Professional Documents
Culture Documents
Copyright Notice
Copyright 2005 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.
Trademarks
Symantec, the Symantec logo, LiveUpdate, Norton AntiVirus, and Norton SystemWorks are U.S. registered trademarks of Symantec Corporation. Norton Internet Security, Norton Personal Firewall, Symantec AntiVirus, Symantec Client Firewall, Symantec Client Security, Symantec Desktop Firewall, Symantec Enterprise Security Architecture, Symantec Packager, Symantec Security Response, and Symantec System Center are trademarks of Symantec Corporation. Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.
Technical support
As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support groups primary role is to respond to specific questions on product feature/ function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts. Symantec technical support offerings include:
A range of support options that give you the flexibility to select the right amount of service for any size organization Telephone and Web support components that provide rapid response and up-to-the-minute information Upgrade insurance that delivers automatic software upgrade protection Content Updates for virus definitions and security signatures that ensure the highest level of protection Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support Program
Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using.
When contacting the Technical Support group, please have the following:
Product release level Hardware information Available memory, disk space, NIC information Operating system Version and patch level Network topology Router, gateway, and IP address information Problem description Error messages/log files Troubleshooting performed prior to contacting Symantec Recent software configuration changes and/or network changes
Customer Service
To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, and then choose Service and Support. Customer Service is available to assist with the following types of issues:
Questions regarding product licensing or serialization Product registration updates such as address or name changes General product information (features, language availability, local dealers) Latest information on product updates and upgrades Information on upgrade insurance and maintenance contracts Information on Symantec Value License Program Advice on Symantec's technical support options Nontechnical presales questions Missing or defective CD-ROMs or manuals
Contents
Technical support
Section 1
Chapter 1
6 Contents
Configuring login certificates ............................................................................ 39 Configuring login certificate lifetime and time tolerance .................... 40 Configuring login certificate key size ....................................................... 42
Chapter 2
Contents
Using client groups to manage .......................................................................... 74 Creating client groups ................................................................................. 74 Adding clients to a client group ................................................................. 75 Configuring settings and running tasks at the client group level ....... 75 About client group settings ........................................................................ 75 Moving a client to a different client group .............................................. 75 Viewing and filtering client groups .......................................................... 76 Renaming client groups .............................................................................. 78 Deleting client groups ................................................................................. 78 Using client group settings instead of server group settings ............... 79 Managing clients .................................................................................................. 79 Managing legacy clients ............................................................................. 79 Enabling direct client configuration ......................................................... 80 Handling clients with intermittent connectivity .................................... 80 Changing the management mode of a client ........................................... 82
Chapter 3
8 Contents
Section 2
Chapter 4
Chapter 5
Updating definitions
About definitions ............................................................................................... 179 Ensure that all definitions are current .......................................................... 180 Definitions files update methods .................................................................... 180 Best practice: Using the Virus Definition Transport Method and LiveUpdate together .......................................................................... 181 Best practice: Using Continuous LiveUpdate on 64-bit computers ... 182
Contents
Updating definitions files on servers .............................................................182 Updating and configuring servers using the Virus Definition Transport Method ..............................................................................182 Updating servers using LiveUpdate ........................................................188 Updating servers with Intelligent Updater ...........................................191 About using Central Quarantine polling to update servers ................192 Minimizing network traffic and handling missed updates .................192 Updating definitions files on clients ..............................................................195 Forcing definitions files on clients to update immediately .................196 Configuring managed clients to use an internal LiveUpdate server ..............................................................................197 Enabling and configuring Continuous LiveUpdate for managed clients ...................................................................................................198 Setting LiveUpdate usage policies ..........................................................200 Controlling definitions file deployment .........................................................201 Finding computers with outdated definitions files ..............................201 Verifying the version number of definitions files ................................201 Viewing the risk list ...................................................................................202 Rolling back definitions files ...................................................................202 Testing definitions files ....................................................................................203 Scenarios for definitions updates ...................................................................204 About scanning after updating definitions files ...........................................204
Chapter 6
10 Contents
Chapter 7
Chapter 8
Index
Section
12
Chapter
About Symantec AntiVirus About the Symantec System Center Using the Symantec System Center About the Discovery Service Running the Discovery Service Using the Find Computer feature Configuring login certificates
Establish and enforce an antivirus and security risk policy for your business. Retrieve content updates such as virus and security risk definitions. Quarantine and delete live viruses. Analyze logged events.
Symantec AntiVirus product components are described in the Symantec AntiVirus Installation Guide.
The Symantec AntiVirus client software provides antivirus and security risk protection for networked and non-networked computers. The Symantec AntiVirus client software protects 32-bit and supported 64-bit computers that run supported Windows versions. The term, Symantec AntiVirus, refers to both the Symantec AntiVirus server and the Symantec AntiVirus client software. Computers that run Symantec AntiVirus server software might be required to do so because of system requirements. Computers that run Symantec AntiVirus server software are not required to act as management servers. The Symantec AntiVirus server software can manage other computers that run Symantec AntiVirus and supported legacy versions of Norton AntiVirus Corporate Edition, and can push configuration updates as well as virus and security risk definitions file updates to these clients. In addition, the Symantec AntiVirus server software provides antivirus and security risk protection for the computers on which it runs. Note: The Symantec AntiVirus server software is not supported on 64-bit computers.
Installing antivirus and security risk protection on workstations and network servers Updating Symantec AntiVirus definitions Managing Symantec AntiVirus servers and clients Managing content licensing, if you are using a content license rather than a site license for your computers See the Content Licensing chapter in the Symantec AntiVirus Installation Guide.
In addition to the Symantec System Center, you can also use Grc.dat configuration files to configure Symantec AntiVirus clients. You can use configuration files if you want to use a third-party tool to perform remote configuration on your network.
15
17
On the Windows taskbar, click Start > Programs > Symantec System Center Console > Symantec System Center Console.
Top server group level Contents of object selected in tree appear in right pane Locked server group Unlocked server group Client groups
The Symantec System Center opens to the Default Console View. Note: The Symantec System Center console should not be viewed from a terminal session.
Windows 2000 Server/Advanced Server/Professional Windows Server 2003 Web/Standard/Enterprise/Datacenter Editions Windows XP Professional NetWare Server 5.1 Support Pack 8 or higher, 6.0 Support Pack 5 or higher, and 6.5 Support Pack 2 or higher
The primary management server plays an important role, so select a stable server that is always running. To select the primary management server for a server group
Right-click the server that you want to be the primary management server, and then click Make Server A Primary Server.
19
Click Yes if you want to see the same console view the next time that you launch the Symantec System Center. Click No if you want to see the last saved view the next time you launch the Symantec System Center.
Table 1-2 lists the data columns in the Symantec AntiVirus view. Table 1-2 Data columns in the Symantec AntiVirus view Data columns that appear in right pane
Server Group Status Definition Sharing Newest Definitions Status of Server Updates Server Type Status Last Scan Definitions Version Scan Engine Address Status of Client Updates Group Name Configuration Change Date Number of Clients
Server group
21
Table 1-2
Data columns in the Symantec AntiVirus view Data columns that appear in right pane
Client User, including the domain that authenticated the user Status Last Scan Definitions Version Scan Engine Address Group Server
You can rearrange the order of the columns to better suit your needs. To customize the columns in a view 1 2 3 4 In the left pane, under Symantec System Center, select an object. On the View menu, in the list that appears at the bottom of the menu, select the view that you want to customize. On the View menu at the top of the Symantec System Center window, click Choose Columns. In the Modify Columns dialog box, use the Add, Remove, Move Up, and Move Down buttons to customize your view as needed, or use Reset to return the settings to the last saved state.
When Auto-Protect is enabled, the icon appears as a full shield. When you right-click the icon, a check mark appears before Enable Auto-Protect. When Auto-Protect is disabled, the icon is covered by a universal no sign (a red circle with a diagonal slash). When you right-click the icon, no check mark appears before Enable Auto-Protect.
23
Date of the computers virus definitions files When the computer was last infected
IP pings are sent to the remote computer running Symantec AntiVirus server software to determine what type of protocol it uses. Pings are also sent that support Norton AntiVirus Corporate Edition and Intel LANDesk Virus Protect, legacy versions of Symantec AntiVirus. The data from the computer that runs Symantec AntiVirus client software is stored on the computer that runs Symantec AntiVirus server software that is the clients parent management server. The Symantec System Center console reads each parent management servers registry to get the data that it displays in the console. Following the completion of this process, Normal Discovery runs.
Types of Discovery
Symantec System Center uses the following types of Discovery:
Load from cache only (with or without using IP Discovery) Local Discovery (with or without using IP Discovery) Intense Discovery (with or without using IP Discovery) Normal Discovery (not user-initiated)
Table 1-3 describes the types of Discovery that Symantec AntiVirus uses: Table 1-3 Type
Load from cache only
Description
Load from cache only offers the most basic type of Discovery. It tries to refresh all of the servers for which the Symantec System Center console address cache contains information. Each server is then sent a series of pings to see if the server checks back in, and to refresh information on the console. Load from cache only reduces traffic on the network when you launch the Symantec System Center. In most cases, you may find that choosing Load from cache only finds all of the servers that you need to add to the Symantec System Center console.
In Local Discovery, a ping packet is broadcast over the local subnet of the computer that runs the Symantec System Center console. Intel PDS services that run on servers on the local subnet reply with pong data. Local Discovery generates less ping noise, but is limited to the local subnet. Local Discovery works very well on small subnets. In very large subnets, you might obtain better results by using Intense Discovery.
Intense Discovery
Intense Discovery walks My Network Places on the local Windows computer and attempts to resolve all computers that it finds into a network address. When it has the network address, it attempts to send ping requests. You can configure whether Intense Discovery walks the NetWare or Microsoft branches of the network tree, or both. The ability of Intense Discovery to locate computers is limited by several factors: the availability of a Windows Internet Naming Service (WINS) server or Active Directory, network subnet and router configuration, DNS configuration, and Microsoft domain and workgroup configuration. Searching by IP address range in most cases is not affected by these factors. For this reason, you may want to use IP Discovery.
25
Description
The Symantec System Center console broadcasts to all servers that are in unlocked server groups. Normal Discovery queries the primary management server of the server group for the list of secondary management servers in its address cache. The Symantec System Center console address cache stores information for all servers that have ever reported to it. The primary management server address cache contains information for every server within the server group. The address cache includes the names of all secondary management servers and their IP addresses. The Symantec System Center console compares its own address cache with the address cache sent by the primary management server. When a mismatch is identified, the console pings the associated server. When the pong data returns, it is added to all other servers in the list. In this way, Normal Discovery can identify every server in the server group and attempt to resolve information conflicts between parent management servers.
You can configure Load from cache only, Local Discovery, and Intense Discovery to use IP Discovery by using either an IP address or an IP subnet address range. You may want to use IP Discovery only periodically to discover computers across the network. After the computers are in the address cache, you can then use the Load from cache only method.
27
In the Discovery Service Properties window, on the Advanced tab, check Enable IP Discovery.
Once Enable IP Discovery is checked, an IP Discovery session runs whenever you run an Intense Discovery. To run any type of Discovery without also running IP Discovery, uncheck Enable IP Discovery. You can also access IP Discovery functionality in the Find Computer dialog box. See Using the Find Computer feature on page 30. 4 In the Scan Type list, select one of the following:
IP Address: The console pings every computer in the range of IP addresses. IP Subnet: The console broadcasts to each subnet.
5 6
In the Beginning of range and End of range boxes, type the addresses. If you clicked IP Subnet, type the subnet mask to refine the search. IP Address search results appear in the lower portion of the Find Computer dialog box. IP Subnet search results are displayed in the Symantec System Center console status bar.
If you want to run Discovery using IP addresses, configure the settings on the Advanced tab. See To configure the Discovery Service to use IP addresses on page 26. In the Discovery Service Properties window, on the General tab, select one of the following options:
Load from cache only This is the quickest method. The Symantec System Center reads the list of servers and clients stored in the local cache. See Table 1-3, Discovery types, on page 24. Local Discovery Broadcasts to the Symantec System Center consoles local subnet. Servers respond immediately with information about themselves and their clients. Each servers server group appears in the console unless you have filtered the view by using the View menu. Load from cache only runs as well. See Table 1-3, Discovery types, on page 24.
29
Intense Discovery
This is the most thorough method. If you have a large network, the Discovery process may take a long time. The Symantec System Center serially pings every server in the Network Neighborhood. Server names appear in the message area of the Symantec System Center console as they are found during the Discovery process. Intense Discovery also performs the same local subnet broadcast as Local Discovery. Load from cache only and Local Discovery run as well. See Table 1-3, Discovery types, on page 24.
4 5
Under Discovery Cycle, select the interval in minutes, if necessary. See Configuring the Discovery Cycle interval on page 29. If you plan to run Intense Discovery, under Intense Discovery Properties, specify the number of Intense Discovery threads, between 2 and 50. Each Discovery thread is an independent search for servers and clients. To maintain the most up-to-date Discovery information, select a lower Discovery interval and a higher number of Discovery threads. If you want to clear all server and client information out of the active memory and address cache, and immediately run Discovery based on the current Discovery settings, under Cache Information, click Clear Cache Now. When you clear the cache, unlocked server groups are locked. Do one of the following:
If you want to immediately run Discovery, click Run Discovery Now, and then click Close. Only one Discovery can run at a time. Rebuilding a list of servers on a large network during Discovery may take a long time.
Note: Increasing the Discovery Cycle interval can result in a display of outdated information in the Symantec System Center console. To change the Discovery Cycle interval 1 2 On the Tools menu, click Discovery Service. Change the Interval in minutes setting as necessary.
The Symantec System Center may not automatically discover servers on LAN segments that are separated by routers. Servers may not be visible in the Network Neighborhood. For example, Windows Internet Naming Service (WINS) servers or Active Directory may not be replicated across network segments.
If you cannot locate some servers on your LAN, you can locate them manually by using the Find Computer feature in the Symantec System Center console. After you use the Find Computer feature to locate a server, you can manage it from the Symantec System Center console.
31
To find computers using a local cache search 1 On the Tools menu, click Find Computer.
2 3
In the Find Computer window, on the Local Search tab, type the network name of the server that you want to find. Under Match Type, select one of the following:
Exact: Searches for a server name that is an exact match. If you leave the Search For text box empty, and then specify Partial as the match type, all computers in the local cache appear when you run the search. 4 Click Find Now.
Find computers
The Symantec System Center console contains the following Find Computer options that search the network:
Network Discovery Finds computers that run the Symantec AntiVirus server software by computer name or address. Finds computers that run the Symantec AntiVirus server software by using an IP address or subnet range.
Scan Network
Audit Network
This broad network search allows you to not only locate the computers, but also to determine the protection that is available on them, including whether other antivirus software is installed, and to configure a number of search settings. This option takes the most time and resources. See To run a network audit on page 35.
To find computers using an address type 1 2 On the Tools menu, click Find Computer. In the Find Computer window, on the Network Discovery tab, specify whether you want to use a computer name or an IP address as the search criterion. Type the server address or computer name. Click Find Now.
3 4
To find computers using an IP address range 1 2 On the Tools menu, click Find Computer. In the Find Computer window, on the Scan Network tab, select one of the following:
IP Subnet IP Address Sends out a broadcast to each subnet. Pings every computer in the range of IP addresses.
3 4 5
Type the addresses for Beginning of range and End of range. If you clicked IP Subnet in step 2, type the subnet mask to refine the search. Click Find Now. IP Address search results appear in the lower portion of the Find Computer dialog box. IP Subnet search results appear in the Symantec System Center console status bar.
33
To locate found items in the Symantec System Center console 1 On the Tools menu, click Find Computer.
2 3
In the Find Computer window, select the desired computer. Click Sync Item. The Symantec System Center console tree view moves to the selected item, which is then highlighted in the right pane. Click Save if you want to save the search results as a comma-delimited file.
In the left pane, right-click the system hierarchy, unlocked server group, server, or client group, and then click Refresh.
Auditing computers
Computers on your network that do not have Symantec AntiVirus running leave holes open in your network security. You can run a network audit of remote computers to determine the following:
Whether a Symantec AntiVirus component is installed and running. The type of protection that is installed, such as Symantec AntiVirus server, client, or unmanaged client software. Whether antivirus software from other vendors or from Symantec (such as a Norton AntiVirus consumer version), including the type and version of that software, is installed on the computer.
You must be able to log in as Administrator to the remote computers that you are auditing. Note: Because Symantec AntiVirus now uses secure communications over SSL, server and server group information for clients that run the current version of Symantec AntiVirus does not appear after a network audit. If a firewall is running on the remote computer, the network audit may not be able to gather information.
35
In the Find Computer window, on the Audit Network tab, type the beginning and end of the IP address range that you want to search.
Click Options to set custom network audit options. For example, if you want to find remote computers that have unmanaged Symantec AntiVirus client software installed, you can enable the related option.
In the Audit Network Options dialog box, set the number of audit threads to use to a value between 2 and 50. A higher number yields faster results but requires more network resources. Under Ping Options, set the following options:
The time-out period in milliseconds for Symantec PDS and Windows ICMP pings. Whether the search should continue even if an ICMP ping fails. This is useful if you know that a firewall is set up with a rule to block an ICMP ping, because you can still audit the network for computers that run Symantec AntiVirus.
Under Symantec AntiVirus IP ports, configure the search to ping up to four Symantec AntiVirus IP ports. To support legacy and current clients, both UDP and TCP ports are pinged. Port 1 defaults to 2967, which is the default port number of Rtvscan, the main Symantec AntiVirus service.
37
Under Display Options, specify whether you want to display the following:
Previously labeled machines Parent management servers discovered through clients even if they are outside the IP address range Whether to look for computers that run unmanaged Symantec AntiVirus client software, and offline servers and clients. This requires you to specify valid administrator account information, such as a user name and password. Whether to look for computers that run other vendors antivirus software. This requires that you know valid administrator account information, such as a user name and password.
Whether or not to always use name resolution. See Setting administrator account options on page 38.
Click OK.
You can see the audit progress at the bottom of the Find Computer dialog box. When the audit completes, the following types of information appear:
Machine Server Group The name of the remote computer. The name of the server group to which the remote computer belongs. The name of the server that controls the remote computer.
Server
Type
The server or client type. Login errors are also reported in this column. The version of the antivirus product running on the computer. The IP address of the computer. The user name associated with the compute, including the domain that authenticated the user.
Look for unmanaged clients, offline servers, and offline clients Look for other AntiVirus software
39
To set administrator account options 1 In the Remote Administrator Account dialog box, do one of the following:
Type the name of the domain that contains the computers that you want to find, followed by valid domain administrator account information. Check Use local accounts to access a specific computer, and then type the Admin user name and password.
Click OK.
Computers that cannot be located or to which a connection cannot be made Routers and network drives Computers that do not have Symantec AntiVirus software installed
To label a found item and rerun the audit 1 2 3 4 In the Find Computer dialog box, in the Machine column, right-click an item, and then click Label. In the Edit description for dialog box, type a new label for the item. Click OK. Right-click the item again, and then click Audit again.
The login certificate is time-limited for security purposes, but is valid across all time zones. If a specific user account is deleted in the Symantec System Center, the temporary login certificate that is associated with that user cannot be renewed after it expires, regardless of the time zone. If the login certificate expires after the user authenticates to a server or client, the user is automatically issued another valid login certificate. You can use the Symantec System Center to configure the login certificate lifetime. Login certificates are time-stamped, and by default, expire 24 hours after being issued. You can configure a shorter lifetime to increase the level of network security, but this also increases processing overhead. Warning: Unsynchronized computer system clocks in a server group can prohibit servers and clients from authenticating a users login certificate because of the time difference. Synchronize your computer system clocks to prevent this from occurring. For example, suppose that a user has a temporary login certificate that contains a primary management servers time stamp and is valid for 30 minutes. If that user attempts to authenticate to a client that has a clock setting that is set 45 minutes ahead of the primary management server, then when the client receives the login certificate, it believes that the login certificate expired 15 minutes ago based on its system clock setting, and does not permit configuration changes by that user. Because login certificates are issued by the primary management server in a server group, you can configure login certificate settings only at the server group level.
41
To configure login certificate settings 1 Right-click the server group that you want to configure, and then click Configure login certificate settings.
In the Login Certificate Settings dialog box, under Length of time login certificate is valid, set the number of hours and days that you want the certificate to last. A Symantec System Center user whose login session exceeds this setting is prompted for a user name and password to obtain a new login certificate. The default is 1 day. All computers in this server group whose system clocks are ahead of the primary management server system clock must be no further ahead than this setting to be managed by the Symantec System Center. Under Tolerate time discrepancy between computers of, set the number of hours and days to the amount of backwards time discrepancy that you want to allow between the system clocks of the primary management server, and the system clock of its clients and secondary management servers. The default is 1 day. All computers in this server group whose system clocks are behind the primary management server clock must be no further behind than this setting to be managed by the Symantec System Center.
Chapter
About servers About server groups and client groups Using server groups to manage Enhancing server group security Optimizing server performance Using Tamper Protection Using client groups to manage Managing clients
About servers
The current version of Symantec AntiVirus uses the Secure Sockets Layer (SSL) to encrypt communications between its servers and clients. Symantec AntiVirus versions 9.x and earlier used UDP for such communications. Servers that run the current version of Symantec AntiVirus can manage most legacy clients by default, but in certain cases, configuration is required. See Optimizing definitions and configuration rollouts on page 67. Warning: Symantec AntiVirus 9.x and earlier servers cannot be used to manage clients running the current version of Symantec AntiVirus.
When you manage with the Symantec System Center, computers running Symantec AntiVirus server software can assume the following roles:
45
All servers in a server group are secondary management servers until you assign one as the primary management server. You must designate the primary management server before you can perform most tasks at the server group level.
Assigned clients are Symantec clients that have been assigned to a client group. They receive virus and security risk definitions files from the server to which they are physically attached, but receive configuration settings and updates based upon the client group to which the Symantec AntiVirus policies are applied. Unassigned clients are Symantec clients that have not been assigned to a client group. They receive configuration settings and updates from their parent management server.
Note: The server group level is the highest level at which you can manage Symantec product configuration changes.
Server group
47
Virus sweep Update virus and security risk definitions now History configuration Scheduled and manual scans Virus and security risk definitions updates Quarantine options Client and server Auto-Protect options Client administrator only options Client roaming options Client and server tamper protection options LiveUpdate Auto-Protect status View risk list Clear risk status
Client group
Scheduled scans Virus and security risk definitions updates Quarantine options History configuration Client Auto-Protect options Client tamper protection options Client roaming options Client administrator only options LiveUpdate
Client
Read-only
By default, you cannot use the Symantec System Center to configure individual clients. However, you can use the Allow direct configuration of individual clients option to enable the Symantec System Center to configure individual clients. See Enabling direct client configuration on page 80.
How settings propagate from the Symantec System Center console Description
When you set options at the server group level, and then click OK, the Symantec System Center communicates directly to every server in the server group. Parent management servers update their clients by rolling out a new Grc.dat file. This file replaces the existing Grc.dat file. Custom settings in the old Grc.dat file are not retained. If you click Cancel, no options change. If you click Reset All, Symantec AntiVirus overwrites all settings in the dialog box.
Servers
When you set options at the server level, and then click OK, the Symantec System Center topology service communicates directly with the selected server. Only the selected server is affected. If you click Cancel, no options change. If you click OK without changing options, Symantec AntiVirus does not overwrite the servers current options.
Client groups
When you set options at the client group level, and then click OK, the primary management server creates a Grcgrp.dat file and sends it to secondary management servers. The secondary management servers update their clients by rolling out a new Grc.dat file. This file replaces the existing Grc.dat file. Custom settings in the old Grc.dat file are not retained. If you click Cancel, no options change.
Clients
When you set options at the client level, and then click OK, the System Center Topology service communicates with the client directly and makes the single change in the registry. If you click Cancel, no options change.
49
Note: Auto-Protect scanning settings must be locked before they are propagated to clients. See Scanning for viruses and security risks on page 109.
Note: If you prefer to manage by using client groups, you can achieve the same end by setting up a new client group. See About server groups and client groups on page 45.
2 3
In the New Server Group dialog box, type the name for the server group. The name cannot have more than 47 characters. In the Username text box, type the user name to use for the new server group. This can be any user name you want to use. The user account is automatically created and assigned to the Administrator role and added to the account management list for this server group.
51
4 5
In the Password text box, type a password to use when unlocking the server group. In the Confirm Password text box, retype the password.
Right-click the server group that you want to lock, and then click Lock Server Group.
To unlock a server group 1 In the Symantec System Center console, in the left pane, right-click the server group, and then click Unlock Server Group.
2 3
In the Unlock Server Group dialog box, type the user account name and password for the server group. If you want these options to be filled in automatically each time that you unlock this server group, check Remember this user name and password for me. If you enable the Symantec System Center to remember the user name and password for this server group, then you can configure the Symantec System Center to start with this server group unlocked. Click Automatically unlock this Server Group when I start the Symantec System Center. Click OK.
To stop saving user name and password or to stop automatic unlocking 1 To stop saving your user name and password, and to stop having the Symantec System Center open with this server group unlocked, right-click the server group, and then click Lock Server Group. Right-click the server group again, and then click Unlock Server Group. In the Unlock Server Group dialog box, uncheck Remember this user name and password for me and Automatically unlock this Server Group when I start the Symantec System Center. Click OK.
2 3
53
You can either have the Symantec System Center copy the root certificate to the Symantec System Center computer the first time that you log on to the server group, or copy it by using Windows authentication. If you choose to simply copy the root certificate, you can suppress this message in the future. Select Windows authentication to provide a greater degree of security.
Note: You receive notifications only for displayed server groups. If you filter a server group, you do not receive notifications from that server group. To view a single server group
Right-click the server group, and then click New Window From Here.
To filter the server group view 1 2 In the left pane, right-click System Hierarchy, and then click View > Filter Server Group View. Uncheck the server groups that you want to filter from the server group list.
3 4
55
To change the parent management server of a client by using the Symantec System Center
Drag the client from the old server to the new server.
To change the parent management server of a client manually when the servers are in the same server group 1 2 On the intended parent management server, copy the Grc.dat configuration file from the Symantec AntiVirus folder. On the client computer, paste the Grc.dat file into the C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5 folder. Restart the client.
To change the parent management server of a client manually when the servers are not in the same server group 1 2 On the intended parent management server, copy the Grc.dat configuration file from the Symantec AntiVirus folder. On the client computer, paste the Grc.dat file into the C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5 folder. On the intended parent management server, open the pki\roots folder and copy the xxx.x.servergroupca.cer file. On the client computer, paste the xxx.x.servergroupca.cer file into the pki\roots directory, which appears under the directory that contains the Symantec AntiVirus files. Restart the client.
3 4
57
Note: If you want to add more servers to a server group, and you have archived the private key for the server group, you must copy the server group private key back to the pki\private-keys directory on the primary management server. To move a server to a different group
Drag the server that you want to move into the new server group.
Administrator
Central Quarantine
Read from and write to virus definitions files. Roll out virus definitions updates to a client or server in the server group. Ping machines in the server group.
Users that are assigned to this role are not allowed to lock and unlock the server group by using the Symantec System Center. Gateway Security This role allows the user to ping computers in the server group. Users that are assigned to this role are not allowed to lock and unlock the server group by using the Symantec System Center.
If the Symantec System Center cannot verify the users role, the user account defaults to Gateway Security, the least privileged of the roles. Symantec AntiVirus also provides one preexisting user who is named admin, and who is assigned to the Administrator role. You cannot delete the admin user account or change its user name, but you can change its password. The following restrictions apply to user accounts:
Passwords that you set must be at least six characters long. Account user names must be unique and are not case-sensitive. Passwords are case-sensitive. User names cannot contain spaces. User names cannot contain the following special characters: "/;\-.+':=
Type the user name. Type the password twice. Under Account Type, select the role that you want to assign to the user: Read-only, Administrator, Central Quarantine, or Gateway Security.
5 6
Click OK. Click Finished. The changes are then sent to the secondary management servers in the server group.
To change a user account for a server group 1 2 3 Right-click the appropriate server group. Click Account Management. In the Configure Server Group Accounts dialog box, select a user account name.
59
4 5
Click Update. In the Account Setup dialog box, type a new password twice. Under Account Type, if you want to change the users role, select the new role. If you are only changing the role that is under Account Type, you should leave the password options blank. Click OK. Click Finished.
6 7
To delete a user account for a server group 1 2 3 4 5 6 Right-click the appropriate server group. Click Account Management. In the Configure Server Group Accounts dialog box, select a user account name. Click Delete. Click Yes to confirm the deletion. Click Finished.
Server and client antivirus and security risk protection settings Auto-Protect settings Client group member assignments Primary management server assignments Grc.dat file distribution Virus and security risks definitions file rollbacks
To implement protection and monitor unauthorized configuration changes, you perform the following tasks:
Roll out the access list. Log unauthorized configuration change attempts.
61
Figure 2-1
Read Write Authorized Symantec System Center console Read Only Primary Management Server
Read Only
Read Write
Read Only Unauthorized Symantec System Center console Secondary Management Server
Access List
Registry
Access List
Client
Registry
you need to allow the Symantec System Center to access the server. Delete the value for an address when you no longer require access.
IP subnet
Create a registry script with the information that you want to add to the access list, such as new values to authorize additional computers. Roll out the access list via your preferred distribution tool. Force the Symantec AntiVirus antivirus component to import the access list immediately. See Forcing the access list to reload on page 62.
63
Description
Enables logging. If you record every incident, the following message appears: Access denied to network communication from unauthorized address: <IP address> <port> where:
<IP address> is the IP address of the computer that was denied access. <port> is the port number that the computer attempted to use.
Description
Sets the frequency for logging unauthorized configuration change attempts.
Log AccessDeniedWindowMinutes
0 records every incident. n (in minutes) records all incidents for the next n minutes.
If you record incidents based on a frequency, the following message appears: Access denied to network communication from unauthorized addresses <number> time(s) in the last <number> minute(s). Most recent address: <IP address> <port> where:
<number> is the frequency and the number of minutes. <IP address> is the IP address of the computer that was denied access. <port> is the port number that the computer attempted to use.
The time period after which WSC considers definitions files to be out of date Whether WSC displays antivirus alerts for Symantec products on the host computer
Note: Symantec product status is always available in the Symantec System Center console, regardless of whether WSC is enabled or disabled.
65
administrators might have to wait up to 15 minutes to view an accurate status in WSC. To configure the out-of-date time for definitions 1 2 3 4 Right-click the server group that you want to change. Click All Tasks > Symantec AntiVirus > Client Administrator Only Options. If the prompt for Symantec AntiVirus Management Snap-In appears, click Yes. In the Client Administrator Only Options dialog box, under Windows Security Center, next to Definition of AntiVirus up-to-date, type the number of days, or use the up or down arrow to select the number of days that the virus and security risk definitions can be out of date. The value must be in the range from 1 to 90. Click OK.
If the prompt for Symantec AntiVirus Management Snap-In appears, click Yes.
In the Client Administrator Only Options dialog box, under Windows Security Center, in the Windows Security Center AntiVirus Alerts dropdown list, select one of the following:
Disable WSC does not display these alerts on the Windows system tray. WSC displays these alerts on the Windows system tray. WSC uses the existing setting to display these alerts.
Enable No action
4 5
Click OK. Restart the clients in each server group to make the changes take effect.
67
Skip clients that are late checking in (and are probably offline)
By default, clients are configured to check in for configuration updates every 60 minutes. Configuring clients to be skipped if they are late checking in should result in faster performance during rollouts; if they are not skipped, the thread that is used for each offline client is tied up until it times out. Clients receive the appropriate updates after they check in. Checking this option is not recommended in environments in which multiple clients are offline frequently, such as when many clients use VPN tunnels.
Skip clients that havent checked in since the last failed rollout attempt (and are probably offline)
Enabling this option should increase performance, but is not recommended in environments in which clients might be offline frequently, for example, as when using VPN tunnels.
More frequent rollouts use more network bandwidth and server resources, but result in more frequent updates to the clients. The valid range is 1-10080 (one week).
For information about the option to manage legacy clients and servers, see Managing legacy clients on page 79. To optimize definitions and configuration rollouts 1 2 Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Server Tuning Options. Check or uncheck the following options:
Before attempting rollout, verify that clients havent roamed to another server Skip clients that are late checking in (and are probably offline) Skip clients that havent checked in since the last failed rollout attempt (and are probably offline)
3 4 5
Set the number of threads to use during rollout to a value that is between 1 and 1200. Set the number of minutes to wait between rollouts to a value that is between 1 and 10080. Click OK.
Monitoring clients
Symantec AntiVirus allows you to monitor the following major transitions in the life cycle of a client computer:
The clients initial contact with a parent The times when a client roams from one parent to another
69
The clients failure to check in after a specified amount of time has elapsed The uninstallation of Symantec AntiVirus software from a client
To log whether or not a client checks in with the server that manages it, Symantec AntiVirus compares the last check-in time for each client to a saved value for that client. If the elapsed time is greater than the configured time, the event is logged in the Event Log as a system event. You can specify how often the Symantec System Center notifies you of these system events. For example, you might want to set the minutes of inactivity before logging a no check-in event to 10080 (one week) before Symantec AntiVirus logs an initial event that a client has not checked in. You might then set the minutes between no check-in events to 1440 (one day) and the maximum number of events to log to 7. You are then notified in the Event Log every day for a week if the client does not reappear on the network. For particularly large environments with many thousands of clients that are managed by a single server, you might want to tune the server parameters to regulate its CPU usage. To set options for monitoring clients 1 2 Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Server Tuning Options. On the Client Tracking tab, under Processing Parameters, type the following information:
The number of minutes that Symantec AntiVirus should wait for information from the client. The number of clients that Symantec AntiVirus should process before pausing. The number of seconds that Symantec AntiVirus should pause when it checks clients.
Under Log Client Behavior, type values for the following options:
Minutes of inactivity before logging a no check-in event The number of minutes without client activity that Symantec AntiVirus should wait before it logs the first instance of a clients failure to check in. The maximum number of no check-in events to log per client.
Minutes between no check-in events The number of minutes without client activity to wait before subsequent no check-in events are logged.
Click OK.
71
Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Client Tamper Protection Options. Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Server Tamper Protection Options.
2 3
Check or uncheck Enable Tamper Protection. If you enabled Tamper Protection, then under Protection, in the drop-down list, do one of the following:
To block unauthorized activity, click Block. To log unauthorized activity but allow the activity to take place, click Log Only.
4 5
Check or uncheck Keep Tamper Protection enabled even if Symantec AntiVirus is shut down. Under Notifications, check or uncheck Display message on affected computer.
6 7
If you are configuring Client Tamper Protection Options, lock or unlock each setting as appropriate for your network. If you are configuring Client Tamper Protection Options, or you are configuring Server Tamper Protection Options at the server group level, click Reset All if you want to propagate the settings on this tab to every client that is attached to the server or server group.
Location
Target Pathname
73
The following example illustrates a message that tells you which process attempted to take which action and when:
Date: [DateFound] Process Located At: [PathAndFilename] (Named: [Actor Process Name]) Attacked: [Target Pathname] [Target Process ID]
Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Client Tamper Protection Options. Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Server Tamper Protection Options.
2 3
Under Notifications, check Display message on affected computer and click the lock icon to lock this option. Click Message.
4 5
In the Message box, click to insert a cursor. Use your keyboard to move the cursor, add rows, and type and delete text.
Move the cursor to a position in which you want to insert a field, right-click, click Insert Field, and then select the field to insert. See Table 2-7, Fields for Tamper Protection messages, on page 72. Repeat steps 5 and 6 as necessary. Right-click in the field and use any of the following as necessary: Cut, Copy, Paste, Clear, or Undo.
7 8
2 3 4
In the New Client Group dialog box, type the name for the new client group. The name cannot have more than 15 characters. To apply the settings from an existing client group to the new client group, select the name of the existing client group from the drop-down list. Click Create.
75
Drag the client that you want to move into the new client group. Once you move the client, it receives the new client groups configuration settings.
View a single client group. View information about client groups. Filter the client group view to show only the information that interests you.
Note: Filtering is disabled by default. When you select a client group in the left pane, all of the clients that are assigned to it appear in the right pane. When the Groups folder is selected in the left pane and Default Console View or a Symantec product view is selected from the View menu, the client groups appear in the right pane along with information specific to the view. For example, when the Default Console View is active, the number of clients in each client group appears. The clients must be enumerated to display the client groups accurately. Client group filtering must be enabled in the SSC Console Options Properties dialog box on the Client Display tab for the clients to be enumerated. When you select the Groups folder, the number of clients reported for each client group may not be accurate until a client group is selected. See To filter the client group view on page 77.
77
The client groups appear nested beneath the Groups folder. To filter the client group view 1 On the Tools menu, click SSC Console Options.
In the SSC Console Options Properties dialog box, on the Client Display tab, under Client Group Display Options, check Show client machines when viewing Client Groups. Under Client List Cache Options, check Build client lists when the Server Group is unlocked, if appropriate. This option enumerates all of the clients in the server group when it is unlocked. When this option is unchecked, clients are not added to their client groups until the server is selected. The number of clients in a client group is not accurate until all of the servers in the server group have been selected. This option might affect performance if the server group contains many clients and servers. Under Client Configuration Options, check Indicate when clients are offline to display a unique icon in the Symantec System Center console when a client is not connected to the network. Click OK. On the Action menu, click Refresh.
5 6
Create a new client group and import settings from another client group, if appropriate. See Creating client groups on page 74. Move clients from the old client group to the new client group. See To move a client to a different client group on page 76. Delete the old client group. See Deleting client groups on page 78.
The client checks in with its parent management server. The client is then assigned the servers default settings for unassigned clients. The client is assigned to another client group. The client is then assigned the settings of the new client group.
79
If you delete a client group, and then recreate it before the clients check in with their parent management servers or are reassigned, the clients resume membership in the group automatically. They continue to assume the settings of that group. To delete a client group 1 2 3 4 5 6 In the Symantec System Center console, in the left pane, unlock the server group from which you want to delete the client group. Double-click the server group. Double-click the Groups folder. Right-click the target client group, and then click Delete Group. Click Yes. Click Delete.
Right-click the client group, and then uncheck Inherit settings from Server Group.
Managing clients
You can perform several client management tasks in the Symantec System Center to manage the clients on your network.
this option, you need to restart the server that you configured for the change to take effect. To manage legacy clients 1 2 3 Right-click a server or server group, and then click All Tasks>Symantec AntiVirus>Server Tuning Options. On the Rollout and Management tab, check Allow this server to manage 9.x and earlier clients and servers (requires reboot to take effect). Click OK.
81
3 4 5
3 4
5 6
To change managed clients into unmanaged clients 1 2 3 4 Uninstall Symantec AntiVirus from the client workstation. See the Symantec AntiVirus Installation Guide for more information. Using the registry editor, delete the following subkey: HKEY_LOCAL_MACHINE\Software\Intel\LANDesk\VirusProtect6 Begin to reinstall Symantec AntiVirus client software, and when you are prompted to select managed or unmanaged, select unmanaged. Finish the installation.
Chapter
About the Alert Management System How Alert Management System works Configuring alert actions About configuring alert action messages Configuring a default alert message Working with configured alerts Using the Alert Management System Alert Log Forwarding alerts from unmanaged clients
84 Setting up the Alert Management System How Alert Management System works
Run a program Write to the Windows Event Log Send an SNMP trap Load an NLM
Note: Alerts generated through SNMP traps can be sent to any third-party SNMP management console. To receive SNMP traps from Symantec AntiVirus, you must have the Symantec System Center and AMS2 installed. Install AMS2 on a primary management server if you want SNMP traps generated from that system. You must use the Symantec System Center to designate the primary management server. See Configuring the Send SNMP Trap alert action on page 93.
Configuration change Default Alert Symantec AntiVirus startup/shutdown Scan Start/Stop Risk Repair Failed Risk Repaired Virus Definitions File Update Virus Found
If you have configured an alert for any of these events, when the event occurs it will generate a thread. The thread prompts the Symantec AntiVirus service to create a risk information block, which it forwards to the clients parent management server. When the parent management server receives the risk information block, it enters it into its AMS2 log. The risk information is then forwarded to the primary management server, which makes a call to AMS2. AMS2 enters the information into the AMS2 database and acts on it. The action taken depends on how you have the alert configured.
85
Communication in AMS2 is carried out through CBA, which is part of the Intel Communication Method.
Select an alert in the Alert Actions dialog box. Select the alert action that you want to configure for that alert. The alert action is the response AMS2 sends you when an alert parameter is detected. Configure the alert action that you selected.
For example, you can configure the Send Page alert action to notify you if a virus or security risk is detected on a protected server. The pager message can also include information such as virus or security risk name and type, and actions taken. There are no default alert actions for any of the alerts. Until you configure AMS2, no alerts are generated, though virus and security risk events are logged in the AMS2 log file. You can set up more than one action for each alert. Once you have configured alert actions for an alert, a plus (+) or minus (-) sign appears next to each configured alert, depending on whether the entry is collapsed or expanded. Each AMS2 alert action has its own configuration wizard. Once you have configured an alert action, the action appears in the Alert Actions dialog box under the alert for which you configured the action. All alert actions execute on the computer that you select when you configure the action. Actions will not execute if you configure them on a computer that doesnt support that particular action. For example, any computer that you configure the Send Page action on must have a modem.
This is especially useful if you manage a large network with many different servers, and you want to confine your search to one section of the network, or one specific subnet mask. The process is faster when you limit your search, and alerts are contained in the defined network segment. You can get a faster response across a large network if you limit the network segments. You can specify whether you want AMS2 to discover clients only within a certain octet or subnet mask. To speed up alert configuration 1 2 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Click Options.
In the Options dialog box, in the Add IP address box, type the TCP/IP network broadcast address where you want to search for AMS2 computers. This is the first three segments of the computers IP address followed by an all-inclusive segment. For example, if you enter a search broadcast address of 192.168.0.255, any of the 256 computers with AMS2 in the subnet will receive the broadcast. So if you are searching for an AMS2 computer that has an IP address of 192.168.0.50, you will find it. Click Add to add this net address to the Current discovery broadcast addresses list. Only broadcast networks listed here are searched to discover new AMS2 computers. If you have not specified any broadcast networks, the entire network is searched each time that you start a Discovery.
87
To remove a net address that is no longer needed from the Current discovery broadcast addresses list, select the address, and then click Remove. When you remove a net address from this list, it doesnt disable that section of the network. Removing a net address only prevents AMS2 from searching that section of the network for AMS2 computers. Click OK to save the list and return to the Alert Actions dialog box.
10 Click Finish.
To configure the Broadcast alert action 1 2 3 4 5 6 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions. Click Configure. Click Broadcast, and then click Next. Select a computer to execute the action, and then click Next. In the Message box, type any message text that you want to display and move available parameters you want from Alert Parameters to the Message box. See About configuring alert action messages on page 95. Type an action name. The action name and the action computer name will appear in the Alert Actions dialog box beside this action. Click Finish.
89
5 6 7 8 9
Select a computer to execute the action, and then click Next. Type the full path name to the program that you want to run, including the program name. Type any command-line options that you want the program to use. Select a Windows execution state of normal or minimized. Click Finish.
6 7 8 9
7 8
10 Click Finish.
91
Select your service type. If your paging service is not in the Service drop-down list in the Send Page dialog box, try to use the Standard Numeric or the Standard Alpha/Numeric service. Select the one that most closely matches the type of pager that you use. If the generic service that you select doesnt work with your pager, you must configure the communication parameters that the Send Page alert action needs to use. You can get this information from your paging service. If necessary, do the following:
Click Settings.
In the drop-down lists, select the baud rate, data and stop bits, parity, and the paging protocol that your paging service uses, and then click OK. If your paging service is in the Service drop-down list, these parameters are configured automatically when you select the service. 9 Click Next. If youre creating a message for an alphanumeric pager, in the Message box type any message text you want to display and move available parameters from Alert Parameters to the Message box. See About configuring alert action messages on page 95. If youre creating a message for a numeric pager, you can only type numbers in the Message box. The Send Page alert action supports both alphanumeric and numeric-only pagers (numeric-only pagers are sometimes called beepers). If youre paging an alphanumeric pager, the message can include any text that you type in and information from the alert that generated the message. This message should not exceed the maximum number of characters that your paging service supports; otherwise, you could get a truncated message. If youre paging a numeric-only pager, you may want to create a system of server numbers and numeric error codes that correspond to alerts that you configure. For instance, you could create a system where 1 refers to your main production server and number 101 means some specific event has occurred. If you received the message 1 101, then you would know that the event had occurred on your main production server.
10 Type an action name. The action name and the action computer name appear in the Alert Actions dialog box beside this action. 11 Click Finish.
93
6 7 8
In the right pane, click SNMP Service. On the Action menu, click Properties. On the Traps tab, under Community name, type the case-sensitive community name to which this computer will send trap messages, and then click Add to List. In Trap destinations, click Add.
10 In Host name, IP address, type information for the host, and click Add. 11 Repeat steps 8 through 10 until you have added all the communities and trap destinations you want.
To modify an existing address, select it, and then press Enter. To add a new address, press Insert, type an IP address, and then press Enter. To delete an address, select it, press Delete, and then press Enter to confirm the deletion.
6 7
Press the Esc key to close the dialog box. Press Enter to confirm the change to the database.
Setting up the Alert Management System About configuring alert action messages
95
To configure the Write To Event Log alert action 1 2 3 4 5 6 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions. Click Configure. Click Write To Event Log, and then click Next. Select a computer to execute the action, and then click Next. In the Message box, type any message text that you want to display and move parameters that you want from Alert Parameters to the Message box. See About configuring alert action messages on page 95. Type an action name. The action name and the action computer name appear in the Alert Actions dialog box beside this action. Click Finish.
96 Setting up the Alert Management System About configuring alert action messages
<Severity>
<Source>
<Virus Name>
The Message dialog box includes a text box in which you can enter as many as 256 characters to be used as the text of the message that you want to send. You can use the variables in Alert parameters to insert information generated by the alert. Parameters are delimited by < and > characters. Each parameter placeholder that you add to the Message text box is substituted with corresponding alert information when an alert occurs.
Alerting System Notification
97
Type custom message text that you want to display and move available parameters that you want from Alert Parameters to the Message box.
Click Default to use the default message information for this alert action, and then type custom message text that you want to display. See About configuring alert action messages on page 95.
Click Finish.
Test them to make sure they work as expected. Delete them. Export them to other computers.
In the Alert Actions dialog box, select an alert, and then click Test Action.
99
If the export option cannot export an alert action because the alert for which the action was configured doesnt exist on the target computer (or for any other reason), the Export Status dialog box indicates that the alert action couldnt be exported. Alert actions also may fail to export if the target computers AMS2 installation is not working correctly. To export alert actions to other computers 1 2 3 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Click Symantec AntiVirus Corporate Edition, and then click Export. In the Select Actions dialog box, check the actions that you want to export, and then click Next. To select all configured actions, click Symantec AntiVirus Corporate Edition. In the Select Computers dialog box, check the computers that you want to receive the alert actions that you selected. If the computer you want has AMS2 active on it and it is not in the Available Computers list, click Options. See Speeding up alert configuration on page 85. Click Finish. In the Export Status dialog box, verify that the alert actions were exported successfully, and then click Close.
4 5
6 7
AMS2 is not up or working correctly on the target computer. Verify AMS2 by testing a configured alert action on that computer from the Alert Actions dialog box. The alert for which the action was configured doesnt exist on the target computer. Make sure that the application that registered the alert with AMS2 on the source computer is installed on the target computer.
100 Setting up the Alert Management System Using the Alert Management System Alert Log
Display only the alerts that match the conditions that you specify. Display a specified number of entries.
The Alert Log displays a list of alerts with the following information about each alert:
You can view more detailed information about each alert in the Alert Information dialog box. Each server stores its own copy of the Alert Log locally. When you select a server and view its Alert Log, youre actually retrieving a copy of that servers Alert Log to your local console. Therefore, if that server is not powered on or available, you wont able to retrieve its Alert Log for viewing.
Change the number of entries displayed in the log Delete entries Copy the contents to the clipboard
Setting up the Alert Management System Using the Alert Management System Alert Log
101
Right-click the server group, and then click All Tasks > AMS > View Log.
To change the number of entries displayed in the Alert Log 1 2 In the Alert Log window, right-click, and then click Options. On the Settings tab, specify the maximum number of log entries that you want the log to store. You can independently configure the number of entries that an Alert Log stores on each server.
Right-click the log entry, and then click Delete > Selected Entries.
To delete multiple log entries 1 2 Press Ctrl and select the multiple log entries. In the Alert Log window, right-click, and then click Delete > Selected Entries. To select a range, click the first entry, and then press Shift and click the last entry.
In the Alert Log window, right-click, and then click Delete > Filtered Entries.
102 Setting up the Alert Management System Using the Alert Management System Alert Log
To copy Alert Log contents to the Clipboard 1 2 Press and hold the Ctrl key, and then select the multiple log entries. In the Alert Log window, right-click, and then click Copy. Only the alerts visible in the log are copied. If you want to limit the number of entries that the Alert Log copies to the Clipboard, apply filters to limit the number of visible log entries. See Filtering the Alert Log display list on page 103.
To view the alert information and Action Status 1 2 In the Alert Log window, double-click the alert for which you want to display detailed information. When you finish viewing the alert information, click Close. The computer listed in the Alert Log is the primary management server that recorded the action because it records all events for the Symantec server group. Look at the Alert Information dialog box to see which computer actually generated the alert.
Setting up the Alert Management System Using the Alert Management System Alert Log
103
Alert Severity
Date
To specify which alerts appear in the Alert Log 1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > View Log.
104 Setting up the Alert Management System Forwarding alerts from unmanaged clients
3 4
Select the filters you want to apply to the Alert Log list. Click OK.
Setting up the Alert Management System Forwarding alerts from unmanaged clients
105
To forward alerts to an AMS2 server 1 2 Use a text editor such as Notepad to create a new text file. Add the following lines:
[KEYS] !KEY!=$REGROOT$\Common AMSServer=S<AMSServerName> AMS=D1 !KEY!=$REGROOT$\ProductControl LoadAMS=D1
Type the IP address for the intended AMS2 server. Type the name of the intended AMS2 server (make sure that the client can resolve the server name). Be sure to include the S that precedes <AMSServerName>. Do not include the brackets.
Save the file as Grc.dat to the C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus folder on the client computer. After you create the Grc.dat configuration file, you can copy it to other unmanaged clients. These unmanaged clients then forward alerts to the same AMS2 server.
106 Setting up the Alert Management System Forwarding alerts from unmanaged clients
Section
108
Chapter
About viruses and security risks About Symantec AntiVirus scans Configuring Auto-Protect Configuring manual scans Creating and configuring scheduled scans Managing the client user experience
Detects, removes, and repairs the side effects of viruses, worms, Trojan horses, and blended threats. Detects, removes, and repairs the side effects of security risks such as adware, dialers, hack tools, joke programs, remote access programs, spyware, trackware, and others.
110 Scanning for viruses and security risks About viruses and security risks
Trojan horses
Blended threats
Adware
Hack tools
Joke programs
Other
Scanning for viruses and security risks About Symantec AntiVirus scans
111
Spyware
Stand-alone programs that can secretly monitor system activity and detect passwords and other confidential information and relay it back to another computer. Spyware can be unknowingly downloaded from Web sites, typically in shareware or freeware, or can arrive through email messages or instant messenger programs. Often a user unknowingly downloads spyware by accepting an End User License Agreement from a software program.
Trackware
Stand-alone or appended applications that trace a user's path on the Internet and send information to the target system. For example, the application can be downloaded from a Web site, email message, or instant messenger program. It can then obtain confidential information regarding user behavior.
By default, Auto-Protect scans for viruses, Trojan horses, worms, and security risks when it runs and when you perform a scan of any type. Some risks, such as Back Orifice, were detected as viruses in earlier versions of Symantec AntiVirus. They remain detected as viruses so that Symantec AntiVirus can continue to provide protection for legacy computers.
Auto-Protect scans
Auto-Protect File System scans Auto-Protect email attachment scanning for Lotus Notes, Microsoft Exchange, and Outlook (MAPI and Internet) Auto-Protect scanning for Internet email messages and attachments that use the POP3 or SMTP communications protocols; Auto-Protect scanning for Internet email also includes outbound email heuristics scanning
By default, all types of Symantec AntiVirus scans detect viruses and security risks, such as adware and spyware, and quarantine them and remove or repair their side effects.
112 Scanning for viruses and security risks About Symantec AntiVirus scans
Note: In some instances, you might unknowingly install an application that includes a security risk such as adware or spyware. To avoid leaving the computer in an unstable state, Symantec AntiVirus waits until the application installation is complete before it quarantines the risk. It then repairs the risks effects. You can perform scans on the following:
Individual and multiple Symantec AntiVirus servers and clients Groups of Symantec AntiVirus servers and clients, using server groups
Right-click a server or client, and then click All Tasks > Symantec AntiVirus > Auto-Protect Status.
Scanning for viruses and security risks About Symantec AntiVirus scans
113
114 Scanning for viruses and security risks About Symantec AntiVirus scans
Virus sweep scanning of all Symantec AntiVirus servers and their clients in the selected server groups. Scheduled scanning for the selected Symantec AntiVirus servers. Virus sweep scanning of all Symantec AntiVirus servers and their clients in the selected server group. Scheduled scanning for the Symantec AntiVirus servers in the selected server group. Virus sweep scanning of the selected Symantec AntiVirus servers. Manual scanning of the selected Symantec AntiVirus server. Virus sweep scanning of the Symantec AntiVirus server and all of its Symantec AntiVirus clients. Manual scanning of the Symantec AntiVirus server. Scheduled scanning of the Symantec AntiVirus server or its Symantec AntiVirus clients.
Server group
Single server
Selected Symantec AntiVirus clients for a single Symantec AntiVirus server An individual Symantec AntiVirus client
Manual scanning of the selected Symantec AntiVirus clients that are managed by the Symantec AntiVirus server.
Manual scanning of the selected Symantec AntiVirus client. Scheduled scanning of the selected Symantec AntiVirus client.
Scanning for viruses and security risks About Symantec AntiVirus scans
115
A solid black check mark in a check box A solid black bullet in an option
A dimmed check mark in a dimmed box A blank series of options A blank box
Note: Some options, such as excluding files and folders, are not available when you select multiple computers because the option applies only to a specific computer.
116 Scanning for viruses and security risks About Symantec AntiVirus scans
Server scans: File extensions, drives, files, and folders. Client scans: File extensions, drives, and named folders.
Client scans: File extensions, drives, and named folders. Files by drives and named folders; you cannot exclude files by file extension. Note: If you use the iFolder feature in NetWare 6, you should exclude the iFolder directory from virus scans. The default directory to exclude is sys:\iFolder. Configure this option by using the Server Auto-Protect Options dialog box in the Symantec System Center. See Configuring inclusions and exclusions on page 121.
Scanning for viruses and security risks About Symantec AntiVirus scans
117
Description
Symantec AntiVirus scans all of the files in this folder and also all of the files in subfolders. Symantec AntiVirus scans one or more items that you have selected in the folder or one of the subfolders. Symantec AntiVirus scans the selected file. This is available only from the client or server interface. Symantec AntiVirus does not scan the folder or subitems.
Scan only files of a specific file type or with specific extensions. Exclude from the scan files of a specific file type or with specific extensions.
118 Scanning for viruses and security risks About Symantec AntiVirus scans
You can use the Symantec System Center to set inclusions and exclusions for specific file types and extensions. Scans by file type or extension are available when you select the following objects and scan types:
Client object: Manual scan, scheduled scan, and client Auto-Protect Server object: Virus sweep, manual scan, scheduled server scan, and server Auto-Protect (Windows only)
When you scan by file type, Symantec AntiVirus reads each files header to determine the file type. For example, if you enable document scanning, Symantec AntiVirus scans all documents even if you name them with nonstandard extensions, such as Document3.mlt instead of Document3.doc. Note: The file type option doesnt apply to NetWare servers; it applies only to Windows-based computers. When you scan by file extension, Symantec AntiVirus does not read the file header to determine the file type and scans only files with the extensions that you specify. Table 4-5 describes the recommended extensions for scanning. Note: A question mark (?) in a file extension in Table 4-5 means that the letter in the file extension might vary, depending on the version of the program or application that produces it. Table 4-5 File extension
386 ACM ACV ADT AX BAT BTM BIN CLA
Scanning for viruses and security risks About Symantec AntiVirus scans
119
120 Scanning for viruses and security risks About Symantec AntiVirus scans
Scanning for viruses and security risks About Symantec AntiVirus scans
121
When Symantec AntiVirus applies exclusions, the excluded items are not scanned. If the file is not excluded, it is scanned. For virus sweep, manual, Auto-Protect, and scheduled scans, Symantec AntiVirus takes no action on excluded files.
Enabling and disabling exclusions can improve performance depending on the situation. For example, if you copied a large folder that was in the exclusions list and the exclusions setting was enabled, the copying process would not take as long since the folders contents would be excluded. Files that you exclude appear with various icons in the Symantec AntiVirus tree. See Table 4-4, Tree view icons and their meaning, on page 117. To configure exclusions for scans 1 2 3 4 Open the Scan Options dialog box for the type of scan that you want to configure: Auto-Protect, Manual, Virus Sweep, Scheduled. Click Exclude files and folders. Click Exclusions. Depending on the types and numbers of computers that you are configuring, you can do the following:
Click Extensions and select file extensions to exclude. You can use wildcards when you exclude by extension. Select files to exclude within specific folders by extension or file type. Click Files/Folders or Folders, as available, and select folders to exclude from the scan.
122 Scanning for viruses and security risks About Symantec AntiVirus scans
In the Selected Extensions dialog box, you can do any of the following:
To add your own extensions, type the extension, and then click Add. To add all document extensions, click Documents. To add all program extensions, click Add. To add all extensions and program types, click Use Defaults.
To select files to include in scans by type 1 2 3 In the Scan Options dialog box for the scan that you want to configure, under File Types, click Selected file types. Click Types. In the Selected Types dialog box, select one of the following:
Document files: Scan document files regardless of their extensions. Program files: Scan MS-DOS and Windows program files.
To select files to include in manual scans by folder 1 2 3 4 Right-click the object that you want to scan, and then click All Tasks > Symantec AntiVirus > Start Manual Scan. In the Select Items dialog box, select the folders to scan. Click Options and select the extensions and types to scan for the selected folders. Click OK until the Symantec System Center console appears.
To select files to include in a scheduled scan by folder 1 2 3 4 5 6 7 Right-click the object that you want to scan, and then click All Tasks > Symantec AntiVirus > Scheduled Scans. On the Server Scans tab, in the Server scans list, select a scan. Click Edit. In the Scheduled Scan dialog box, click Scan Settings. In the Select Items dialog box, select the folders to scan. Click Options and select the extensions and types to scan for the selected folders. Click OK until the Symantec System Center console appears.
123
About actions for viruses and security risks that scans detect
Many of the same scan options are available in different types of scans. For example, when you configure manual, scheduled, or Auto-Protect scans, you can assign first and second actions for Symantec AntiVirus to take when it finds viruses and security risks. You can assign individual first and second actions for Symantec AntiVirus to take when it discovers the following:
Macro viruses Non-macro viruses All security risks (adware, spyware, joke programs, dialers, hack tools, remote access programs, trackware, and others) Individual categories of security risks, such as spyware Custom actions for a particular instance of a security risk
For viruses, by default, Symantec AntiVirus first attempts to clean the file. If Symantec AntiVirus cannot clean the file, it moves the file to the Quarantine on the infected computer, denies access to the file, and logs the event. For security risks, by default, Symantec AntiVirus moves any infected files to the Quarantine on the infected computer and attempts to remove or repair the risks side effects. For security risks, by default, Quarantine contains a record of all actions that Symantec AntiVirus performed so that if needed, the computer can be returned to the state that existed before Symantec AntiVirus attempted the removal and repair. If it is not possible to quarantine and repair a security risk, the second action is to log the risk. See Table 4-9, Actions for File System Auto-Protect and manual scans, on page 137.
Configuring Auto-Protect
Configuring Auto-Protect consists of the following tasks:
Changing server Auto-Protect settings for an individual server allows you to push a specific configuration to that server, which overrides settings that are made at the server group level. Resetting server Auto-Protect settings at the server group level allows you to reset previous settings made at the individual server level. Changing client Auto-Protect settings at the parent management server or client group level allows you to push a specific configuration to the clients of that parent management server or client group.
Resetting client Auto-Protect settings at the server group level resets previous settings made at the parent management server or client group level, for all clients. Changing client Auto-Protect settings at the parent management server level changes the settings for clients not assigned to client groups; clients assigned to a client group retain their settings.
Warning: You must lock Auto-Protect options that you want to propagate to clients or the options are not propagated. The buttons in the Auto-Protect Options dialog box affect settings propagation as follows:
Clicking OK propagates the settings that you change. Clicking Reset All propagates all settings in the dialog box, regardless of whether you change or visit them.
125
Table 4-6 describes the Auto-Protect lock icons. Table 4-6 Icon Auto-Protect lock icons What it means
Users can change this setting in the Symantec AntiVirus user interface.
Users cannot change this setting in the Symantec AntiVirus user interface.
To lock or unlock Auto-Protect options 1 In the Symantec System Center console, do one of the following:
To change server Auto-Protect settings, right-click a server group or server, and then click All Tasks > Symantec AntiVirus > Server AutoProtect Options. To change client Auto-Protect settings, right-click a server-group, server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
2 3
In the Auto-Protect Options dialog box, click the lock icon next to the option that you want to lock or unlock to change its current state. Click OK.
Table 4-7 describes the Auto-Protect scan options. Table 4-7 Section or option name
Enable Auto-Protect File types
Available options
Check to enable Auto-Protect. You can configure Symantec AntiVirus to scan all file types, to include files that have only the selected extensions in the scan, or to use SmartScan. The following options are available:
All Types Select this option to scan all files on the computer, regardless of type. Selected Extensions Select this option to scan only the files that have certain extensions. You can add more extensions for programs and documents, if you have files that use extensions that are not already in the list. You can also reset this option to its default value. SmartScan SmartScan scans a specific, configurable group of file extensions that contain executable code, and all .exe and .doc files. SmartScan reads each files header to determine its file type. It scans .exe and .doc files even if the file extensions for the .exe and .doc files are changed by a virus. SmartScan is enabled by default.
Options
Uncheck Scan for Security Risks to stop Auto-Protect from scanning for security risks. Scanning for security risks is enabled by default. Check Exclude selected files and folders to exclude certain files and folders from being scanned by Auto-Protect. Click Exclusions to select the file extensions and paths for folders to exclude.
Drive types
Network If you enable Auto-Protect on network drives, Symantec AntiVirus can scan files as theyre written from a client computer to a server or from a server to another server. This option is not necessary if you enable Auto-Protect on your servers. For example, if you enable the scanning of network drives on client A and also have Auto-Protect enabled on server B, when client A writes a file to a network drive on server B, Symantec AntiVirus scans the file on client A and scans the file again on server B. This could reduce network performance on the client computer. Floppy Symantec AntiVirus can scan files as they are read from or written to floppy disks. Floppy disks are common sources of virus infections because users might bring infected disks from home. CD-ROM If you enable Auto-Protect on CD-ROM drives, Symantec AntiVirus can scan files as they are read from or written to CD-ROM disks.
127
Available options
Click this button to set advanced Auto-Protect scan options, including startup, file cache, backup, and so on. See Configuring advanced File System Auto-Protect options on page 129.
Actions
Click this button to set the kind of actions that you want Symantec AntiVirus to take when it finds a virus or a security risk. See Configuring actions for File System Auto-Protect on page 136.
Notifications
Click this button to set the notifications that you want to appear when Auto-Protect finds a virus or a security risk. See Configuring notifications for File System Auto-Protect on page 142.
Reset All
This option is available only for server Auto-Protect options at the server group level and client Auto-Protect options at the server level. To ensure that all computers use the same Auto-Protect scanning configuration that you set at a higher level, click Reset All when you set the options.
For server Auto-Protect, when you click Reset All at the server group level, the server group settings overwrite any scan options that were previously set at the server level. All options are propagated to all of the servers that belong to the server group. For client Auto-Protect, when you click Reset All at the server group level, the server group settings overwrite any scan options that were previously set at the server and client level. When you click Reset All at the server level, any scan options that were previously set at the client level are overwritten by the server settings.
Right-click the server group or the Symantec AntiVirus servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Server Auto-Protect Options. If you select a server group, the Symantec System Center configures all of the servers that are in the server group. Right-click an individual server or multiple selected servers, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. Right-click the server group or the servers that manage the Symantec AntiVirus clients that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. The Symantec System Center configures all of the clients that are associated with the server or the server group.
Right-click an individual client or multiple selected clients for a server, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
In the Auto-Protect Options dialog box, enable Auto-Protect, set the file types to include, enable or disable scanning for security risks, exclude files by extension and folders, and set drive types, as needed. See Table 4-7, Auto-Protect scan options, on page 126. To set advanced scan options, click Advanced. See Table 4-8, Advanced scan options for File System Auto-Protect, on page 129. To set the actions that you want Symantec AntiVirus to take when it finds macro viruses, non-macro viruses, and individual or categories of security risks, click Actions. See Table 4-9, Actions for File System Auto-Protect and manual scans, on page 137. To set the notifications (messages) that you want to display on infected computers when risks are found, click Notifications. See Table 4-10, Notifications options for File System Auto-Protect and manual scans, on page 142.
129
If you are configuring client Auto-Protect options, click the lock icon next to each Auto-Protect option that you want to lock to propagate the option to clients. If you are configuring Auto-Protect options for a server group, click Reset All to ensure that all of the computers are using the Auto-Protect scanning configuration that you set at this level. See About propagating Auto-Protect settings on page 124. Click OK.
System start Load Auto-Protect when the computers operating system starts and unload it when the computer shuts down. This option can help protect against some viruses, such as Fun Love. If Auto-Protect detects a virus during shutdown, it places the infected file in a temporary Quarantine directory. Auto-Protect then detects the virus on startup and creates an alert notification. Symantec AntiVirus start Load Auto-Protect when Symantec AntiVirus starts.
Note: If you disable Auto-Protect on a computer that has this option set to System start, Auto-Protect still functions briefly each time that the computer restarts until the main Symantec AntiVirus service starts and disables Auto-Protect. Changes requiring AutoProtect reload Changes requiring Auto-Protect reload provides the following options:
Wait until system restart Stop and reload Auto-Protect when the computer restarts. Stop and reload Auto-Protect Stop and reload Auto-Protect immediately.
Table 4-8
Modified (scan on create) Scans files when they are written, modified, or copied. Use this option for slightly faster performance, because Auto-Protect scans files only when they are written, modified, or copied. Accessed or modified (scan on create, open, move, copy, or run) Scans files when they are written, opened, moved, copied, or run. Use this option for more complete file system protection. This option might have a performance impact, because Auto-Protect scans files during all types of file operations. Opened for backup (not applicable to Windows 9x or NetWare) Scans files when they are accessed during a backup operation. Use this option if you havent run a virus check on files that you want to back up. Do not enable this option if you want to bypass Auto-Protect for files that are being backed up. By using this option, you can significantly slow backup operations, because Auto-Protect scans each file that is included in the backup. The setting applies only to files that are backed up. Files that are being restored from a backup are scanned regardless of this setting. For Leave Alone (Log only), delete infected files on creation Enable this option if you want the Modified option or the Accessed or modified option to delete a newly created infected file when you configure Leave alone (log only) as the action. For an existing infected file, Scan on Access and Modify detects the infected file and the Leave alone action applies. The file is denied access and logged, but it is not deleted. When you disable this option, Symantec AntiVirus permits the infected file to be created. Preserve file times Enable this option if you do not want the file system to change the last access time. Preserving the last access time prevents backup software from backing up unchanged files.
131
Table 4-8
Disable file cache Disable the file cache. This option is useful during troubleshooting. Use default file cache size Use the default file cache size setting for desktop computers and use as close to the maximum setting as possible for servers. The default file cache size is based on the computer's operating system and the amount of available disk space. File caching decreases Auto-Protects memory usage and can help you to track problems. Symantec AntiVirus adds a 16-byte entry to the cache index, which remains until Symantec AntiVirus detects a change to the file. Custom file cache entries Select the number of custom file cache entries to include. This option is useful for file servers or Web servers on which you want to cache a large number of files.
Threat Tracer
Threat Tracer provides the following options for identifying the source of network share-based virus infections from computers that run supported Windows operating systems:
Enable Threat Tracer Ensure that this option is checked to use Threat Tracer. Resolve source computer IP address If this option is checked, Symantec AntiVirus looks up and records only the computers NetBIOS name. When it is checked, it also reports who was logged on to the computer at delivery time. This feature is supported on Windows XP systems only. Poll for network sessions every <number> milliseconds Symantec AntiVirus polls once every second (1000 milliseconds) by default. Lower values use greater amounts of CPU and memory, but also increase the possibility that Symantec AntiVirus can record the network session information before the threat can shut down network shares. Higher values decrease system overhead, but also decrease Threat Tracers ability to detect infections. See About Threat Tracer on page 135. Client firewall auto blocks IP address This option applies only to Symantec Client Security, which includes Symantec Client Firewall.
Table 4-8
133
Table 4-8
Check floppies for boot viruses upon access Symantec AntiVirus scans the floppy disk in the floppy drive for boot viruses when the drive is first accessed. When Symantec AntiVirus finds a boot virus, select whether to clean a virus from the boot record or leave it alone. If you click Leave alone (log only), an alert is sent when a virus is detected but no action is taken. Use this option if you want to control the virus cleaning and handling process. Do not check floppies upon system shutdown Symantec AntiVirus skips the scan of any floppy disk in the floppy drive when the computer is shut down normally.
These options are available when you configure Client Auto-Protect Options. You might want to monitor virus-like activities, which are activities that viruses perform when they attempt to infect your files. The listed activities might be legitimate, depending on the work context. You can set each activity to be allowed, not allowed, or to alert the user before the activity is performed.
Low-Level Format Of Hard Disk All information on the drive is erased and cannot be recovered. This type of formatting is generally performed at the factory only. If this activity is detected, it usually indicates an unknown virus at work. This is not an option for NEC PC98xx computers. Write To Hard Disk Boot Records Very few programs write to hard disk boot records. If this activity is detected, it could indicate an unknown virus at work. Write To Floppy Disk Boot Records Only a few programs, such as the operating system Format command, write to floppy disk boot records. If this activity is detected, it could indicate an unknown virus at work. Remove the alert dialog after <number> seconds If you selected Prompt to alert the user for any of the activities, you can set the number of seconds that you want the alert to appear.
Right-click the server group or the Symantec AntiVirus servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Server Auto-Protect Options. If you select a server group, the Symantec System Center configures all of the servers that are in the server group. Right-click an individual server or multiple selected servers, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. Right-click the server group or the servers that manage the Symantec AntiVirus clients that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. The Symantec System Center configures all of the clients that are associated with the server or the server group.
In the Auto-Protect Options dialog box, on the File System tab, click Advanced.
135
In the Auto-Protect Advanced Options dialog box, set the following options:
Startup options Changes requiring Auto-Protect reload Scan files when File cache Threat Tracer Automatic enabler When scanning compressed files (if configuring Server Auto-Protect Options)
Backup options, and additional advanced options, if needed See Table 4-8, Advanced scan options for File System Auto-Protect, on page 129.
If you are configuring Client Auto-Protect Options, in the Monitor dialog box, set one or more of the following options for virus-like activities:
Low-Level Format Of Hard Disk Write To Hard Disk Boot Records Write To Floppy Disk Boot Records Allow, Prompt, or Dont Allow Allow, Prompt, or Dont Allow Allow, Prompt, or Dont Allow
If you selected Prompt for any of the options, check Remove the alert dialog after <number> seconds and type the number of seconds that you want the alert to last. In the Auto-Protect Advanced Options dialog box, when you have finished configuring Auto-Protect Advanced Options, click OK. If you want to propagate all the settings in the dialog box, regardless of whether you changed or visited them, click Reset All. In the Auto-Protect Options dialog box, click OK.
6 7 8
Rtvscan polls every second by default for network sessions, and then caches this information as a remote computer secondary source list. This information, which you can configure in the Auto-Protect Advanced Options dialog box, maximizes the frequency with which Threat Tracer can successfully identify the infected remote computer. For example, a threat may close the network share before Rtvscan can record the network session. Threat Tracer then uses the secondary source list to try to identify the remote computer. Threat Tracer information appears in the Risk properties dialog box, and is available only for the risk entries that the infected files cause. When Threat Tracer determines that the infection came from local host activity, it lists the source as the local host. Threat Tracer lists a source as unknown in the Risk properties dialog box when the following conditions are true:
It cannot identify the remote computer. The authenticated user for a file share refers to multiple computers. This can occur when a user ID is associated with multiple network sessions. For example, multiple computers might be logged on to a file sharing server with the same server user ID.
To record the full list of multiple remote computers that are infecting the current computer, set the HKEY_LOCAL_MACHINE\Software\Intel\LANDesk \VirusProtect6\CurrentVersion\ProtectControl\Debug string value to THREATTRACER X on the current computer. The THREATTRACER value turns on the debug output and the X ensures that only debug output that is related to Threat Tracer appears. You can also add an L to ensure that the logging goes to the <SAV_Program_Folder>\vpdebug.log log file. To ensure that the debug window does not appear, add XW. Use the test virus file Eicar.com, available from www.eicar.org, if you want to experiment with this feature.
137
Table 4-9 describes the options that you can configure for File System AutoProtect and manual scan actions. Table 4-9 Tab
Actions tab
Type of risk
Macro virus Non-macro virus
Clean threat (default first action): Attempts to clean the infected file when a virus is found. Quarantine threat (default second action): Attempts to move the infected file to the Quarantine on the infected computer as soon as it is detected. After an infected file is moved to the Quarantine, no user can execute it until you take an action, such as clean, and move the file back to its original location. Delete threat: Attempts to delete the file. Use this option only if you can replace the infected file with a virus-free backup copy because the file is permanently deleted and cannot be recovered from the Recycle Bin. If Symantec AntiVirus cannot delete the file, detailed information about the action that Symantec AntiVirus took appears in the Notification dialog box and the Symantec AntiVirus Event Log. Leave alone (log only): Denies access to the file, displays a notification, and logs the event. Use this option to take manual control of how Symantec AntiVirus handles a virus. When you are notified of a virus, open the Risk History for the computer, right-click the name of the file, and select one of the following actions: Clean (viruses only), Delete Permanently, or Move To Quarantine.
Type of risk
Security risks
Configure the same actions to take for all security risks. Configure the same actions for a whole category of security risks. Configure individual security risk exceptions to the actions that you set for specific categories.
Other (programs that might pose a You can configure a first action to take and a second action to take if security risk but the first action fails. Actions for security risks include the following: do not fit into Quarantine risk (default first action): Attempts to move any other security infected files to the Quarantine on the infected computer as soon risk categories) as the security risk is detected or completes its installation. Remote Access Symantec AntiVirus removes or repairs any side effects of the Spyware risk, such as deleting registry keys that were added, reverting Trackware registry key values that were changed, and deleting additions to .ini or .bat files. You can restore security risk items that are quarantined to their original state on the system. In some instances, you might need to restart the computer to complete the removal or repair.
Delete risk: Attempts to delete infected files. Use this option only if you can replace the files with a security risk-free backup copy because files are permanently deleted and cannot be recovered from the Recycle Bin. Use this action with caution, because in some cases, deleting security risks can cause applications to lose functionality. If Symantec AntiVirus cannot delete files, detailed information about the actions that Symantec AntiVirus took appear in the Notification dialog box and the Symantec AntiVirus Event Log. Leave alone (log only) (default second action): The risk is left alone and its detection is logged. Use this option to take manual control of how Symantec AntiVirus handles a security risk. When you are notified of a security risk, open the Risk History for the computer, right-click the name of the infected file or files, and select one of the following actions: Delete Permanently or Move To Quarantine.
Note: In some instances, a security risk such as adware or spyware is installed as part of another desired application. Symantec AntiVirus waits until that application installation is complete before it performs the configured action on the security risk so that it does not leave the computer in an unstable state.
139
Type of risk
Available only for security risks
Warning: If you configure Symantec AntiVirus to delete files that are infected by a security risk such as adware or spyware, it cannot restore those files. To back up files that contain security risks such as adware or spyware, configure Symantec AntiVirus to quarantine them. To configure actions for File System Auto-Protect 1 Do one of the following:
Right-click the server group or the Symantec AntiVirus servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Server Auto-Protect Options. If you select a server group, the Symantec System Center configures all of the servers that are in the server group. Right-click an individual server or multiple selected servers, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. Right-click the server group or the servers that manage the Symantec AntiVirus clients that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. The Symantec System Center configures all of the clients that are associated with the server or the server group.
In the Auto-Protect Options dialog box, on the File System tab, click Actions.
In the Actions dialog box, in the tree, select a type of virus or security risk. By default, each security risk subcategory, such as Spyware, is automatically configured to use the actions that are set at the top level for the entire Security Risks category. To configure a category or specific instances of a category to use different actions, check Override actions configured for Security risks, and then set the actions for that category only. See Table 4-9, Actions for File System Auto-Protect and manual scans, on page 137. Select the first and second actions that you want Symantec AntiVirus to take when it detects that category of virus or security risk. For security risks, use the delete action with caution, because in some cases, deleting security risks can cause applications to lose functionality. If you selected a security risk category, click the Exceptions tab to configure custom actions for one or more specific instances of that security risk category. If you are configuring Client Auto-Protect Options, you can lock Exceptions that you configure on the Actions tab. Click Add.
141
In the Select risks dialog box, select the specific risks in the list for which you want to configure custom actions, and then click Next.
In the Configure risks dialog box, select the first and second actions that you want Symantec AntiVirus to take when it detects the specific risks that you selected, and then click Finish.
Repeat step 4 for each category for which you want to set actions (viruses and security risks).
10 Repeat steps 5 through 8 for all security risk categories in which you want to set custom actions for individual risks. 11 Click OK.
Symantec AntiVirus finds a virus or a security risk. Symantec AntiVirus needs to stop a process or service to remove or repair the effects of a virus or security risk.
You can suppress all or some user notifications. On clients, users are notified and processes and services are not terminated automatically by default. This allows users to save data before Symantec AntiVirus initiates actions to remove or repair a virus or security risk. On servers, notifications are turned off and processes and services are terminated automatically by default. Note: Notifications options are the same for File System Auto-Protect and for all types of manual scans with one exception. The Display Auto-Protect results dialog on infected computer option is available only for File System AutoProtect. Table 4-10 describes the notifications options for File System Auto-Protect and manual scans. Table 4-10 Option
Detection options
Description
Check Display message on infected computer to display a message on the computer when a virus or security risk is found. Right-click in the text field to insert new fields or type or edit directly in the field to alter the message. See Table 4-11, File System Auto-Protect and manual scan message fields, on page 143. Uncheck Display Auto-Protect results dialog on infected computer to suppress the dialog box that displays the results on the infected computer when Auto-Protect finds viruses and security risks. This option is available only when you configure File System Auto-Protect.
143
Description
If you check both remediation options, then users are not notified when Symantec AntiVirus needs to terminate a process or application, such as a Web browser, or stop a service on the users computer to complete the removal or repair of a risk. Symantec AntiVirus automatically takes the necessary action without notifying users.
Automatically terminate processes Check this if you do not want users to be notified when Symantec AntiVirus must terminate a process to remove or repair a risk. Automatically stop services Check this if you do not want users to be notified when Symantec AntiVirus must stop a service to remove or repair a risk.
Note: Users will always be notified when a restart is required. They will be allowed to save data and close open applications or to opt out of restarting.
You can construct a custom message to appear on infected computers when a virus or a security risk is found. You can type directly in the message field to add your own text, and you can right-click in the field to select variables. Table 4-11 describes the variable fields that are available for File System AutoProtect and manual scan notification messages. Table 4-11 Field
SecurityRiskName ActionTaken
Status
Filename PathAndFilename
The name of the file that the virus or security risk infected. The complete path and name of the file that the virus or security risk infected. The drive on the computer on which the virus or security risk was located. The name of the computer on which the virus or security risk was found.
Location
Computer
Event LoggedBy
DateFound StorageName
ActionDescription
Right-click the server group or the Symantec AntiVirus servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Server Auto-Protect Options. If you select a server group, the Symantec System Center configures all of the servers that are in the server group. Right-click a server group, an individual server, or multiple selected servers that manage the Symantec AntiVirus clients that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
145
In the Client or Server Auto-Protect Options dialog box, on the File System tab, click Notifications.
In the Notification Options window, under Detection Options, check Display notification message on infected computer if you want a message to appear on the infected computer when a virus or security risk is found. In the message box, do any or all of the following to construct the message that you want:
Click to type or edit text. Right-click, click Insert Field, and then select the variable field that you want to insert. See Table 4-11, File System Auto-Protect and manual scan message fields, on page 143. Right-click, and then select Cut, Copy, Paste, Clear, or Undo.
Under the message box, uncheck Display Auto-Protect results dialog on infected computer if you want to suppress the dialog box that displays results when Auto-Protect finds viruses and security risks.
Under Remediation Options, check each option that you want to set. Your options are as follows:
Automatically terminate processes If checked, Symantec AntiVirus automatically terminates processes when it needs to do so to remove or repair a virus or security risk. Users are not prompted to save data before Symantec AntiVirus terminates the processes. If checked, Symantec AntiVirus automatically stops services when it needs to do so to remove or repair a virus or security risk. Users are not prompted to save data before Symantec AntiVirus stops the services.
Use these options with caution on clients, because users can potentially lose data when Symantec AntiVirus terminates processes or applications or stops services. 7 Click OK.
147
If Symantec AntiVirus needs to terminate a process or application or stop a service, the Remove Risk button is active. When users click Remove Risk, the following message appears:
If Symantec AntiVirus needs to restart the computer to complete the removal or repair, the Reboot button is active. When users click Reboot, the following message appears:
If users click No and close the message box without restarting, the removal or repair will not be complete until the computer is restarted the next time. And finally, if users opt to close the message box without taking an action to complete the removal or repair, the following message appears:
If the user clicks Yes and closes the dialog box without taking any action, the risk can be removed or repaired at a later time in the following ways:
The user can open the Risk History, right-click the risk, and then take an action. The user can run a scan to redetect the risk and reopen the results dialog.
The actions that users can take depend on the actions that are configured for the particular type of virus or security risk that was found.
If the user clicks No, the user is returned to the dialog box so that the user can take the appropriate action.
Click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. Click All Tasks > Symantec AntiVirus > Server Auto-Protect Options.
3 4
In the Auto-Protect Options dialog box, under Options, uncheck Scan for Security Risks. If you selected Client Auto-Protect Options, then lock the option if you want this setting to propagate to clients.
Lotus Notes 4.5x, 4.6, 5.0, and 6.x Microsoft Outlook 98/2000/2002/2003 (MAPI and Internet) Microsoft Exchange client 5.0 and 5.5
When Auto-Protect is enabled for email, attachments are immediately downloaded to the computer that is running the email client and scanned when the user opens the message. If you are downloading a large attachment over a slow connection, mail performance is affected. You may want to disable this feature for users who regularly receive large attachments. Symantec AntiVirus supports email scanning only for Symantec AntiVirus clients. It can coexist on Microsoft Exchange Server 5.0 and 5.5, but does not actually scan the Exchange Server files. See the Symantec Client Security Reference Guide.
149
Note: If Lotus Notes or Microsoft Outlook is already installed on the computer when you perform a client software installation from the Symantec System Center, then Symantec AntiVirus detects the email application and automatically installs the correct Auto-Protect plug-in for it. Both plug-ins are installed if you select a complete installation when you perform a manual Symantec AntiVirus installation. To configure email scanning 1 2 Right-click the server group or the servers to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on the Lotus Notes or Microsoft Exchange tab, check Enable Auto-Protect. You can use the Microsoft Exchange tab to configure Auto-Protect options for both Microsoft Exchange and Microsoft Outlook. To set Auto-Protect options, do any of the following:
Select all types or select file types or extensions to scan. Insert a warning into an email message. Send an email message to the sender of an infected attachment. Send an email message to selected recipients when a virus is detected.
Click Advanced to disable the scanning of compressed files or to change the number of levels of compression to scan when there are compressed files within compressed files, and then click OK. Click Actions to configure the detection and remediation actions you want Symantec AntiVirus to take when it finds a virus or security risk, and then click OK. Actions options are the same as those for File System Auto-Protect. For security risks, use the delete action with caution, because in some cases, deleting security risks can cause applications to lose functionality. See Configuring actions for File System Auto-Protect on page 136. Click Notifications to configure the type of notification you want Symantec AntiVirus to provide users when it finds a virus or security risk, and then click OK. Notifications options are the same as those for File System Auto-Protect, except that the Display Auto-Protect results dialog on infected computer option is not available. See Configuring notifications for File System Auto-Protect on page 142.
7 8
Lock or unlock options as needed. Click Reset All to ensure that all of the computers are using the AutoProtect scanning configuration that you have specified immediately. See About propagating Auto-Protect settings on page 124.
151
POP3 that uses Secure Sockets Layer (SSL) HTTP-based email such as Hotmail and Yahoo! Mail
To configure Auto-Protect scanning for Internet email 1 2 Right-click the server group or the servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on the Internet E-mail tab, check Enable Internet E-mail Auto-Protect. The settings that you choose apply to both the POP3 and SMTP protocols. To set Auto-Protect options, do any of the following:
Select all types, or select file types or extensions to scan. Insert a warning into an email message. Send an email message to the sender of an infected attachment. Send an email message to selected recipients when a virus is detected. Enable the scanning of compressed files. Change the number of levels of compression that you want to scan when there are compressed files within compressed files. Change the POP3 and SMTP ports that are scanned. See Changing the POP3 and SMTP ports that are scanned on page 152. Set outbound mail heuristics. See Enabling outbound email heuristics scanning on page 152. Set options to display a progress notification window when you send email, and to display a tray icon.
5 6
When you have finished setting advanced options, click OK. Click Actions to configure the detection and remediation actions you want Symantec AntiVirus to take when it finds a virus or security risk, and then click OK. Actions options are the same as those for File System Auto-Protect. See Configuring actions for File System Auto-Protect on page 136. Click Notifications to configure the type of notification you want Symantec AntiVirus to provide users when it finds a virus or security risk, and then click OK. Notifications options are the same as those for File System Auto-Protect, except that the Display Auto-Protect results dialog on infected computer option is not available.
See Configuring notifications for File System Auto-Protect on page 142. 8 9 On the Internet E-mail tab, lock or unlock options as needed. Click Reset All to ensure that all of the computers are using the AutoProtect scanning configuration that you have specified immediately. See About propagating Auto-Protect settings on page 124.
5 6 7
153
2 3 4
In the Client Auto-Protect Options dialog box, on the Internet E-mail tab, check Enable Internet E-mail Auto-Protect. Click Advanced. In the Internet E-mail Advanced Options dialog box, check Outbound Worm Heuristics, and then set a first and second action for Symantec AntiVirus to take, or leave the default settings. Click OK. Click Reset All to ensure that all of the computers are using the AutoProtect scanning configuration that you have specified. See Configuring Auto-Protect on page 123.
5 6
154 Scanning for viruses and security risks Configuring manual scans
Full
Custom
Note: If you want to scan all servers and clients in a server group, run a virus sweep or create a scheduled scan instead. See Running a virus sweep on page 212. See Creating and configuring scheduled scans on page 164. Some of the manual scan options are the same as the scan options for AutoProtect scans. Table 4-13 describes the options for manual scans. Table 4-13 Section or option
File types
Available options
You can configure Symantec AntiVirus to scan all file types, to scan by selected extensions, or to scan by selected file types. The following options are available:
All types Select this option to scan all files that are found on the computer, regardless of type. Selected extensions Select this option to scan only the files that have certain extensions. You can add more extensions for programs and documents if you have files that use extensions that are not already in the list. You can also reset this option to its default value. Selected file types Select this option to scan only Microsoft Word, Excel, and other OLE document files, or only MS-DOS and Microsoft Windows application program files.
155
Available options
Select the following options to find viruses and security risks more quickly. These commonly infected locations are scanned before the files and folders that you have selected are scanned. The following options are available:
Scanning program files loaded into memory Scanning common infection locations (load points) Scanning for traces of well-known viruses and security risks
This option applies only to detecting security risks on version 9.x legacy clients. Note: Risks on legacy clients are detected, not repaired. Check this option to exclude certain files or folders from being scanned by AutoProtect. Click Exclusions, and then select one of the following:
Extensions: Exclude files by their extensions. Files/Folders: Exclude folders by their paths.
This option is not available for multiple clients or servers. Note: When you exclude a folder, Symantec AntiVirus cannot protect an infected computer from infected files in the folder. Advanced Click this button to set advanced scan options, including backup, remote, compressed files, and so on. See Table 4-14, Advanced manual scan options, on page 157. Actions Click this button to configure the actions that you want Symantec AntiVirus to take when it detects macro viruses, non-macro viruses, and security risks. See Table 4-9, Actions for File System Auto-Protect and manual scans, on page 137.
156 Scanning for viruses and security risks Configuring manual scans
Available options
Click this button to set CPU utilization options. Set the sliders to configure the scan priority when the computers are idle and not idle. Check Throttle NetWare Load and set its slider, if applicable. For scheduled and manual scans, Symantec AntiVirus allows you to control the scans CPU priority. Giving a scan a lower priority means that the scan takes longer to complete, but also frees the CPU to work on other tasks. You may want to set a lower priority in some situations. For example, if you have scans running at lunch time during the work week, you might want to lower the scan priority to minimize the impact on user productivity. You can specify a scan priority for the following:
Windows computers: Priority differs depending on whether the computer is idle or not idle. The idle setting specifies the priority that is assigned to scans when the computer is idle. The not idle setting specifies the priority that is assigned to scans when the computer is actively working. NetWare computers: Symantec AntiVirus can throttle its load on NetWare servers. A lower load setting means that the server scan takes longer to complete.
Notifications
Click this button to set the detection and remediation options for notifications that you want to appear on the infected computer when Auto-Protect finds a virus or a security risk. See Table 4-10, Notifications options for File System Auto-Protect and manual scans, on page 142.
157
Table 4-14 describes advanced options for manual scans. Table 4-14 Section or Available options option
When scanning compressed files If you check this option, Symantec AntiVirus scans the container, such as Files.zip, and the contents of the container, which are the individual compressed files. Symantec AntiVirus supports a maximum depth of ten levels of nested compressed files for Window computers. NetWare servers are limited to eight levels. Options for scanning compressed files options are as follows:
Windows Symantec AntiVirus scans compressed files during manual, email, and scheduled scans. Because of the significant processing overhead, Auto-Protect does not scan files that are within compressed files on Windows computers. However, the files are scanned as they are extracted from compressed files. NetWare Symantec AntiVirus scans compressed files during Auto-Protect and scheduled scans. To scan the contents of a compressed file, Symantec AntiVirus extracts each file, one file at a time, from the container and copies it to the SYS volume where it is scanned. The SYS volume must have enough space available on the volume to accommodate the largest file in the container.
Note: You cannot stop a scan that is in progress on a compressed file. If you click Stop Scan, Symantec AntiVirus stops the scan only after it has finished scanning the compressed file. Backup options As a data safety precaution, before you attempt to repair a file, check Back up file before attempting repair. This is checked by default. The original virus-infected file is encrypted and then copied into the Quarantine directory. If needed, you can use this unrepaired backup file to return the file to its original, but infected state. Note: Uncheck this option with caution, since it means that files containing viruses are not going to be backed up before repairs are attempted. You might want to turn it off if performance is an issue, for example on a file server, where the files are backed up regularly by other means This setting applies only to virus-infected files, as files quarantined and repaired for security risks and are always backed up regardless of this setting. Remote options Use this option to display a progress dialog box on the computer while the scan runs, to display a progress dialog box on the computer while the scan runs only if a risk is detected, or to not display a progress dialog box on the computer at all. You can also do the following:
Configure the progress dialog box to close automatically when the scan has completed. Allow a user to stop the scan. When this option is enabled, a Stop button appears on the remote computer. When this option is disabled, the scan cannot be stopped from the remote computer.
158 Scanning for viruses and security risks Configuring manual scans
Fine-tune scans of the files that Hierarchical Storage Management (HSM) and offline backup systems maintain. An HSM system migrates files to secondary storage such as CD-ROM, tape jukebox, SAN storage, and so on, but might leave parts of the original file on the disk. Performance and disk space issues arise during scans if Symantec AntiVirus opens all of the stubs and the HSM system places the Note: Does files back on the original disk. For all these options, consult your HSM or backup vendor to select not apply to appropriate settings. Storage migration options are as follows: Windows Open files using backup semantics. 2000 and Skip offline files: If the offline bit is set, Symantec AntiVirus skips the file. A small clock over a later. For files icon in Windows Explorer indicates that the offline bit is set. Any application can set the those offline bit without actually placing the file offline. systems, Storage migration options consult your HMS vendor.
Skip offline and sparse files: Some applications set the file sparse bit to indicate that part of the file is not present on the disk. Some HSM products set this bit and others dont. With a sparse file, a stub of the file remains on the disk, and the majority of the file is moved to offline storage. Skip offline and sparse files with a reparse point (default): Some vendors use reparse points. Applications that use reparse points also use an appropriate device driver to manage reparse points in the files. This is the default setting because it is the most reliable for vendors that use reparse points. With a reparse point, a portion of the file remains on disk, and the remainder is transparently accessed through the device driver. Scan resident portions of offline and sparse files: Symantec AntiVirus identifies resident portions of a file. If the file is sparse, Symantec AntiVirus scans only the resident portion; the nonresident portion remains in secondary storage. Some vendors support this capability. Scan all files, forcing demigration (fills drive): Symantec AntiVirus scans the entire file, which forces demigration from secondary storage if necessary. Because the size of the secondary storage is usually greater than the size of the local volume, this setting might fill the local volume and cause further files that are opened for scanning to fail. Scan all files without forcing demigration (slow): Symantec AntiVirus copies a file from secondary storage to the local hard drive as a temp file for scanning, but the HSM application leaves the original file on the secondary storage. This method is slow and is not supported by all HSM vendors. Because a file is copied from secondary storage to a disk for scanning, resource demand is high. Processor and network performance might further degrade as Symantec AntiVirus detects infected content when a repair or deletion is returned to secondary storage. Scan all files recently touched without forcing demigration: To reduce some of the resource demand issues with the Scan all files without forcing demigration option, this option lets you specify that only files that have been migrated recently and might still reside on faster secondary storage are scanned. You might want to scan files if they still reside on the faster secondary disk, and skip demigration and scanning if the files reside on the slow, long-term storage. For example, files might be migrated to a remote disk after 30 days of no access. After 60 days of no access, the file is migrated to CD-ROM or remote SAN storage. In many cases, this method might still be slow because accessing files without forcing demigration is a relatively slow operation. Select the type of access and the number of days to define recently touched.
159
Check Scan NetWare compressed or migrated files to scan NetWare compressed or migrated files.
Right-click a server or client computer. Select one or more servers that are in the same server group, and then right-click the servers. Select one or more clients that are managed by the same server, and then right-click the clients.
2 3
Click All Tasks > Symantec AntiVirus > Start Manual Scan. In the Select Items dialog box, select the type of manual scan that you want to perform: Quick, Full, or Custom. See Table 4-12, Types of manual scans, on page 154.
If you selected a single computer to scan and select Custom Scan, you can select the drives and folders that you want to scan. If you are scanning multiple computers, this option is not available. Skip to step 6.
160 Scanning for viruses and security risks Configuring manual scans
Click Save Settings if you want Symantec AntiVirus to remember your selections for future manual scans on this computer. Symantec AntiVirus also remembers the settings of the other options for future scans when multiple computers are selected. Click Options.
6
.
In the Scan Options dialog box, you can select file types or extensions to scan, enable scan enhancements, enable security risk scanning for legacy clients, and exclude files and folders from the scan. See Table 4-13, Manual scan options, on page 154. 7 Click Advanced. In the Scan Advanced Options dialog box, you can set options for scanning compressed files, back up files infected by viruses or blended threats before attempting to repair them, set options on the remote computer, set storage migration options for Windows computers, and enable scans of compressed or migrated files on NetWare servers. See Table 4-14, Advanced manual scan options, on page 157. Set the options you that you want, and then click OK to save advanced options.
161
In the Scan Options dialog box, click Save Settings if you want Symantec AntiVirus to remember these options for future manual scans on this computer. Symantec AntiVirus also remembers these settings for future scans when you select multiple computers.
Right-click a server or client computer. Select one or more servers that are in the same server group, and then right-click the servers. Select one or more clients that are managed by the same server, and then right-click the clients.
2 3
Click All Tasks > Symantec AntiVirus > Start Manual Scan. In the Select Items dialog box, select the type of manual scan that you want to perform: Quick, Full, or Custom. See Table 4-12, Types of manual scans, on page 154. Click Options. In the Scan Options dialog box, click Actions.
4 5
162 Scanning for viruses and security risks Configuring manual scans
In the Actions dialog box, in the tree, select a type of virus or security risk. By default, each security risk subcategory, such as Spyware, is automatically configured to use the actions that are set at the top level for the entire Security Risks category. To configure a category or specific instances of a category to use different actions, check Override actions configured for Security Risks, and then set the actions for that category only. See Table 4-9, Actions for File System Auto-Protect and manual scans, on page 137. Select each category of virus and security risk that you want to configure, and repeat step 6 for each. If you selected a security risk category, click the Exceptions tab to configure custom actions for one or more specific instances of that security risk category. Click Add.
7 8
10 In the Select risks dialog box, select the specific risks in the list for which you want to configure custom actions, and then click Next. 11 In the Configure risks dialog box, select the first and second actions that you want Symantec AntiVirus to take when it detects the specific risks that you selected, and then click Finish. 12 Repeat steps 8 through 11 for each individual security risk for which you want to set specific actions. 13 Click OK, and then click Start.
Right-click a server or client computer. Select one or more servers that are in the same server group, and then right-click the servers. Select one or more clients that are managed by the same server, and then right-click the clients.
163
2 3
Click All Tasks > Symantec AntiVirus > Start Manual Scan. In the Select Items dialog box, select the type of manual scan that you want to perform: Quick, Full, or Custom. See Table 4-12, Types of manual scans, on page 154. Click Options. In the Scan Options dialog box, click Notifications. In the Notifications Options window, under Detection Options, check Display notification message on infected computer if you want a message to appear on the infected computer when a virus or security risk is found. In the message box, do any or all of the following to construct the message that you want:
4 5 6
Click to type or edit text. Right-click, click Insert Field, and then select the variable field that you want to insert. See Table 4-11, File System Auto-Protect and manual scan message fields, on page 143. Right-click, and then select Cut, Copy, Paste, Clear, or Undo.
To set Remediation Options, check each option that you want to set. Your options are as follows:
Automatically terminate processes Check this if you do not want users to be notified when Symantec AntiVirus must terminate a process to remove or repair a risk. Users are not prompted to save data before Symantec AntiVirus terminates the processes. Check this if you do not want users to be notified when Symantec AntiVirus must stop a service to remove or repair a risk. Users are not prompted to save data before Symantec AntiVirus stops the services.
Click OK until you return to the Select Items dialog box, and then click Start.
164 Scanning for viruses and security risks Creating and configuring scheduled scans
A Quick Scan is a fast scan of system memory, and all the common virus and security risk locations on the computer. A Full Scan scans the entire computer for viruses and security risks, including the boot sector and system memory. A Custom Scan scans the drives and folders that you select. When you configure client scans, you cannot select individual files and folders to include in the scan.
Enable scan
Make sure that this option is checked so that the scan occurs as you configured it. Determines how often the scan runs. Select Daily, Weekly, or Monthly. Determines the time at which the scan runs. You can type any time in increments of 1 minute, or use the drop-down list to select a time in increments of 15 minutes.
Frequency
When
Scanning for viruses and security risks Creating and configuring scheduled scans
165
To create scheduled scans 1 2 Select one or more servers, groups, or clients. Do one of the following:
If you right-clicked a server group or multiple server groups, click All Tasks > Symantec AntiVirus > Server Scheduled Scans. If you right-clicked an individual server or client, click All Tasks > Symantec AntiVirus > Scheduled Scans. In the <Servername> Scheduled Scans dialog box, on the Server Group Scans tab, click New. In the <Servername> Scheduled Scans dialog box, on either the Server Scans or the Client Scans tab, click New.
166 Scanning for viruses and security risks Creating and configuring scheduled scans
In the <Servername> Scheduled Scan dialog box, type a name for the scan, ensure that Enable scan is checked, and then set the frequency and time at which the scan should run. See Table 4-15, Scheduled scan options, on page 164. Click Advanced to set how to handle missed events, and then click OK. See Table 4-15, Scheduled scan options, on page 164. In the <Servername> Scheduled Scan dialog box, click Scan Settings. Select the type of scan that you want to schedule: Quick, Full, or Custom. In the Select Items dialog box, do one of the following:
5 6 7 8
If you selected multiple servers, clients, or a server group, click Options. If you selected an individual server, select the drives or folders that you want to scan, and then click Options. In the tree view, files and folders appear with various icons. See Table 4-4, Tree view icons and their meaning, on page 117.
In the Scheduled Scan Options dialog box, you can select all types, file types, or extensions to scan, enable and disable scanning enhancements, enable security risk scanning on legacy clients, and exclude files and folders from the scan. If you selected an object that contains multiple computers, you can exclude files and folders from the scan by typing the full path names. The scheduled scan options are the same as the scan options for manual scans. See Table 4-13, Manual scan options, on page 154.
10 Click Advanced. In the Scan Advanced Options dialog box, you can set options for scanning compressed files, back up files that are infected by viruses or blended threats before you attempt to repair them, set options on the remote computer, set storage migration options for Windows computers, and enable scans of compressed or migrated files on NetWare servers. The Advanced scan options are the same as the Advanced scan options for manual scans. See Table 4-14, Advanced manual scan options, on page 157. 11 Under Scheduled Scan Options, click Actions. You can configure the same actions as for File System Auto-Protect and manual scans. See Table 4-9, Actions for File System Auto-Protect and manual scans, on page 137.
Scanning for viruses and security risks Creating and configuring scheduled scans
167
12 Under Scheduled Scan Options, click Throttling. You can configure the same throttling options as for manual scans. See Table 4-13, Manual scan options, on page 154. 13 Under Scheduled Scan Options, click Notifications. You can configure the same notifications as for File System Auto-Protect and manual scans. See Table 4-10, Notifications options for File System Auto-Protect and manual scans, on page 142. 14 Click OK until you return to the main window in the Symantec System Center console.
If a computer does not run a scheduled scan for some reason, you can set options for how Symantec AntiVirus handles this situation. See Setting options for missed scheduled scans on page 167. You can edit, delete, or disable scheduled scans. See Editing, deleting, or disabling scheduled scans on page 168. For convenience, you can run a scheduled scan on demand. This can save you from having to configure a manual scan. See Running scheduled scans on demand on page 169.
If you do not want to use the default setting, you can specify a different time interval in which to attempt a scheduled scan.
168 Scanning for viruses and security risks Creating and configuring scheduled scans
To set options for missed scheduled scans 1 2 3 4 Right-click a Symantec AntiVirus server, server group, client group, or client, and then click All Tasks > Symantec AntiVirus > Scheduled Scans. In the <Servername> Scheduled Scans dialog box, select a scan in the list of scans, and then click Edit. In the <Servername> Scheduled Scan dialog box, under Start Scan, click Advanced. In the Advanced Schedule Options dialog box, click Handle Missed Events Within, and then specify the time interval for reattempting the scheduled scan. Click OK until the main Symantec System Center console window appears.
Client Scans
Select an existing scan, and then click Edit. Change any properties that you want. Select an existing scan, and then click Delete.
Click OK until you return to the Symantec System Center main window.
Scanning for viruses and security risks Creating and configuring scheduled scans
169
To disable scheduled scans 1 Right-click one or more server groups, a server, or a client for which you want to disable the scheduled scan, and then click All Tasks > Symantec AntiVirus > Scheduled Scans. The scans that you can disable depend on the object that you select. In the Scheduled Scans dialog box, select one of the following:
Server Scans Disable scans for servers. This option is not available if you selected a client computer in step 1. Disable scans for clients. This option is not available if you selected a server group in step 1.
Client Scans
3 4
170 Scanning for viruses and security risks Managing the client user experience
Allow users to pause or stop a scheduled scan. Display a scan progress window. See To enable users to stop scans on page 172. Prevent or allow users to unload Symantec AntiVirus services. Change the password that is required before users can uninstall Symantec AntiVirus. Display and customize warning messages that appear on computers when their virus and security risk definitions are outdated or missing. Display and customize a warning message on an infected computer. For example, if users have a spyware program installed on their computers, you can notify them that they have violated your corporate policy and must uninstall the application immediately. Add an infection warning to an infected email message. Notify the sender of an infected email message. Notify others about the receipt of an infected email message.
Scanning for viruses and security risks Managing the client user experience
171
Snoozed scan
Stopped scan
Select a scheduled scan, and then click Edit. Click New to create a new scan.
3 4 5 6 7 8 9
In the Scheduled Scan dialog box, click Scan Settings. In the Select Items dialog box, click Options. In the Scheduled Scan Options dialog box, click Advanced. In the Scan Advanced Options dialog box, under Remote options, click Show scan progress. Uncheck Allow user to stop scan. Check Allow user to pause/snooze scan. Click Pause Options.
172 Scanning for viruses and security risks Managing the client user experience
To limit the number of minutes that a user may pause a scan, check Limit the time this scan may be paused and type a number of minutes. To limit the number of times a user may pause a scan, in the Number of times it can snooze box, type a number between 1 and 8. To display a three-hour snooze button, check Enable the 3 hour snooze button. By default, a user can pause a scan for one hour. You must enable this option to allow a user to pause a scan for three hours.
11 Click OK until the main Symantec System Center console window appears. To enable users to stop scans 1 2 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Scheduled Scans. In the Scheduled Scans dialog box, do one of the following:
Select a scheduled scan, and then click Edit. Click New to create a new scan.
3 4 5 6 7 8 9
In the Scheduled Scan dialog box, click Scan Settings. In the Select Items dialog box, click Options. In the Scheduled Scan Options dialog box, click Advanced. In the Scan Advanced Options dialog box, in the drop-down list, select Show scan progress. Check Allow user to stop scan. If you want to automatically close the scan progress indicator after the scan completes, check Close scan progress when done. Click OK until the main Symantec System Center console window appears.
Scanning for viruses and security risks Managing the client user experience
173
3 4
Change the setting for Lock the ability of users to unload Symantec AntiVirus Services. Click OK.
174 Scanning for viruses and security risks Managing the client user experience
To display a warning about definitions 1 2 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Client Administrator Only Options. On the General tab, under Actions, select one or both of the following:
Display message when definitions are outdated Display message when Symantec AntiVirus is running without virus definitions
3 4
For outdated virus and security risk definitions, set the number of days that definitions can be outdated before the warning is displayed. For missing virus and security risk definitions, set the number of attempts that Symantec AntiVirus can make to retrieve definitions after the computer is restarted, before the warning is displayed. Click Warning Message for each option that you checked, and then customize the default message. Click OK until the main Symantec System Center console window appears.
5 6
Customizing messages for manual scans is covered under manual scans. See Configuring notifications for manual scans on page 162.
Scanning for viruses and security risks Managing the client user experience
175
Name of the file attachment Name of the virus Action taken: cleaned, moved to the Quarantine, deleted, or left alone File status: infected or not infected
You can customize the subject and body of the message. The email message contains a field called [EmailSender]. All fields in brackets contain variable information. You can customize the default message by rightclicking the body of the message and selecting a field to insert into the message. The message would look as follows to the recipient: Symantec AntiVirus found a virus in an attachment from John.Smith@mycompany.com. To add email warnings to infected messages 1 2 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on either the Internet E-mail, Lotus Notes, or Microsoft Exchange tab, click Insert warning into email message. Do one of the following:
Click OK to accept the default message. Click Warning and customize the text.
176 Scanning for viruses and security risks Managing the client user experience
Name of the file attachment Name of the virus Action taken: such as cleaned, moved to the Quarantine, deleted, or left alone File status: infected or not infected
You can also customize this message. To notify senders of infected messages in groupware email applications 1 2 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on either the Lotus Notes or Microsoft Exchange tab, click Enable Lotus Notes (Microsoft Exchange) Auto-Protect. Click Send e-mail to sender. Click Compose. Do one of the following:
3 4 5
Click OK to accept the default message. Click Message and customize the text.
Scanning for viruses and security risks Managing the client user experience
177
To notify senders of infected messages in Internet email applications 1 2 3 4 5 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on the Internet E-mail tab, click Enable Internet E-mail Auto-Protect. Click Send e-mail to sender. Click Settings. In the E-mail Notifications Settings dialog box, on the E-mail Server tab, type the mail server name and port, the user name and password, and the reverse path for the mail. Click the Message tab and type a subject line, message body, and infection information to appear in each message, and then click OK. Click OK until the Client Auto-Protect Options dialog box disappears.
6 7
Name of the file attachment Name of the virus Action taken: such as cleaned, moved to the Quarantine, deleted, or left alone File status: infected or not infected
178 Scanning for viruses and security risks Managing the client user experience
To notify others of infected messages in groupware email applications 1 2 Right-click a server group, Symantec AntiVirus server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on either the Lotus Notes or Microsoft Exchange tab, click Enable Lotus Notes (Microsoft Exchange) Auto-Protect. Click Send e-mail to selected. Click Settings. In the E-mail Notifications Settings dialog box, on the Addresses tab, provide one or more email addresses to which notification should be sent. Click the Message tab and type a subject line, message body, and infection information to appear in each message. Click OK until the Client Auto-Protect Options dialog box disappears.
3 4 5 6 7
To notify others of infected messages in Internet email applications 1 2 3 4 5 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on the Internet E-mail tab, click Enable Internet E-mail Auto-Protect. Click Send e-mail to selected. Click Settings. In the E-mail Notifications Settings dialog box, on the E-mail Server tab, type the mail server name and port, the user name and password, and the reverse path for the mail. Click the Addresses tab and provide one or more email addresses to which notification should be sent. Click the Message tab and type a subject line, message body, and infection information to appear in each message. Click OK until the Client Auto-Protect Options dialog box disappears.
6 7 8
Chapter
Updating definitions
This chapter includes the following topics:
About definitions Ensure that all definitions are current Definitions files update methods Updating definitions files on servers Updating definitions files on clients Controlling definitions file deployment Testing definitions files Scenarios for definitions updates About scanning after updating definitions files
About definitions
Virus and security risks definitions contain sample code for thousands of threats and security risks. When Symantec AntiVirus scans for threats and security risks, it attempts to find matches between your files and sample code that is inside of the definitions. If Symantec AntiVirus finds a match, one or more files might be infected by threats or security risks. Every server and client that runs Symantec AntiVirus has a copy of the definitions. These definitions can become outdated as new viruses and security risks are discovered. Symantec updates definitions about once a week, or more frequently if needed. It is important to keep definitions current to maintain the highest level of protection for your network.
Description
A push operation starts when new virus and security risk definitions are received via the Symantec FTP site or LiveUpdate server by a primary management server on your network. The primary management server passes a definitions package to all of the secondary management servers in the server group. Secondary management servers extract the definitions and place them in the appropriate directory. Clients receive the package from their parent management servers. Clients extract the definitions and place them in the appropriate directory.
181
Description
A scheduled pull operation starts when a client or server that runs LiveUpdate requests new virus and security risk definitions. LiveUpdate may be configured on each computer to request the update from a designated internal LiveUpdate server or directly from the Symantec LiveUpdate server.
Intelligent Updater
Intelligent Updater is a self-extracting executable Use Intelligent Updater when you file that contains virus and security risk definitions need to distribute virus and security files. risk definitions updates to users who do not have active network connections. The Central Quarantine Server periodically polls the Digital Immune System gateway for new virus and security risk definitions files. When new definitions are available, the Central Quarantine Server can push the new definitions to the computers that need it automatically. Use Central Quarantine when you want to automate the distribution of definitions file updates across your network. For information about using Central Quarantine, see the Symantec Central Quarantine Administrators Guide.
Note: 64-bit computers receive definitions files using LiveUpdate. All other methods of updating these files are not supported.
Best practice: Using the Virus Definition Transport Method and LiveUpdate together
You can use the Virus Definition Transport Method and LiveUpdate together. Using the Virus Definition Transport Method allows you to schedule and push virus and security risk definitions updates from the Symantec System Center. In addition, you can use the Virus Definition Transport Method as an emergency system for distributing new virus definitions quickly when the network is threatened by a new virus. Although the Virus Definition Transport Method is used more often, some large networks depend on LiveUpdate. These installations do not permit direct access to the Symantec site by a large number of servers and clients. One or more servers act as an internal LiveUpdate server to all of the other servers on the network, and in some installations, to all clients.
Virus Definition Transport Method LiveUpdate Intelligent Updater Central Quarantine polling
Updating and configuring servers using the Virus Definition Transport Method
Update Symantec AntiVirus servers manually when you need to force an immediate update. Schedule automatic updates to handle routine definitions files updating without requiring further interaction.
Update servers manually or automatically using the Virus Definition Transport Method
You can update servers manually or automatically. Updates occur only when the virus and security risk definitions files on a server are older than the definitions that are available on the LiveUpdate server. To update all unlocked servers in the system 1 In the Symantec System Center console, right-click System Hierarchy, and then click Symantec AntiVirus > Update Virus Defs Now.
183
2 3
In the confirmation dialog box, click Yes. In the status dialog box, click OK.
To update servers manually 1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. Select one of the following:
Update The Primary Server Of This Server Group Only Update Each Server In This Server Group Individually To update all servers in the group from the primary management server To update servers individually
The option that you select affects all of the servers in the server group, whether you right-click a server group or an individual server. 3 4 Click Configure. Click Update Now. A message appears with information about how you can view the date of the new virus and security risks definitions file. Read the information that appears, and then click OK until the Symantec System Center console reappears.
To update servers automatically 1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. Select one of the following:
Update The Primary Server Of This Server Group Only To update all servers in the group automatically from the primary management server To update servers individually
The option that you select affects all servers in the server group, whether you right-click a server group or an individual server. 3 Click Configure.
4 5 6
Ensure that Schedule For Automatic Updates is checked, and then click Schedule. Select options to determine when the definitions file updates (for example, every Tuesday at 10:00 P.M.). Click OK until you return to the Symantec System Center main window.
7 8
Click Update Now to retrieve the definitions file from the master primary management server immediately. Click Schedule For Automatic Updates, and then click Schedule. Set a frequency and time when the server checks for updates on the master primary management server.
Click OK until you return to the Symantec System Center main window.
185
You can designate a NetWare server as the primary management server for your network, or designate a supported Windows computer as the primary management server. If your NetWare servers are running on faster computers or have a higher bandwidth connection than your Windows servers, you can designate a NetWare server as a primary management server for increased performance. NetWare primary management servers must have TCP/IP and FTP running and must be able to connect to the Internet. FTP is enabled by default on NetWare 5.x servers and later. In addition, NetWare environments require a supported Windows computer to run the Symantec System Center console. NetWare servers do not store the addresses of supported Windows servers in their address caches. As a result, if your NetWare server is not running TCP/IP and is not using a domain naming system (DNS) server, you might have difficulty updating a NetWare server from a Windows server that resides in a different server group.
Figure 5-1
Server group A
Client
Client
Client
Client
Client
Client
IP
Server group B
Client
Client
Client
Client
Client
Client
Configure a primary management server to retrieve the latest virus and security risk definitions file updates; you can download through HTTP, FTP, or another computer. Configure primary management server 2 to retrieve the latest update from primary management server 1. This makes primary management server 1 a master primary management server. Symantec AntiVirus servers in server group B receive updates from their primary management server. Clients automatically receive updates from their Symantec AntiVirus parent servers.
187
Figure 5-2 illustrates how you might configure definitions file updates if your organization has multiple sites that are linked over a wide area network (WAN). Figure 5-2 Definitions file updating for multiple sites over a WAN
ftp.symantec.com or Symantec LiveUpdate server
Central region
East region
West region
Server group primary management servers on separate WANs retrieve the update from the Symantec FTP site or LiveUpdate server. Primary management servers distribute the update to primary management servers in other server groups in their local networks. The primary management servers distribute the update to other protected servers and clients in their server group.
For smaller networks (less than 1000 nodes), configure managed servers to directly retrieve updates from the Symantec FTP site, Symantec LiveUpdate server, or an internal LiveUpdate server. For larger networks (greater than 1000 nodes), set up an internal LiveUpdate server, download updates to that server, and have your managed servers retrieve updates from the internal LiveUpdate server.
Update Symantec AntiVirus servers directly from the Symantec FTP site or LiveUpdate server
You can update all of the Symantec AntiVirus servers in a server group from a primary management server, or update each server in the group individually. To update primary management servers 1 2 3 4 In the Symantec System Center console, right-click a server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, click Update The Primary Server Of This Server Group Only. Click Configure. In the Configure Primary Server Updates dialog box, do one of the following:
Click Update Now to launch a LiveUpdate session immediately. Click Schedule For Automatic Updates, and then click Schedule to set a frequency and time when the server runs a LiveUpdate session.
5 6
Click OK. In the Configure Primary Server Updates dialog box, click Source.
189
7 8
In the Update definition file via list, click LiveUpdate (Win32)/ FTP(NetWare). Click OK until you return to the Symantec System Center main window.
To update individual servers 1 2 3 4 5 6 In the Symantec System Center console, right-click a server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, click Update Each Server In This Server Group Individually. Click Configure. In the Configure Server Updates dialog box, click Source. Click LiveUpdate (Win32)/FTP (NetWare). Click OK. If you are configuring a NetWare server, make sure that the server is running FTP. Do one of the following:
Click Update Now to launch a LiveUpdate session immediately. Click Schedule For Automatic Updates, and then click Schedule to set a frequency and time when the server runs a LiveUpdate session.
Click OK until you return to the Symantec System Center main window.
To update servers from an internal LiveUpdate server 1 2 3 In the Symantec System Center console, right-click a server group, and then click All Tasks > LiveUpdate > Configure. In the Configure LiveUpdate dialog box, click Internal LiveUpdate Server. Set the following internal LiveUpdate server options:
Name The name of the server. This name will appear when you run LiveUpdate. This box is optional. You can type descriptive information that is related to the server. For example, you can type the name of the site. The logon name that is associated with the server. Leave this box blank so that users can log on and retrieve the files without typing information. The logon password that is associated with the server. Leave this box blank so that users can log on and retrieve the files without typing information.
Location
Login Name
Login Password
URL or IP Address
If you are using the FTP method (recommended), under Type, you can click FTP, and then type the FTP address for the server. For example: ftp.myliveupdateserver.com If you are using the HTTP method, under Type, you can click HTTP, and then type the URL for the server. For example: http:\\myliveupdateserver.com or 192.168.133.11\Export\Home\LUDepot If you are using the LAN method, under Type, you can click LAN, and then type the server UNC path name. For example: \\Myserver\LUDepot In the Login box, type the name and password to access the server.
If you leave the Login Name and Login Password boxes empty, an anonymous logon is used. This requires that anonymous logons be enabled on the FTP server. If your policy prohibits anonymous logons on FTP servers, type the logon name and password for the FTP server and directory to be accessed. 4 Click OK until you return to the Symantec System Center main window.
191
To install the virus and security risk definitions files 1 2 Locate the Intelligent Updater file that you downloaded from Symantec. Double-click the file and follow the on-screen instructions.
When to use
Use when you want to stagger updates for multiple computers to minimize the impact on network traffic. By default, Symantec AntiVirus randomizes LiveUpdate sessions to minimize bandwidth spikes.
Plus or minus a specified number of minutes of the scheduled time Any day of the week within a specified time interval Any day of the month plus or minus a specified number of days of the scheduled date
Determines how missed LiveUpdate events are handled. An event might be missed if a computer is turned off when the LiveUpdate session is scheduled to run. You can set options so that scheduled LiveUpdate events that were missed run at a later time.
Use to ensure that computers that are unavailable for a regularly scheduled LiveUpdate event attempt to pull definitions at a later time.
193
2 3 4 5 6 7
To randomize the LiveUpdate schedule for clients 1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, check Schedule Client For Automatic Virus Definition Updates Using LiveUpdate. Click Schedule. Set the frequency and time when the clients will check for updates. Click Advanced. In the Advanced Schedule Options dialog box, under Randomization Options, check the options that you want, and then set the minutes, day of the week, or day of the month options. Click OK until you return to the Symantec System Center main window.
2 3 4 5 6
To handle missed LiveUpdate events for servers 1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, click Configure. Click Schedule for Automatic Updates. In the Configure Primary Server Updates dialog box or the Configure Server Updates dialog box, click Schedule. In the Virus Definition Update Schedule dialog box, click Advanced. In the Advanced Schedule Options dialog box, check Handle Missed Events Within. Set the time limit within which you want the scan to run. For example, you might want a weekly LiveUpdate event to run only if it is within three days after the scheduled time for the missed event. Click OK until you return to the Symantec System Center main window.
2 3 4 5 6 7
To handle missed LiveUpdate events for clients 1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, click Schedule Client For Automatic Virus Definition Updates Using LiveUpdate. Click Schedule. In the Virus Definition Update Schedule dialog box, click Advanced. In the Advanced Schedule Options dialog box, check Handle Missed Events Within. Set the time limit within which you want the scan to run. For example, you may want a weekly LiveUpdate event to run only if it is within three days after the scheduled time for the missed event. Click OK until you return to the Symantec System Center main window.
2 3 4 5 6
195
Virus Definition Transport Method LiveUpdate Intelligent Updater See Updating servers with Intelligent Updater on page 191. Central Quarantine polling See About using Central Quarantine polling to update servers on page 192.
To update clients using LiveUpdate 1 2 3 4 5 In the Symantec System Center console, right-click a server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, check Schedule Client For Automatic Updates Using LiveUpdate. Click Schedule. In the Virus Definition Update Schedule dialog box, select the frequency, day, and time that you want the update to occur. Click OK until you return to the Symantec System Center main window.
To update clients using both the Virus Definition Transport Method and LiveUpdate 1 2 3 4 5 6 7 8 9 In the Symantec System Center console, right-click a server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, check Update Virus Definitions from Parent Server. Check Schedule Client For Automatic Updates Using LiveUpdate. Click Schedule. In the Virus Definition Update Schedule dialog box, select the frequency, day, and time that you want the update to occur. Click OK. Click Settings. In the Update Settings dialog box, set the frequency with which the parent management server pushes updates. Click OK until you return to the Symantec System Center main window.
197
Warning: Updating a large number of clients immediately can result in slow performance. Once you start this operation, you cannot cancel it. Do not use this feature to update definitions files during a virus outbreak. See Handling a virus outbreak on your network on page 211.
To update one or more clients immediately with LiveUpdate 1 In the Symantec System Center console, right-click one or more clients in the right pane, and then click All Tasks > Symantec AntiVirus > Update Virus Defs Now. If you selected more than the administrator-specified number of clients, in the confirmation dialog box, select one of the following:
Yes
Cancel If a client is configured to update using the Virus Definition Transport Method, Symantec AntiVirus prompts you to allow LiveUpdate to run. 3 Click OK in the status dialog box.
For information on configuring LiveUpdate for unmanaged Symantec AntiVirus clients, see the LiveUpdate Administrators Guide. To configure a managed Symantec AntiVirus client to use an internal LiveUpdate server 1 2 3 4 Right-click a parent management server or a server group, and then click All Tasks > LiveUpdate > Configure. In the Configure LiveUpdate dialog box, click Internal LiveUpdate Server. If you are using an FTP or HTTP server, type the appropriate data in the Login Name and Password boxes. In the Connection box, type one of the following:
The Universal Naming Convention (UNC) path to your shared folder The URL or IP address for your FTP or HTTP server LAN FTP HTTP
6 7
To configure individual clients to use an internal LiveUpdate server as well, check Apply settings to clients not in Groups. Click OK until you return to the Symantec System Center main window. If you are using multiple parent management servers, repeat steps 1 through 7 for each parent management server so that all Symantec AntiVirus clients and servers receive the changes.
199
You can enable Continuous LiveUpdate by using the Symantec System Center. You can also enable Continuous LiveUpdate by changing the client registry.
2 3
Description
Disable or enable Continuous LiveUpdate. Specify the age (in days) that the definitions can be before Symantec AntiVirus runs a silent LiveUpdate. Specify the interval (in minutes) to check for old definitions.
AdminForcedLUCheckInterval
Description
Set the startup delay time (between 10 and 180 minutes) of the Continuous LiveUpdate feature. This delay time is valid only if the feature is enabled. The actual delay time is a random number between 8 and n+8 where n is the value in the registry key. The default value is 30 minutes.
Note: Set the MaxDefsDaysOldAllowed value to 8 days or higher. Lower settings may cause problems if you need to perform a definitions rollback, since the age of the definitions files that you want to roll back to may exceed the maximum number of days that Continuous LiveUpdate allows before forcing an update.
To set LiveUpdate usage policies 1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, do one of the following:
Check Do Not Allow Client To Modify LiveUpdate Schedule to prevent the LiveUpdate schedule from being modified on the client. (Schedule Client For Automatic Updates Using LiveUpdate must be checked or this box is dimmed.) When this option is unchecked, LiveUpdate can run on the client at any time. Uncheck Do Not Allow Client To Manually Launch LiveUpdate to prevent LiveUpdate from being manually launched on the client. When this option is unchecked, LiveUpdate can run on the client at any time.
201
Verify the version numbers of definitions files on servers. See Verifying the version number of definitions files on page 201. View the risk lists on servers and clients. See Viewing the risk list on page 202. Roll back to a previous definitions file (network-wide). See Rolling back definitions files on page 202.
If new definitions files are causing false positives or other problems for a server, you can verify the version number of the definitions file on that computer and then deploy an earlier definitions set from the Symantec System Center console. All servers and clients in that server group will roll back to the specified definitions file. You can also control the version of the definitions file that is used on all servers and clients in a server group. Users who download a definitions file that was not approved for company use can be forced to use the virus and security risks definitions file that you specify. Because you can easily undo a definitions file rollout, you can release new definitions files in less time.
Expand the server, server group, or client group and look for warning icons.
In the Symantec System Center console, right-click a server group, client group, Symantec AntiVirus server, or client, and then click Properties. On the Symantec AntiVirus tab, in the Virus Definitions box, the file version is listed as a numerical date, followed by a version number. After a definitions file is updated on a computer, it might take several minutes before the information is available from the console.
203
4 5 6
In the Select Virus Definition File dialog box, select the definitions file that you want to roll back to, and then click Apply. Click Yes to change the current file. Click OK until you return to the Symantec System Center main window.
At Company A, the administrator downloads the new virus and security risk definitions file from the Symantec FTP site or Symantec LiveUpdate server to a primary management server on the test network. He tests the definitions file. When testing is completed, he copies the definitions file to the master primary management server on his production network. He has configured other primary management servers so that they retrieve the update from the master primary management server. All of the other connected computers use the Virus Definition Transport Method. Secondary management servers retrieve the update from their primary management server. Clients retrieve the update from their parent management server. At Company B, the administrator downloads the virus and security risk definitions file from the Symantec FTP site or Symantec LiveUpdate server to a test network. She tests the definitions file. When testing is completed, she downloads the new definitions file from the Symantec FTP site or Symantec LiveUpdate server to the internal LiveUpdate server on her production network. Some low-risk users are allowed to go outside of the firewall. When LiveUpdate runs on their computers, the definitions file is downloaded directly from the Symantec FTP site or Symantec LiveUpdate server.
Chapter
Creating and reviewing a virus outbreak plan. See Creating a virus outbreak plan on page 206. Defining Symantec AntiVirus actions for handling viruses. See Defining Symantec AntiVirus actions for handling suspicious files on page 208. A strategy for handling virus outbreaks includes the following:
Enable virus alerts and messages. See Using virus alerts and messages on page 211.
Run a virus sweep of your network. See Running a virus sweep on page 212. Track viruses using logs. See Tracking virus alerts using Event Logs and Histories on page 212. Use the Central Quarantine Console to track infected computers on your network, and submit suspicious file samples to Symantec Security Response for analysis and cure. See Tracking submissions to Symantec Security Response with Central Quarantine Console on page 213.
Prepare a network topology map so that you can systematically isolate and clean computers by segment before you reconnect them to your local network. Your map should contain the following information:
Server names and addresses Client names and addresses Network protocols Shared resources
207
What security programs are protecting network servers and workstations? What is the schedule for updating definitions? What alternative methods of obtaining updates are available if the normal channels are under attack? What log files are available for tracking viruses on your network?
In the event of a catastrophic virus infection, you may need to restore servers and clients to be sure that your network has not been compromised. Having a backup plan in place to restore critical computers is essential. Blended threats such as worms can travel via shared resources without user interaction. When you respond to an infection by a computer worm, it can be critical to isolate the infected computers by disconnecting them from the network. Symantec AntiVirus logs are a good source of information about viruses on your network. If you can identify a virus from the logs, you can use the Symantec Security Response Virus Encyclopedia to learn how to remove the virus. If you cannot identify a suspicious file as a virus by examining the logs, and the latest virus definitions files do not clean the file, go to http:// securityresponse.symantec.com and look at the Latest Virus Threats and Security Advisories areas for news.
Symantec AntiVirus attempts to repair the file. If the file cannot be repaired with the current set of definitions files, the infected file is moved to the Quarantine on the local computer. In addition, the Symantec AntiVirus client makes a log entry of the risk event in its log. The Symantec AntiVirus client data is forwarded to a primary management server. You can view log data from the Symantec System Center console.
You can perform the following additional actions to complete your virus handling strategy:
Define different repair actions based on virus type. For example, you can have Symantec AntiVirus automatically fix macro viruses, but ask what action to take when a program file virus is detected. Assign a backup action for files that Symantec AntiVirus cannot repair, such as deleting the infected file. See About actions for viruses and security risks that scans detect on page 123. See Configuring actions for File System Auto-Protect on page 136. Receive virus alerts, such as a page or email message, if you are using AMS2. See About the Alert Management System on page 83. Configure the local Quarantine to forward infected files to the Central Quarantine. You can configure the Central Quarantine to attempt a repair based on its set of virus definitions (which may be more up-to-date than the definitions on the local computer), or automatically forward samples of infected files to Symantec Security Response for analysis. For more information, see the Symantec Central Quarantine Administrators Guide.
209
Table 6-2 lists the possible Quarantine purge settings. Table 6-2 Subkey name
QuarantinePurgeEnabled QuarantinePurgeAgeLimit
Description
Disables/enables purge Specifies the maximum number of days to keep a file in the Quarantine directory Sets the frequency value for purging: 0=Days, 1=Months, 2=Years Disables/enables purging backup files Specifies the maximum number of days to keep a backup file in Quarantine Sets the frequency value for purging backup files: 0=Days, 1=Months, 2=Years Disables/enables purging repaired files Specifies the maximum number of days to keep a repaired item in Quarantine Sets the frequency value for purging repaired files: 0=Days, 1=Months, 2=Years
QuarantinePurgeFrequency
BackupItemPurgeEnabled BackupItemPurgeAgeLimit
0/1 n
BackupItemPurgeFrequency
RepairedItemPurgeEnabled RepairedItemPurgeAgeLimit
0/1 n
RepairedItemPurgeFrequency
5 6
211
To configure actions for new definitions 1 2 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Quarantine Options. Under When new virus definitions arrive, select one of the following actions:
Automatically repair and restore silently Repair silently without restoring Prompt user Do nothing
3 4
AMS2: If configured, Symantec AntiVirus clients can send risk events to an AMS2 server. You can configure AMS2 servers to send alerts to a pager, email address, and other notification mechanisms. See About the Alert Management System on page 83. Custom messages: From the Symantec System Center console, you can have a custom message appear on Symantec AntiVirus clients when they encounter a suspicious file. See Customizing and displaying warnings on infected computers on page 174.
2 3
213
Chapter
About roaming clients Roaming client components How roaming works Implementing roaming Command-line options Registry values
Automatically identify its best parent management server, based on speed and proximity, and become a managed client of that parent management server. For example, when a mobile user who is based in New York travels to California, the roaming client detects the new network address and reassigns the users laptop to the best parent management server. Connect to the nearest appropriate parent management server whenever its network address changes. Connect to a different parent management server if the current parent management server becomes unavailable. Periodically recheck for the nearest parent management server to adjust for changes in servers and server load. Attempt to balance the load among a pool of equivalent servers when selecting a parent management server.
Automatically identify the best parent management server when the client connects to the network (for unmanaged clients that are converted to managed clients). For example, a corporation may have a distribution center for new computers. Administrators enable roaming on the computers before they are sent to branch offices. This entails specifying all of the possible roam servers for the new computers. When end users connect the new computers to the network, Symantec AntiVirus automatically assigns the best parent management server.
List of level 0 servers Lists the level 0 of servers that are available as possible roam servers for a specific roaming client. Roaming clients store this data in their registries. See Analyzing and mapping your Symantec AntiVirus network on page 218. See Creating a list of level 0 Symantec AntiVirus servers on page 219. Hierarchical list of servers Lists all roam servers, grouped by hierarchical level. Roaming servers store this data in their registries. See Analyzing and mapping your Symantec AntiVirus network on page 218. See Creating a hierarchical list of Symantec AntiVirus servers on page 220. Roamadmn.exe Sets up Symantec AntiVirus servers for roaming access. See Configuring additional roaming client support for roam servers on page 223. SavRoam.exe Provides roam server data to roaming clients. See Configuring roaming client support options from the Symantec System Center console on page 220.
217
One or more lists of level 0 servers A hierarchical list of the servers that you want to support roaming clients
Roaming clients store the level 0 list in their registries, and use it to identify the servers to which they should attempt to connect. To implement roaming on your network, start by preparing one or more lists of level 0 servers, and the hierarchical list of servers. After you roll out this data, roaming clients work in the following manner:
SavRoam.exe launches on the Symantec AntiVirus client during startup, and selects the best Symantec AntiVirus server, based on registry values and server feedback. The selected server provides the client with a list of servers at the next level in the network hierarchy. SavRoam loops through the network hierarchy until no lower level exists. The final server becomes the clients new parent management server, and immediately pushes a full configuration to the roaming client. SavRoam runs the following checks at regular intervals:
Checks for the availability and response time of its parent management server. If its parent management server is unavailable or another parent management server can provide better performance, SavRoam connects the client with a new best parent management server on the network. Checks for the computers network address. If the address has changed, it connects to the new best parent management server. If the client was previously assigned to a different parent management server, SavRoam attempts to delete itself from the old parent after it checks in with the new parent.
Implementing roaming
To implement roaming, you must complete the following tasks:
Analyze and map your Symantec AntiVirus network. Identify servers in each region that point roaming clients to the next level of roam servers. Create a list of level 0 servers for roaming clients.
Create a hierarchical list of all roam servers, layered hierarchically. Configure roaming client support for roaming clients and servers from the Symantec System Center console. Configure additional roaming client options for roaming clients in the registry. This task is optional. Configure additional roaming client options for roam servers in the registry. This task is optional.
Level 0
EuropeSvr EUROEastSvr
Level 1
EUROWestSvr
219
<local> indicates to the client that this is the level 0 of servers that the client should attempt to contact when searching for a roam server. <type of server> is the server type, such as parent server. <level> is 0. <server list> is the list of servers, which are separated by commas. (Spaces between the commas are optional.)
For example, the clients server list text file that corresponds to Figure 7-1 is as follows: <local> Parent 0 USASvr,EuropeSvr,AsiaSvr This is the only line in the server list for the roaming clients in this example. The list tells the clients to contact and compare response time from these three servers only. Depending on which server is best, the client continues its search down the list into one of the three continents.
<computer> is the host name of the server. <type of server> is the server type such as parent server. <level> is the level that is specified in the server list text file. <server list> is the list of servers, which are separated by commas. (Spaces between the commas are optional.)
For example, in the enterprise map in Figure 7-1, the USA branch would have the following server list: USASvr Parent 1 USAWestSvr,USAEastSvr
Configuring roaming client support options from the Symantec System Center console
You can configure roaming client support options from the Symantec System Center console. You can configure options at the following levels:
Once you set the options, Symantec AntiVirus pushes them to the Symantec AntiVirus clients based on the selected level. To configure roaming client support options from the Symantec System Center console 1 In the Symantec System Center console, right-click the server group, Symantec AntiVirus servers, client group, or Symantec AntiVirus clients that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Roaming Options.
221
If you select a server group, the Symantec System Center will configure all of the clients that are in the server group. If you select a client group, the Symantec System Center will configure all of the clients that are in the client group.
Enable roaming on clients on which the Symantec AntiVirus roam service is installed. Set the number of minutes that a client waits before it validates that its parent management server is available. The default setting is 120 minutes. Set the number of minutes that a client waits before it checks for a closer parent management server. The default setting is 60 minutes. Set the number of times that a client checks each server to determine the average number of seconds required to contact it. The client then uses this sampling to determine how close a server is to the client. The default setting is 7 times. Set the number of seconds that a client that cannot find a new parent management server waits before retrying to connect to a new parent management server. The default setting is 30 seconds.
Loadbalance
To specify load balancing among servers, use an equal sign (=) between the servers. For example: MiamiSvr=AtlantaSvr=RichmondSvr To specify failover servers, Use a greater than symbol (>) in the hierarchical list of servers. For example: MiamiSvr>AtlantaSvr>RichmondSvr Click OK.
Configuring roaming on each roaming client Adding level 0 server data to the registry of each roaming client
223
Optionally configure additional load balancing, failover, and alternate Symantec AntiVirus servers. For legacy servers, roll out the hierarchical list of servers to each roam server using RoamAdmn.exe, which is located on Disk 1 in the Tools folder. See Configuring roaming client support options from the Symantec System Center console on page 220.
where <serverlist.txt> is the name of the hierarchical server list that you created.
Data
USAWestSvr,USAEastSvr EUROEastSvr,EUROWestSvr JapanSvr,KoreaSvr
Command-line options
Table 7-3 describes the command-line options that can be used with SavRoam.exe and RoamAdmn.exe. You must have local Administrator rights to use command-line options. Table 7-3 Option
/h
225
Registers and starts the roaming client service. The service runs until the computer is turned off. <path> is the path to the folder in which you want to copy SavRoam.exe. <new service name> is SavRoam.exe. <new exe name> is SavRoam.exe.
Finds and sets the nearest appropriate parent for the parent server. Verifies that the parent management server is running. Disconnects the client from the parent management server. Provides the average amount of time that it takes to contact each specified server. <elapsed-time-in-seconds> is the number of seconds to allow the process to run. <delta-time-in-milliseconds> is how often to contact the server in milliseconds. For example, 10,000 would cause the client to contact the server every ten seconds. <servers> is the list of servers to be contacted. Separate server names with commas. Do not include spaces between server names or commas.
Registry values
You can edit the roaming registry values using a registry editor such as Regedit or Regedt32. The agent behavior is controlled by the registry keys under the following path: HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\ CurrentVersion\ProductControl Table 7-4 describes the registry values for roaming clients. Table 7-4 Registry value
CheckForNewParentIntervalInSeconds
CheckParentIntervalInMinutes
RoamClient
Chapter
About Histories and Event Logs Working with Histories Forwarding client and server logs Deleting Histories and Event Logs
View data at the server group, server, or individual managed workstation level. In addition, each Symantec AntiVirus client stores its own Event Log data locally. The data is viewable from the Symantec AntiVirus client user interface. Sort and filter History and Event Log data. Perform actions that are based on History and Event Log data. For example, if a Risk History displays a found virus, you can perform actions such as repairing the infected file or moving it to the Central Quarantine. Export data to Microsoft Access (as an .mdb file) or in comma-separated value (.csv) format. Remove History and Event Log data.
228 Working with Histories and Event Logs About Histories and Event Logs
Table 8-1 describes the Histories and Event Logs that Symantec AntiVirus provides. Table 8-1 Name
Event Log
Description
Provides the following information:
Symantec AntiVirus startups and shutdowns Scans that were started, stopped, or aborted Configuration changes User name and domain that authenticated the user Virus and security risk definitions updates Viruses and security risks that were found and repaired Items that were forwarded to the Central Quarantine Items that were forwarded to Symantec Security Response
Scan History
Provides information about scans that have run or are running on Symantec AntiVirus clients at the server group, server, or individual workstation level. Specify a time range to filter the view. For example, you might want to view only those scans that ran within the last seven days. Lists all viruses and security risks that were detected for selected computers or server groups. You can select a virus or security risk item in the list and perform additional actions, such as Delete or Move To Quarantine. Risk History shows many details about each virus and security risk that was detected, including the following:
Risk History
The name and location of the infected files The name of the infected computer The first and second actions that were configured for the detected virus or security risk The action that was taken on the virus or security risk User name and domain that authenticated the user
You can click on the link in the security risk item to access detailed information about it at the Symantec Security Response Web site. Since security risks often involve many types of objects and files, this log contains a summary line for security risks. You can view more details by looking at the Risk properties. See Viewing Risk properties on page 239. Tamper History Provides information about the attempts to tamper with Symantec applications that Tamper Protection thwarted for servers and clients. Tamper History shows details about each attack, including the name of the user and the domain that authenticated the user. Server groups Individual servers Individual clients
Working with Histories and Event Logs About Histories and Event Logs
229
Description
Includes information about previous virus sweeps for servers or server groups.
Note: When a Symantec AntiVirus parent management server receives client Event Logs from different time zones, the server adjusts the client time stamps to correspond to the Symantec AntiVirus server's local time.
Today Past 7 days This month All items A selected range of days
You can also filter event types by selecting just the events that you want to view.
Click the column header. The ascending sort icon appears within a column header the first time that you click it. The descending sort icon appears the next time that you click the column header.
230 Working with Histories and Event Logs About Histories and Event Logs
To filter History and Event Log data by date 1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Logs, and then select one of the following:
Event Log Scan History Risk History Tamper History Virus Sweep History Today Past 7 Days This Month All Items Selected Range If you select Selected Range, select start and end dates, and then click OK.
To filter Event Log data by event type 1 2 3 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Logs > Event Log. In the Event Log dialog box, click the filter icon. In the Filter Event Log dialog box, select the events that you want to display:
Configuration change Symantec AntiVirus startup and shutdown Virus definition file Scan omissions Forward to the Quarantine Server Deliver to Symantec Security Response Auto-Protect load/unload Licensing Client management and roaming Log Forwarding Unauthorized communication (access denied) warnings Login and certificate management
Working with Histories and Event Logs About Histories and Event Logs
231
Click OK.
Configuration change Symantec AntiVirus startup/shutdown Definitions file Scan Omissions Forward to Quarantine Deliver to Symantec Security Response Auto-Protect load/unload Licensing Client management and roaming Log Forwarding Unauthorized communication (access denied) warnings Login and certificate management
232 Working with Histories and Event Logs About Histories and Event Logs
Viewing Histories
Table 8-3 describes the Histories that you can view in the Symantec System Center console. Table 8-3 History
Scan History (current and scheduled)
Histories Description
At the server group level, displays all of the scans for that server group At the server level, displays all of the virus sweeps for clients that are managed by that server At the client level, displays all of the virus sweeps for that client At the server group level, displays all of the viruses and security risks that were found in that server group At the server level, displays all of the viruses and security risks that were found for clients that are managed by that server At the client level, displays all of the viruses and security risks that were found for the client At the server group level, displays all of the attempts to tamper with Symantec processes for that server group At the server level, displays all of the attempts to tamper with Symantec processes for clients that are managed by that server At the client level, displays all of the attempts to tamper with Symantec processes on that client At the server group and server level, displays all of the virus sweeps for all servers in a server group or a server
Risk History
Tamper History
View Histories
You can view Scan Histories, Risk Histories, Tamper Histories, and Virus Sweep Histories. To view a Scan History
In the Symantec System Center console, right-click a server group, server, or client, and then click All Tasks > Symantec AntiVirus > Logs > Scan History.
233
In the Symantec System Center console, right-click a server, server group, or client, and then click All Tasks > Symantec AntiVirus > Logs > Risk History.
In the Symantec System Center console, right-click a server, server group, or client, and then click All Tasks > Symantec AntiVirus > Logs > Tamper History.
To view a Virus Sweep History 1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Logs > Virus Sweep History. In the Virus Sweep History dialog box, click View Results to examine the results of previous sweeps.
234 Working with Histories and Event Logs Working with Histories
Table 8-4 describes the Scan History icons. Table 8-4 Icon Scan History icons Description
The file is infected. The file is not infected. The file was never infected, or it has been cleaned. See the action taken on the file for more information. Close the Scan History window. Display item properties. Save the data that is shown in the Scan History as a comma-separated value (.csv) file or as a Microsoft Access database file (.mdb). Display Help for the Scan History.
Table 8-5 describes the actions available in the Scan History window. Table 8-5 Action
Undo Action Taken
Delete Permanently
You can permanently delete an infected file (including a compressed file) that is stored in the Quarantine or Scan History. Permanently deleted items cannot be recovered. Note: For security risks, use this action with caution, because in some cases, deleting security risks can cause applications to lose functionality.
235
Move To Quarantine
Export
Properties
To clean an infected file 1 2 3 Double-click the entry. In the new dialog box that opens, right-click a file, and then click Clean. In the Take Action dialog box, click Start Clean.
To delete an infected file permanently 1 2 3 Double-click the entry. In the new dialog box that opens, right-click a file, and then click Delete Permanently. In the Take Action dialog box, click Start Delete. Permanently deleted files cannot be recovered.
236 Working with Histories and Event Logs Working with Histories
To move a file to the Central Quarantine 1 2 3 Double-click the entry. In the new dialog box that opens, right-click a file, and then click Move To Quarantine. In the Take Action dialog box, click Quarantine.
To export the Scan History data 1 2 3 Double-click the entry. Right-click the file, and then click Export. In the Save as type list, select one of the following:
4 5
237
Note: You cannot perform actions on email data. You can perform only limited actions on compressed files. Table 8-6 describes the Risk History icons. Table 8-6 Icon Risk History icons Description
This file has been infected with a virus or security risk. This file is not infected by a virus. The file was never infected, or it has been cleaned. See the action that was taken on the file for more information. An error occurred in association with this file. Close the Risk History window.
Table 8-7 describes the actions that are available in the Risk History window. Table 8-7 Action
Undo Action Taken
Delete Permanently
238 Working with Histories and Event Logs Working with Histories
Move To Quarantine
Export
Properties
To clean a virus-infected file 1 2 Right-click a file, and then click Clean. In the Take Action dialog box, click Start Clean.
To delete a file permanently 1 2 Right-click the file, and then click Delete Permanently. In the Take Action dialog box, click Start Delete. Permanently deleted files cannot be recovered.
To move a file to the Central Quarantine 1 2 Right-click the file, and then click Move To Quarantine. In the Take Action dialog box, click Quarantine.
239
To see more information about a security risk 1 2 Double-click the entry to view its properties. Click the link in the entry to view a Symantec Security Response Web page, which describes the security risk in detail and provides information about removal.
To export Risk History data 1 2 Right-click the file, and then click Export. In the Save as type list, select one of the following:
3 4
240 Working with Histories and Event Logs Working with Histories
To view Risk properties 1 2 Right-click a computer. Click All Tasks > Symantec AntiVirus > Logs > Risk History.
In the Risk History dialog box, right-click a risk entry, and then click Properties.
Working with Histories and Event Logs Forwarding client and server logs
241
To export the Tamper History data 1 2 Right-click the file, and then click Export. In the Save as type list, select one of the following:
3 4
4 5
242 Working with Histories and Event Logs Forwarding client and server logs
Symantec AntiVirus tracks a client log throughout the forwarding process and handles delivery failures by resending the log when necessary. You can configure events to forward from a client to its parent management server, or from a secondary management server to its primary management server.
Description
Number of seconds between log record processing intervals. There is no minimum or maximum number. The number of records to process in each polling interval. There is no minimum or maximum number. The default is 10 records.
Count
Working with Histories and Event Logs Forwarding client and server logs
243
Virus definition update information Virus infections File not scanned New virus defs applied Configuration change Service shutdown Service startup Virus definitions downloaded from parent File forwarded to Quarantine Server File forwarded to Symantec File backed-up/restored to/from Quarantine Scan aborted Error loading services Services loaded Services unloaded Client removed from parent server Scan delayed Scan restarted Client roamed to new parent server
244 Working with Histories and Event Logs Forwarding client and server logs
Client roamed from parent server License in warning period License expired, invalid or does not exist License in grace period Unauthorized communication Log forwarding error License installed License valid Virus definition rollback Client running without virus definitions Tamper protection alert Login failed Login succeeded Unauthorized communication (with certificate info) AntiVirus client installed Client uninstalled Client uninstall rolled-back Primary Server created (root certificate created) Server added to Server Group (certificates issued)
Working with Histories and Event Logs Forwarding client and server logs
245
Trusted root certificate added or removed Server startup failed due to certificate problem Client successfully checked in with its parent Client has failed to check in with its parent server
All events (default) Scanning and infection events Virus definition events Management and configuration events Startup and shutdown events Licensing events Security related events
246 Working with Histories and Event Logs Forwarding client and server logs
3 4
Check the events that you want the clients to forward to their parent management servers. Click OK.
To configure events to forward from secondary management servers to their primary management servers 1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Logs > Server Log Forwarding. In the Log Event Forwarding dialog box, for quicker configuration, you can display only certain items in the list by selecting one of the following preconfigured options from the drop-down list:
All events (default) Scanning and infection events Virus definition events Management and configuration events Startup and shutdown events Licensing events Security related events
3 4
Check the events that you want the secondary management servers to forward to their primary management server. Click OK.
Forward the Virus definitions update information event only. Poll at a high interval. Count at a low value.
See Table 8-10, Client log forwarding registry key values, on page 242.
Working with Histories and Event Logs Deleting Histories and Event Logs
247
2 3
248 Working with Histories and Event Logs Deleting Histories and Event Logs
Index
Numerics
64-bit operating systems definitions files 181 Internet email support 150 using Continuous LiveUpdate 182
A
access list reloading 62 using to enhance server group security 59 values for IP addresses 62 Action Status for alerts 102 actions configuring 139 File System Auto-Protect 136, 142 security risks 138 viruses 137 Active Directory, requirement for Discovery 25 adware 110 Alert Log Action Status 102 copying contents to Clipboard 102 deleting entries 101 displaying alerts in 100 filtering display list 103 viewing detailed information 102 Alert Management System about 83 alert forwarding for unmanaged clients 104 Alert Log 100 alert notification methods 83 configuring alert action messages 95 event threads 84 forwarding alerts to servers 105 limiting alert configuration network segments 86 alerts actions configuring 85 configuring messages 95 deleting actions from alerts 98
alerts (continued) actions (continued) export status 99 exporting to other computers 98, 99 testing 98 viewing export status 99 configuring Broadcast 87 default messages 97 paging services 91 SNMP traps 93 forwarding to AMS2 servers 105 message parameters 95 size limitation 97 antivirus and security risk protection 14 antivirus clients, configuring with Grc.dat 14 audits determining network security 34 labeling items and rerunning audits 39 Automatic enabler 132 Auto-Protect about 112 advanced options 129 configuring 123 email scanning 148 resetting options at different levels 124 scanning about 112 configuring for mail applications 123 options 115 SmartScan 126
B
backup files 132 blended threats 110 Bloodhound scanning 132 Broadcast alert, configuring 87
250 Index
C
cache discovering computers from 28 Discovery Clear Cache Now setting 29 file options 131 finding computers in local cache 30, 31 Normal Discovery address cache comparisons 25 server names and IP addresses in Symantec System Center console 25 client configuration, enabling direct 80 client groups adding clients to 75 changing settings for the access list 61 configuration change priority 46 configuring settings for 75 creating 74 deciding whether to manage with 46 deleting 78, 79 dragging and dropping clients to move them 76 filtering client group view 77 finding settings 75 in Symantec AntiVirus console view 20 moving clients between 75 renaming 78 running tasks 75 scenario 49 settings 75 viewing 76 clients about antivirus protection for 14 adding to client groups 75 assigned and unassigned 45 Auto-Protect options for 127, 134, 139, 144 changing between unmanaged and managed 82 check-in time 80 configuring check-in intervals 80, 81 configuring expiration 80, 81 disabling scheduled scans 169 editing or deleting scheduled scans 168 forcing definitions file updates 196 log forwarding registry values 242 moving between client groups 75 settings when the client group is deleted 78 viewing virus list 202 with intermittent connectivity 80 compressed files, configuring scanning of 157
computers, finding by using an IP address range 32 by using computer names 30 by using network search 31 by using TCP/IP 30 computers that run antivirus software from other vendors 37 computers that run unmanaged antivirus client or server software 38 in local cache 30 syncing to 38 unprotected 34 with outdated definitions 201 configuration change priority 46 roaming client support for servers 223 scan options about 111 on multiple selected computers 115 sharing in server and client groups 45 unauthorized change attempts log 63 console refreshing 33 starting 17 Continuous LiveUpdate changing registry values to enable 199 configuring for managed clients 198 CPU utilization, setting options for scheduled and manual scans 156
D
data columns, Symantec AntiVirus view 20 definitions files controlling deployment 201 displaying out-of-date or missing warning 173 finding computers with outdated definitions 201 forcing updates on all unlocked servers 182 on clients 197 on servers 183 Intelligent Updater 191 legacy clients 180 LiveUpdate 188 rolling back 202 rollouts 201 update methods 180 verifying dates 201 verifying version numbers 201
Index
251
delete frequency, setting for Histories and Event Logs 247 dialers 110 Discovery about Discovery types 23 Intense 24 Load from cache only 24 Local 24 Normal 25 Discovery Service changing the Discovery Cycle interval 30 configuring 28 Discovery Cycle configuration 29 how it works 23 how to find NetWare computers 26 Intense Discovery limitations 24 IP Discovery 24 running 26 why Discovery may not find computers 30 WINS or Active Directory requirement 25 within octets or subnet masks 86 drag-and-drop operation adding a client to a client group 75 moving a client from one client group to another 76 moving a server between server groups 49, 56
files (continued) cache options 131 cleaning infected 235, 238 deleting infected 235, 238 excluding from scanning 117 exclusions and inclusions 121 exclusions for NetWare 116 moving to Quarantine 236, 238 undoing action taken 235, 238 found items, locating in the Symantec System Center console 32
G
Grc.dat 56 changing parent management servers 55 configuring antivirus clients 14 enabling and configuring roaming clients 223 forwarding alerts to AMS2 servers 105
H
hack tools 110 heuristic scanning 132 Hierarchical Storage Management (HSM) settings, configuring 158 Histories about 227 deleting 247 filtering data 229 Risk History actions 237 Risk History icons 237 Scan Histories 233 Scan History actions 234 Scan History icons 234 setting delete frequency 247 sorting data 229 Tamper Histories 240 types 228 viewing 232 Virus Sweep Histories 241 History and Event Log data exporting to Microsoft Access 238 filtering 229
E
email, Lotus Notes, configuring scans for 123 Event Logs deleting 247 filtering data 229 forwarding 242 icons 231 setting delete frequency 247 sorting data 229 types 228 event threads 84 events, forwarding from clients and servers 242 exceptions for security risks 139 exclusions from scanning, configuring 121 export command for roaming client support 225 export status, viewing for alert actions 99
F
failover servers for roaming clients 222 files backing up before repairing 132
I
icons Risk History 236 Risk properties 239
252 Index
icons (continued) Scan History 233 Symantec System Center 15 Tamper History 240 inclusions for scanning, configuring 121 infected email message, notifying senders 176 infected files cleaning 238 deleting 238 infections, managing 205 Intense Discovery, about 24, 29 IP address range, finding computers by using 32 IP Discovery 24
N
NetWare excluding iFolder 116 finding NetWare servers 26 network auditing, setting options 36 Normal Discovery 25 notifications configuring 144 detection options 142 File System Auto-Protect 142 remediation options 143 user interaction with 146 Nsctop.exe 22
J
joke programs 110
L
LiveUpdate configuring servers to retrieve from Symantec FTP site 188 setting client policy for 200 using with internal LiveUpdate server 189 LiveUpdate servers, configuring internally for managed clients 197 Load an NLM alert, configuring 89 load balancing for roam servers 222 Load from cache only Discovery 24 Local Discovery 24, 28 log events, forwarding 242 login certificate configuring key size 42 lifetime about 39 configuring 40 Lotus Notes, configuring scans for 123
O
Other risk category 110
P
pager message, entering 92 paging services, configuring alerting 91 for AMS2 93 parent management server 55 See also servers passwords scanning mapped drives 173 uninstallation 173 Ping Discovery Service 23 primary management servers 44, 55
Q
Quarantine moving files to 236, 238 purging suspicious files from 208
M
managed clients changing to unmanaged clients 82 configuring Continuous LiveUpdate for 198 configuring for internal LiveUpdate servers 197 mobile clients 80 management servers, configuring by using the Virus Definition Transport Method 182 manual scans, configuring 154
R
Refresh feature 33 registry values changing to enable Continuous LiveUpdate 199 for access list 62 for client log forwarding 242 for roaming clients 226
Index
253
remote access programs 110 risk detection 110 Risk History about 228 icons and actions 236 sorting columns 229 Risk History data, exporting 239 Risk properties icons 239 RoamAdmn.exe about 216 command-line options 224 roaming client support configuring for clients 222 from Symantec System Center console 220 how it works 217 roaming clients about 215 analyzing and mapping antivirus network 218 components 216 creating hierarchical server list 220 enabling and configuring with Grc.dat 223 export command 225 failover servers for 222 implementing 217 registry values 226 server list 216 roaming servers configuring roaming support 223 example 224 identifying 218 level 0 216 sample registry values 224 Run Program alert, configuring 88
S
SavRoam.exe about 216, 217 command-line options 224 Scan History icons 233 sorting columns 229 Scan History data, exporting 235 scans assigning actions 123 Bloodhound 132 by program type 122
scans (continued) configuring Auto-Protect scans 123 exclusions 121 for compressed files 157 inclusions 121 manual scans 154 dimmed or missing options 115 displaying warning message on client 174 email 148 for viruses and security risks 109 options File System Auto-Protect 123 manual scans 154 precedence 115 scheduled scans 164 to exclude files from scanning 117 paused 171 recommended file extensions 118 scheduled scans allowing user to pause or stop 171 configuring 167 deleting 168 disabling 168 editing 168 running on demand 169 selecting files and folders to scan 121 setting Auto-Protect for files 123 CPU utilization options 156 options on multiple selected computers 115 snoozed 171 stopped 171 scheduled scans configuring 164 deleting 168 secondary management servers 44 security risks 109 security, enhancing for server groups 59 Send Internet Mail alert, configuring 90 Send Page alert configuring 91 paging service 91 server groups about 59 configuration change priority 46 creating 50 deciding whether to manage with 46
254 Index
server groups (continued) deleting 54 enhancing security 59 filtering views 54 how to view 53 locking and unlocking 51 moving servers to a new server group 56 refreshing the console 33 renaming 54 scenario 49 selecting primary management server for 18 viewing 53 servers Auto-Protect options 127, 134, 139, 144 changing parent management servers 55 changing primary management servers 55 configuring management servers by using the Virus Definition Transport Method 182 disabling scheduled scans 169 dragging and dropping to move between server groups 49, 57 editing or deleting scheduled scans 168 grouping into server groups 50 identifying best parent for roaming clients 215 moving to a new server group 56 parent management servers 45 primary management servers 44 secondary management servers 44 viewing in console 33 risk list for 202 SmartScan 126 spyware 111 subnet, IP Discovery for 24 Symantec Security Response, tracking submissions 213 Symantec System Center changing views 19 console views 19 icons 15 locating found items 32 populating the console 22 product management snap-ins 19 refreshing the console 33 saving console settings 19 starting 17 System Hierarchy display 15 System Hierarchy configuration change priority 46
System Hierarchy (continued) data columns in Default Console View 20 description 17 icon 15
T
Tamper History about 228 exporting data 241 icon 240 Tamper Protection about 70 enabling, disabling, and configuring 70 message fields 72 messages 72 Threat Tracer 131, 135 threats blended 110 tracing 135 throttling options 156 time discrepancy tolerance between clients and servers, configuring 40 Trackware 111 Trojan horses 110
U
unauthorized configuration change attempts, logging 63 uninstallation password 173 unmanaged clients alert forwarding 104 changing to managed clients 82 creating a custom .hst file for LiveUpdate 197 finding with network audits 34 updates, ensuring definitions file is current for all clients 180 user access levels, user account management 57
V
viewing Alert Log 100 client groups 76 Histories 232 server groups 53 virus list 202 views changing 19
Index
255
views (continued) filtering server group 54 Symantec System Center console 19 virus alerts, tracking 212 Virus Definition Transport Method configuring management servers by using 182 updating NetWare servers 185 virus list 202 virus sweep History 229, 232 running in response to outbreaks 206 viruses 109, 110
W
warning message adding to infected email message 175 displaying on infected computer 174 example 174 for email scanning 149, 151 WINS requirement for Discovery 25 worms 110