McAfee MOVE 4.5.0 Upgrade Guide with NSX

This post walks through the upgrade of McAfee MOVE to version 4.5.0 with NSX Manager, and can be used when upgrading McAfee MOVE Agentless versions 3.5.x, 3.6.x, and 4.0.0. The upgrade of versions 3.5.x or 3.6.x involves migrating all custom settings, policies and tasks with the McAfee MOVE Migration Assistant (these are retained by default when upgrading from version 4.0.0).

Pre-Requisites

The benefits and architecture of offloading AV to a dedicated Service Virtual Machine (SVM) with McAfee MOVE and NSX are covered in the McAfee MOVE with NSX Install Guide. The scope of this guide is to upgrade an existing McAfee MOVE installation, and as such it is assumed that NSX Manager, IP Pools, service deployments (i.e. Guest Introspection), policies, and ePO integration are all in place. It is also assumed that network connectivity between components, time sync, DNS, vSphere access, etc. are configured. For a full list of pre-requisites see the above install guide. The requirements below are specific to the McAfee MOVE 4.5 upgrade:

Update Extensions

The first step is to update the extensions on the ePO server. When upgrading versions 3.5.x or 3.6.x the existing extensions are left in place to facilitate the migration of data, which we’ll cover later. When upgrading version 4.0.0 the extensions are replaced with the new versions; all settings and policies remain.

I am going to use Software Manager to download, install, and check in the software directly on the ePO web UI. If you prefer you can manually download the extensions on your own machine and then install them through the Extensions page (more info on this below). To use Software Manager click the drop down Menu option in the top left hand corner of the page and select Software Manager. Use the search function to find McAfee MOVE AntiVirus 4.5. Browse through the components; you will notice the Migration Assistant is included. Click Check In All.

Accept the license agreement and click Ok. The extensions are downloaded and installed.

An alternative way of installing or updating extensions is to browse to McAfee Downloads, enter your grant number when prompted and then select McAfee MOVE AV for Virtual Servers, McAfee MOVE AntiVirus 4.5. Download the required files and then browse to the web interface of the ePO server (https://EPO:8443/ where EPO is the name of your EPO server). Log in as an administrator and click the drop down Menu option in the top left hand corner of the page. Locate Software, and select Extensions. Click Install Extension and install the downloaded zip files in the following order: Cloud Workload Discovery extension Cloud_Workload_Discovery_Hybrid_4.5.0.zip, McAfee MOVE AntiVirus extension MOVE-AV_Ext_4.5.0_Licensed.zip, Product Help extension MOVE-AV_HELP_EXT_4.5.0.zip. Note that the CommonUI bundle (the mfs-commonui-core-ui, commonui-core-common and commonui-core-rest extensions) is a pre-req for Cloud Workload Discovery 4.5 on ePO 5.1.3 and 5.3.1.

Whichever way you install the extensions, ensure you download MOVE-AL-AL_SVM_OVF_4.5.0.148 (or most recent version). This zip file contains the Service Virtual Machine (SVM), which we’ll need to add to the SVM repository later.

Once the extensions are installed the new version of MOVE AntiVirus will be visible in the Data Center Security group, under Menu > Software > Extensions.

For those upgrading versions 3.5.x or 3.6.x the old extensions remain in place in the MOVE AV group.

You will also notice an additional option in the Automation menu: MOVE AV Agentless remains as the legacy option for versions 3.5.x or 3.6.x, and MOVE AntiVirus Deployment is created for version 4.5.0. The legacy MOVE AV Agentless option is deleted upon removal of the old extensions at the end of the process. Again, this doesn’t apply to 4.0.0 because in that case the extensions are upgraded, rather than running side by side.

Migration Assistant

The Migration Assistant can be used when upgrading from MOVE versions 3.5.x or 3.6.x; if you are upgrading from 4.0.0 then this step is not necessary. Use one of the methods outlined above to install the Migration Assistant extension. If you used Software Manager to install the full McAfee MOVE AntiVirus 4.5 package then the Migration Assistant should already be installed. If you need to manually download and install the extension, then when using McAfee downloads you need to change the Software Downloads tab to Extensions to view the Migration extension.

When the install is complete, in the ePO web UI click the drop down Menu option and, under Software, click Extensions. The MOVE Migration Assistant 4.5 is listed under Data Center Security.

We can now go ahead and run the Migration Assistant; from the drop down Menu, under Policy, select MOVE Migration Assistant.

Select Automatic migration to migrate all settings for supported products (note that unassigned policies are not migrated) and click Next. To select only certain policies or edit policies you can use the Manual migration option; for more information see page 10 of the McAfee MOVE Migration Guide.

Review the items to be migrated; you can rename and edit the policy notes if required by clicking Rename and Edit Notes. When you’re ready to start migrating click Save.

Once the migration job has finished go back into the MOVE Migration Assistant, next to Migrate Agentless Deployment Configuration Details (Agentless Only) select Run, and click Next. Click Ok to confirm migrating configuration details.

When the config migration has completed click the drop down Menu option and under Automation select MOVE AntiVirus Deployment. You will see the SVM configuration and NSX registrations have all been migrated across.

Note that if you are upgrading from 3.5.x then the NSX certificate and credential data is migrated across, however you still need to enter the SVM configuration under Menu, Automation, MOVE AntiVirus Deployment, Configuration, General.

Upgrade SVM Registration

Now we need to add version 4.5.0 of the Service Virtual Machine (SVM) to the SVM repository, and update the registered SVM version with NSX Manager. In the ePO web UI click Menu, under Automation select MOVE AntiVirus Deployment. From the Configuration tab select SVM Repository, click Actions, Add SVM. Browse to the zip file containing the SVM we downloaded earlier and click Ok.

The new version of the SVM will now be listed in the repository.

Next go to Menu, Automation, MOVE AntiVirus Deployment. In the Configuration tab NSX Manager details and credentials should still be in place. Click the Service tab. The Registered SVM Version will still show the old version; from the Actions column for the NSX Manager click Upgrade. Select the new SVM version and click Ok. The latest version of the MOVE SVM is now registered with the selected NSX Manager.

Upgrade NSX Components

The final stage is to update the NSX security policy and service deployments. Log into the vSphere web client and click Networking & Security from the home page. Select Service Composer and then the Security Policies tab. As we’re upgrading an existing McAfee MOVE solution you should already have an AV related policy or policies configured; we need to reconfigure those to point at the new MOVE policies that were migrated across in ePO. Select the security policy to update and click the Edit icon.

Click Guest Introspection Services and select the existing guest introspection service, then click the edit icon and make a note of the existing settings. Cancel out of the edit window and click the red cross to delete the guest introspection service. Click the green plus symbol to add a new service.

Enter a name for the service and ensure Apply is selected, use the McAfee MOVE AV service and select the ePO policy from the Service Profile drop down. The state should be set to Enabled; select Yes to enforce the policy. Use the same settings as the previous service if you like; the only difference will be the new service profile (ePO policy). Click Ok.

Select the Security Groups tab. Confirm that existing security groups are in place with the NSX security policy associated with the McAfee ePO policy applied. If needed you can select a group and click the apply policy icon to apply the security policy edited above to a security group.

Finally, we can update the Service Virtual Machines deployed on the ESXi hosts. From the left hand navigation pane select Installation and the Service Deployments tab. Existing installations will be listed here, with an Upgrade Available status. Service deployments are installed at vSphere cluster level; select the vSphere cluster to upgrade and click the Upgrade icon.

New versions of the SVM are pushed out to each ESXi host in the selected cluster, replacing old versions using the same configuration details (datastore, port group, IP address range). Once complete the new version number is listed, the installation status is succeeded, and the service status is up.

If you upgraded version 3.5.x or 3.6.x you can remove the legacy MOVE extensions once you have updated the SVM registration and service deployments on each vCenter. In the ePO web UI open the Extensions page, locate the old version of the McAfee MOVE extension and click Remove.

If any of the components referenced above are not in place, or you need to deploy McAfee MOVE AV to a new vSphere cluster, see the McAfee MOVE with NSX Install Guide post. The only other thing worth noting is I had a vCenter where the MOVE service registration was failing; I had to remove the MOVE service deployments and service definition from NSX Manager, remove the vCenter from cloud accounts in ePO, and then add it all back in as a new install, deploying the SVM as a fresh 4.5 install rather than an upgrade.

McAfee MOVE with NSX Install Guide

McAfee Management for Optimised Virtual Environments (MOVE) is an anti-virus solution that removes the need for an individual agent install on every guest virtual machine, providing performance benefits and administrative savings at the same time as full anti-virus and malware protection.

MOVE Agentless AntiVirus safeguards virtualised environments using advanced malware protection; integrating real-time threat intelligence with security management whilst offloading all on-access scanning to a dedicated service virtual machine. The agentless solution integrates with NSX Manager and Service Composer for policy and event handling, meaning virtual machines are protected as soon as they are provisioned.

This post will detail the installation and configuration process of the McAfee MOVE service deployment and the associated VMware components: NSX Manager and Guest Introspection. You should already have an ePO server and vCenter server in place.

Architecture

NSX Manager is deployed and registered with vCenter Server on a 1:1 mapping. Upon registration a plug-in is injected into the vSphere web client to enable deployment and management of logical networks and services.

Service deployments consisting of the Guest Introspection and McAfee MOVE ESX Agents are deployed to vSphere clusters; when a host is added to the cluster the configured services are automatically deployed. The McAfee Service Virtual Appliance (SVA) relies on VirusScan Enterprise for Linux for protection and updates, and utilises Global Threat Intelligence (GTI) for real time malware defense.

NSX Manager integrates with McAfee ePolicy Orchestrator to export profile configurations to be used when creating security profiles with Service Composer. Policies are applied to objects such as clusters belonging to an NSX security group; this ensures all virtual machines and hosts are instantly protected. The McAfee ePO integration also allows for management of Service Virtual Machines and reports.

Versions

We will be installing NSX Manager 6.2.4 with McAfee MOVE Agentless 3.6.1 (advanced license), on vCenter 6.0 and ESXi 6.0; version 5.5 of both can also be used. The ePO version should be 4.6.8, 5.1.0, 5.1.1 or 5.3.0. If you are using different versions check the McAfee MOVE compatibility matrix. There is a multi-platform version of McAfee MOVE compatible with Microsoft and Citrix hypervisors, which is beyond the scope of this guide.

With regards to deploying McAfee MOVE in a vCloud Networking and Security (vCNS) environment, using vShield Manager and Endpoint, these products are now end of life. The replacement solution is NSX Manager with Guest Introspection. For assistance with upgrading vShield Manager review Upgrading vShield Manager to NSX Manager.

New post: McAfee MOVE 4.5.0 Upgrade Guide with NSX

Requirements

  • The NSX Manager appliance (1 per vCenter) is preconfigured with 16 GB RAM, 4 vCPU and 60 GB disk. VMware recommend a memory reservation for NSX Manager in production environments.
  • The Guest Introspection agent (1 per host) is preconfigured with 1 GB RAM, 2 vCPU and 5 GB disk.
  • The McAfee MOVE agent (1 per host) is preconfigured with 2 GB RAM, 2 vCPU and 15 GB disk.
  • Each ESX Agent you deploy requires an IP address; 2 per host. This should be planned into the solution design as you will need to assign IP addresses using either DHCP or an IP pool of reserved addresses.
  • A vSphere Distributed Switch (vDS) must be used. There is a workaround for this by configuring the Agent VM Setting on each host, however this should be used for environments such as ROBO and not datacentres.
  • ESXi servers must be grouped into clusters, even if only a single ESXi host resides in a cluster.
  • Connectivity between the NSX Manager and vCenter \ ESXi management networks is required. If you have any firewalls in place review the NSX network port requirements.
  • Environmental variables: correct DNS configuration, time synchronisation, and vSphere administrator access.
  • VMware Tools must be installed on the guest virtual machines as this includes the Guest Introspection driver necessary for offloading on-access scanning.
  • The McAfee MOVE licensing model is as follows: product trial for use with up to 10 hypervisors in a non-production environment, basic license for manual deployment of the Security Virtual Appliance (SVA) bought as a standalone product, advanced license for McAfee ePO based SVA deployment (packaged with Server Security Suite Essentials, Advanced, and Desktop).
  • NSX Manager has a number of licensing models; the default license with NSX Manager v6.2.4 and later includes use of Guest Introspection for offloaded AV. For additional features compare NSX versions.
  • If you have licensing queries check with McAfee support and your VMware account manager.

This guide is intended as a consolidation of the end to end process; before beginning any implementation you should review further documentation including the MOVE AV Agentless Product Guide and the VMware NSX 6.2 Documentation Centre.

Installation Part 1 – NSX Manager

Download the NSX Manager OVA file from the Download VMware NSX for vSphere page.

Deploy the OVA file to your vCenter server; in the customisation options configure the appliance network settings. Once the NSX Manager appliance is deployed and powered on, open a web browser to the specified IP address and log in with the admin account. If you didn’t change the password during deployment, the default password is default.

Click Manage vCenter Registration, then under vCenter Server click Edit. Enter the name of the vCenter server to register NSX Manager with and the relevant credentials, then click Ok. It is good practice to set the time settings and host name in the Manage Appliance Settings page; you can also configure a syslog server, backups, change network settings, etc.

After configuring NSX Manager restart the VMware vSphere Web Client on the vCenter Server the NSX Manager was registered with. You may also need to restart your browser. Log in to the vSphere web client and browse to Networking & Security, click NSX Managers and verify the newly deployed NSX Manager is present.

To configure additional permissions select the NSX Manager and click Manage, Users. Here you can add, edit, and remove users and permissions. Each role provides a description of the level of access, for more information on NSX permissions click here. To add Active Directory permissions to NSX Manager select the Domains tab, and click the green plus symbol to add the LDAP details.

If you have a license key to apply to NSX Manager you can do so under the Administration option from the home page of the vSphere web client, select Licenses, Assets, Solutions, NSX.

Part 2 – McAfee ePO

Depending on your environment some of the steps below might already be configured; you may also need to repeat sections for multiple vCenters. Download the MOVE AntiVirus Agentless zip package, the MOVE AntiVirus Agentless extension for McAfee ePO, and the Data Center Connector for vSphere from McAfee downloads.

Log in to McAfee ePO as an administrator and browse to Menu, Software, Extensions. Click Install Extension and install the MOVE AntiVirus Agentless extension and the Data Center Connector for vSphere extension.

Next we need to register the vCenter. Browse to Menu, Configuration, Registered Cloud Accounts. Click Actions, Add Cloud Account. Ensure VMware vSphere is selected and input the vCenter details.

Before deploying MOVE we create a common configuration on the ePO server for use with each Service Virtual Machine (SVM). Browse to Menu, Automation, MOVE AV Agentless. On the Configuration tab select General, enter your administrative password and configure a naming convention and admin password for use with each SVM.

Next we can check in the SVM zip package downloaded earlier. Browse to Menu, Automation, MOVE AV Agentless. From the Configuration tab select SVM repository and Actions, Add SVM.

The extensions we installed will automatically detect NSX Manager instances, however we still need to register these with McAfee ePO. Click Menu, Automation, MOVE AV Agentless. From the Configuration tab select NSX Manager; the discovered instances of NSX Manager will be listed. Click Edit, fill in the NSX Manager details, validate the credentials can connect, and click Save.

Next we register the MOVE AntiVirus service with McAfee ePO. Browse to Menu, Automation, MOVE AV Agentless. Select the Service tab and click NSX Manager; the registered vCenters and associated NSX Managers will be listed. Click Register. The McAfee MOVE AV service should now be listed in the vSphere web client under Networking & Security, Service Definitions. Once McAfee MOVE is defined as a service definition in vSphere, any scan policies are exported from McAfee ePO to NSX in real time.

Part 3 – Service Deployments

Guest Introspection and McAfee MOVE are service deployments installed on a per cluster basis using the vSphere web client. Guest Introspection must be deployed before McAfee MOVE. Once a cluster has a service deployment installed any new host added to the cluster automatically receives the ESX Agents.

To deploy Guest Introspection log into the vSphere web client and browse to Networking & Security, then click Installation. Click the green plus symbol to add a new service deployment.

In the new service deployment screen select Guest Introspection and click Next.

Select the cluster or clusters to deploy the service to and click Next.

Select the storage and management network for the ESX Agents. The default IP assignment is DHCP; ensure the selected network has access to a DHCP server. Alternatively click Change and select IP Pool. You can select an existing IP Pool or create a new one with the necessary network details. If your IP Pool fills up follow the steps outlined here to extend. When the storage and network settings are configured click Next.

Review the details on the confirmation page and click Finish.

The service will now be deployed; the status will be displayed in the Installation Status column. You will also see the ESX Agents being deployed in the vSphere recent tasks pane. Once complete the installation status should show succeeded and the service status ok.

Click the green plus symbol to add a new service deployment. In the new service deployment screen select McAfee MOVE AV and click Next.

Select the cluster or clusters to deploy the service to and click Next.

Select the storage and management network for the ESX Agents. The default IP assignment is DHCP; ensure the selected network has access to a DHCP server. Alternatively click Change and select IP Pool. You can select an existing IP Pool or create a new one with the necessary network details. If your IP Pool fills up follow the steps outlined here to extend. When the storage and network settings are configured click Next.

Review the details on the confirmation page and click Finish.

The service will now be deployed; the status will be displayed in the Installation Status column. You will also see the ESX Agents being deployed in the vSphere recent tasks pane. Once complete the installation status should show succeeded and the service status ok. Each host will now contain an ESX Agents resource group with the installed service deployments.

If you are using stateless environments then you should update the Auto Deploy image with the NSX VIBs, otherwise the Guest Introspection status will change to not ready after a host is rebooted.

Browse to https:///bin/vdn/nwfabric.properties and find the VIB URL for your version of ESXi, open the relevant URL which will auto download vxlan.zip. For assistance with updating Auto Deploy images see the VMware Auto Deploy Guide.
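As an added illustration of the lookup described above (not code from the original post or from VMware): a small parser that picks the vxlan.zip path for a given ESXi version out of nwfabric.properties. The key names reflect the file layout this example assumes; the sample contents, build numbers and the manager host name are constructed placeholders.

```python
import fnmatch
import re

# Constructed sample in the layout assumed for nwfabric.properties; paths and
# build numbers are placeholders, not values from a real NSX Manager.
SAMPLE_PROPERTIES = """\
# 5.5 VDN EAM Info
VDN_VIB_PATH.1=/bin/vdn/vibs-0.0.0/5.5-0000001/vxlan.zip
VDN_VIB_VERSION.1=0000001
VDN_HOST_PRODUCT_LINE.1=embeddedEsx
VDN_HOST_VERSION.1=5.5.*

# 6.0 VDN EAM Info
VDN_VIB_PATH.2=/bin/vdn/vibs-0.0.0/6.0-0000002/vxlan.zip
VDN_VIB_VERSION.2=0000002
VDN_HOST_PRODUCT_LINE.2=embeddedEsx
VDN_HOST_VERSION.2=6.0.*
"""

# Assumed line shape: KEY.N=value, where N ties the keys of one entry together.
_LINE = re.compile(r"^(VDN_[A-Z_]+)\.(\d+)=(.*)$")


def parse_entries(text):
    """Group KEY.N=value lines by their numeric suffix N."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or section comment
        match = _LINE.match(line)
        if match is None:
            continue  # ignore anything outside the assumed layout
        key, idx, value = match.group(1), int(match.group(2)), match.group(3)
        entries.setdefault(idx, {})[key] = value.strip()
    return entries


def vib_url(text, esxi_version, manager_host):
    """Return the vxlan.zip URL for esxi_version, or None if nothing matches.

    Raises ValueError if more than one entry matches, so an ambiguous file
    never silently selects the wrong VIB for the Auto Deploy image.
    """
    paths = []
    for _, entry in sorted(parse_entries(text).items()):
        pattern = entry.get("VDN_HOST_VERSION")
        path = entry.get("VDN_VIB_PATH")
        if pattern and path and fnmatch.fnmatchcase(esxi_version, pattern):
            paths.append(path)
    if not paths:
        return None
    if len(paths) > 1:
        raise ValueError(f"ambiguous match for ESXi {esxi_version}: {paths}")
    return f"https://{manager_host}{paths[0]}"


if __name__ == "__main__":
    # nsxmgr.example.test is a hypothetical NSX Manager host name.
    print(vib_url(SAMPLE_PROPERTIES, "6.0.0", "nsxmgr.example.test"))
```
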

Part 4 – Service Composer

The final stage is to create and apply security policies to the security group containing virtual machines that you want to protect. McAfee MOVE is optimised for virtual environments and as such the out of the box settings provide maximum protection with minimum overhead. However you can exclude certain file types and create on-access scan schedules tailored to your environment if preferred.

In this example we will be applying the default McAfee scan policy. To create your own scan policies log in to McAfee ePO and browse to Menu, Policy, Policy Catalog and select New Policy. Remember any scan policies created in ePO are automatically exported to NSX.

In the vSphere web client go to Networking & Security, Service Composer and open the Security Policies tab. Click the New Security Policy icon.

Add a new Guest Introspection Service that applies the service profile from ePO; in our case this is the McAfee MOVE AV My Default policy. Click Ok and Finish.

Now we need to create a security group to apply the policy to. Select the Security Groups tab and click the New Security Group icon. Enter a group name and description, configure the objects to include and exclude and click Finish. (You can change the Object Type to datacentres, clusters, virtual machines, etc.)

Finally we apply the policy to the newly created group by clicking the Apply Policy icon. Select the policy and group to apply to and click Ok.

The default policy is now applied and members of the security group are protected. Depending on your environment and existing ePO policy standards you may want to set up separate policies such as quarantine, tagging, etc. For further assistance with McAfee policies refer to the MOVE AV Agentless Product Guide.