GTI whitelist and McAfee Labs
test systems, a confirmation mail is sent to you.

Does GetClean support command line parameters?

Yes, GetClean supports command line parameters.

Example:

GetClean.exe –silent –[email protected] –zippath=”C:\Test”

Additional information
 Post whitelisting of the files submitted from a customer environment, Artemis /Network
Heuristic settings on McAfee VirusScan products can be tuned up to Medium-Very High
settings with minimal chance of a false since all known files on the customer end should
have already been whitelisted in the cloud.

15
Frequently asked questions
How to use GetClean

 While GetClean helps McAfee build its whitelist of known clean files and reduce field falses
– memory or environmental based scenarios will always limit our ability to not false in the
field.

 For best results, we recommend before running GetClean that customers install software
that comes packaged as an installer so that it fully extracts all files onto a target system.
While our backend automation systems attempt to unpack installers, in some cases we
might be unable to harvest all files from a package due to use of custom installation scripts
or those that download further components upon install.

16