Savcadmn

Symantec AntiVirus Corporate Edition Administrators Guide
Symantec AntiVirus Corporate Edition Administrators Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version 10.0
Copyright Notice
Copyright 2005 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.
Trademarks
Symantec, the Symantec logo, LiveUpdate, Norton AntiVirus, and Norton SystemWorks are U.S. registered trademarks of Symantec Corporation. Norton Internet Security, Norton Personal Firewall, Symantec AntiVirus, Symantec Client Firewall, Symantec Client Security, Symantec Desktop Firewall, Symantec Enterprise Security Architecture, Symantec Packager, Symantec Security Response, and Symantec System Center are trademarks of Symantec Corporation. Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.
Technical support
As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support groups primary role is to respond to specific questions on product feature/ function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts. Symantec technical support offerings include:

A range of support options that give you the flexibility to select the right amount of service for any size organization Telephone and Web support components that provide rapid response and up-to-the-minute information Upgrade insurance that delivers automatic software upgrade protection Content Updates for virus definitions and security signatures that ensure the highest level of protection Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support Program
Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using.
Licensing and registration

If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at www.symantec.com/certificate. Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.html, select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link.
Contacting Technical Support

Customers with a current support agreement may contact the Technical Support group via phone or online at www.symantec.com/techsupp. Customers with Platinum support agreements may contact Platinum Technical Support via the Platinum Web site at www-secure.symantec.com/platinum/.
When contacting the Technical Support group, please have the following:

Product release level Hardware information Available memory, disk space, NIC information Operating system Version and patch level Network topology Router, gateway, and IP address information Problem description Error messages/log files Troubleshooting performed prior to contacting Symantec Recent software configuration changes and/or network changes
Customer Service
To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, and then choose Service and Support. Customer Service is available to assist with the following types of issues:

Questions regarding product licensing or serialization Product registration updates such as address or name changes General product information (features, language availability, local dealers) Latest information on product updates and upgrades Information on upgrade insurance and maintenance contracts Information on Symantec Value License Program Advice on Symantec's technical support options Nontechnical presales questions Missing or defective CD-ROMs or manuals
Contents
Technical support
Section 1
Chapter 1
Managing Symantec AntiVirus

Symantec AntiVirus basics
About Symantec AntiVirus ................................................................................ 13 About the Symantec System Center ................................................................. 14 Symantec System Center console icons ................................................... 15 Using the Symantec System Center .................................................................. 17 Starting the Symantec System Center ..................................................... 17 Selecting a primary management server for a server group ................ 18 About console views .................................................................................... 19 Changing console views .............................................................................. 19 Saving console settings ............................................................................... 19 Customizing console view columns .......................................................... 20 Showing when clients are offline .............................................................. 21 Showing client Auto-Protect status .......................................................... 22 About refreshing the console ..................................................................... 22 About the Discovery Service .............................................................................. 22 How Discovery works .................................................................................. 23 Types of Discovery ...................................................................................... 23 Discovery Service requirement for WINS or Active Directory ............. 25 NetWare computers and the Discovery Service ..................................... 26 Running the Discovery Service ......................................................................... 26 Configuring the Discovery Service to use IP addresses ......................... 26 Configuring the Discovery Service ........................................................... 28 Configuring the Discovery Cycle interval ................................................ 29 Using the Find Computer feature ...................................................................... 30 Finding computers using a local cache search ........................................ 30 Finding computers using a network search ............................................. 31 Locating found items in the Symantec System Center console ........... 32 Using the Refresh feature .......................................................................... 33 Auditing computers ..................................................................................... 34
6 Contents
Configuring login certificates ............................................................................ 39 Configuring login certificate lifetime and time tolerance .................... 40 Configuring login certificate key size ....................................................... 42
Chapter 2

About servers ....................................................................................................... 43 About primary management servers ........................................................ 44 About secondary management servers .................................................... 44 About parent management servers .......................................................... 45 About server groups and client groups ............................................................ 45 Deciding whether to use server groups, client groups, or both ............ 46 Client groups and configuration priority ................................................. 46 How settings propagate .............................................................................. 48 Server and client group scenario .............................................................. 49 Using server groups to manage ......................................................................... 49 Best practice: Installing a secondary management server ................... 50 Creating server groups ............................................................................... 50 Locking and unlocking server groups ...................................................... 51 Viewing and filtering server groups ......................................................... 53 Renaming server groups ............................................................................. 54 Deleting server groups ................................................................................ 54 Changing primary management servers ................................................. 55 Changing parent management servers .................................................... 55 Moving a server to a different server group ............................................ 56 Managing user accounts for server groups ............................................. 57 Enhancing server group security ...................................................................... 59 How the access list works ........................................................................... 60 Choosing which computers to protect ...................................................... 61 About the access list .................................................................................... 62 Forcing the access list to reload ................................................................ 62 Rolling out the access list ........................................................................... 62 Logging unauthorized configuration change attempts ......................... 63 Configuring options for Windows Security Center (WSC) .................... 64 Optimizing server performance ........................................................................ 67 Optimizing definitions and configuration rollouts ................................ 67 Monitoring clients ....................................................................................... 68 Using Tamper Protection ................................................................................... 70 Enabling, disabling, and configuring Tamper Protection ..................... 70 Creating Tamper Protection messages .................................................... 72
Contents
Using client groups to manage .......................................................................... 74 Creating client groups ................................................................................. 74 Adding clients to a client group ................................................................. 75 Configuring settings and running tasks at the client group level ....... 75 About client group settings ........................................................................ 75 Moving a client to a different client group .............................................. 75 Viewing and filtering client groups .......................................................... 76 Renaming client groups .............................................................................. 78 Deleting client groups ................................................................................. 78 Using client group settings instead of server group settings ............... 79 Managing clients .................................................................................................. 79 Managing legacy clients ............................................................................. 79 Enabling direct client configuration ......................................................... 80 Handling clients with intermittent connectivity .................................... 80 Changing the management mode of a client ........................................... 82
Chapter 3
Setting up the Alert Management System

About the Alert Management System .............................................................. 83 How Alert Management System works ............................................................ 84 Configuring alert actions .................................................................................... 85 Alert configuration tasks ............................................................................ 85 Speeding up alert configuration ................................................................ 85 Configuring the Message Box alert action ............................................... 87 Configuring the Broadcast alert action .................................................... 87 Configuring the Run Program alert action .............................................. 88 Configuring the Load An NLM alert action .............................................. 89 Configuring the Send Internet Mail alert action .................................... 90 About paging services ................................................................................. 91 Configuring the Send Page alert action .................................................... 91 Configuring the Send SNMP Trap alert action ....................................... 93 Configuring the Write To Event Log alert action ................................... 94 About configuring alert action messages ........................................................ 95 Configuring a default alert message ................................................................. 97 Working with configured alerts ........................................................................ 97 Testing configured alert actions ............................................................... 98 Deleting an alert action from an alert ...................................................... 98 Exporting alert actions to other computers ............................................ 98 Using the Alert Management System Alert Log ...........................................100 Viewing detailed alert information .........................................................102 Filtering the Alert Log display list ..........................................................103 Forwarding alerts from unmanaged clients ..................................................104
8 Contents
Section 2
Chapter 4
Configuring Symantec AntiVirus

Scanning for viruses and security risks
About viruses and security risks ..................................................................... 109 About Symantec AntiVirus scans ................................................................... 111 Understanding Auto-Protect scans ........................................................ 112 Understanding manual scans .................................................................. 113 Understanding virus sweep scans ........................................................... 113 Understanding scheduled scans .............................................................. 113 Selecting computers to scan .................................................................... 114 About inclusions and exclusions in scans .............................................. 116 Configuring inclusions and exclusions .................................................. 121 About actions for viruses and security risks that scans detect .......... 123 Configuring Auto-Protect ................................................................................ 123 About propagating Auto-Protect settings .............................................. 124 Locking and unlocking Auto-Protect options ....................................... 124 Configuring File System Auto-Protect ................................................... 125 Configuring Auto-Protect email scanning for groupware applications ........................................................................................ 148 Configuring Auto-Protect scanning for Internet email ....................... 150 Configuring manual scans ................................................................................ 154 Configuring actions for manual scans .................................................... 161 Configuring notifications for manual scans .......................................... 162 Creating and configuring scheduled scans .................................................... 164 Creating scheduled scans ......................................................................... 164 Configuring scheduled scans ................................................................... 167 Managing the client user experience .............................................................. 170 Enabling users to pause, snooze, or stop scheduled scans .................. 171 Preventing or allowing users to unload Symantec AntiVirus services ................................................................................................ 172 Changing the password that is required to uninstall ........................... 173 Changing the password that is required to scan mapped drives ....... 173 Displaying a warning when definitions are out of date or missing ... 173 Managing warnings and notifications about infected files ................. 174
Chapter 5
Updating definitions
About definitions ............................................................................................... 179 Ensure that all definitions are current .......................................................... 180 Definitions files update methods .................................................................... 180 Best practice: Using the Virus Definition Transport Method and LiveUpdate together .......................................................................... 181 Best practice: Using Continuous LiveUpdate on 64-bit computers ... 182
Contents
Updating definitions files on servers .............................................................182 Updating and configuring servers using the Virus Definition Transport Method ..............................................................................182 Updating servers using LiveUpdate ........................................................188 Updating servers with Intelligent Updater ...........................................191 About using Central Quarantine polling to update servers ................192 Minimizing network traffic and handling missed updates .................192 Updating definitions files on clients ..............................................................195 Forcing definitions files on clients to update immediately .................196 Configuring managed clients to use an internal LiveUpdate server ..............................................................................197 Enabling and configuring Continuous LiveUpdate for managed clients ...................................................................................................198 Setting LiveUpdate usage policies ..........................................................200 Controlling definitions file deployment .........................................................201 Finding computers with outdated definitions files ..............................201 Verifying the version number of definitions files ................................201 Viewing the risk list ...................................................................................202 Rolling back definitions files ...................................................................202 Testing definitions files ....................................................................................203 Scenarios for definitions updates ...................................................................204 About scanning after updating definitions files ...........................................204
Chapter 6
Responding to virus outbreaks

Preparing for virus outbreaks ..........................................................................205 Creating a virus outbreak plan ................................................................206 Defining Symantec AntiVirus actions for handling suspicious files ...................................................................................208 Purging suspicious files from local Quarantine folders automatically ......................................................................................208 Forwarding items to the Quarantine Server ..........................................209 Enabling scan and deliver .........................................................................210 Configuring actions to take when new definitions arrive ...................210 Handling a virus outbreak on your network .................................................211 Using virus alerts and messages .............................................................211 Running a virus sweep ..............................................................................212 Tracking virus alerts using Event Logs and Histories .........................212 Tracking submissions to Symantec Security Response with Central Quarantine Console .............................................................213
10 Contents
Chapter 7
Managing roaming clients

About roaming clients ...................................................................................... 215 Roaming client components ............................................................................ 216 How roaming works .......................................................................................... 217 Implementing roaming ..................................................................................... 217 Analyzing and mapping your Symantec AntiVirus network .............. 218 Identifying servers for each hierarchical level ..................................... 219 Creating a list of level 0 Symantec AntiVirus servers ......................... 219 Creating a hierarchical list of Symantec AntiVirus servers ............... 220 Configuring roaming client support options from the Symantec System Center console ...................................................................... 220 Configuring additional roaming client support for roam servers ..... 223 Command-line options ...................................................................................... 224 Registry values ................................................................................................... 226
Chapter 8
Working with Histories and Event Logs

About Histories and Event Logs ...................................................................... 227 Sorting and filtering History and Event Log data ................................ 229 Understanding Event Log icons .............................................................. 231 Viewing Histories ....................................................................................... 232 Working with Histories .................................................................................... 233 Working with Scan Histories ................................................................... 233 Working with Risk Histories .................................................................... 236 Viewing Risk properties ............................................................................ 239 Working with Tamper Histories .............................................................. 240 Working with Virus Sweep Histories ...................................................... 241 Forwarding client and server logs .................................................................. 241 Configuring log forwarding options ....................................................... 242 Configuring log events to forward .......................................................... 242 Best practice: Configuring events to forward for sometimes-managed clients .................................................................................................. 246 Reviewing the forwarding status file ...................................................... 247 Deleting Histories and Event Logs .................................................................. 247
Index
Section

Symantec AntiVirus basics Managing Symantec AntiVirus Setting up the Alert Management System
12
Chapter
Symantec AntiVirus basics

This chapter includes the following topics:

About Symantec AntiVirus About the Symantec System Center Using the Symantec System Center About the Discovery Service Running the Discovery Service Using the Find Computer feature Configuring login certificates
About Symantec AntiVirus

For workstations and network servers, Symantec AntiVirus provides scalable, cross-platform protection from viruses and security risks, and repairs their side effects. Among the tasks you can perform by using Symantec AntiVirus are the following:
Establish and enforce an antivirus and security risk policy for your business. Retrieve content updates such as virus and security risk definitions. Quarantine and delete live viruses. Analyze logged events.
Symantec AntiVirus product components are described in the Symantec AntiVirus Installation Guide.
14 Symantec AntiVirus basics About the Symantec System Center
The Symantec AntiVirus client software provides antivirus and security risk protection for networked and non-networked computers. The Symantec AntiVirus client software protects 32-bit and supported 64-bit computers that run supported Windows versions. The term, Symantec AntiVirus, refers to both the Symantec AntiVirus server and the Symantec AntiVirus client software. Computers that run Symantec AntiVirus server software might be required to do so because of system requirements. Computers that run Symantec AntiVirus server software are not required to act as management servers. The Symantec AntiVirus server software can manage other computers that run Symantec AntiVirus and supported legacy versions of Norton AntiVirus Corporate Edition, and can push configuration updates as well as virus and security risk definitions file updates to these clients. In addition, the Symantec AntiVirus server software provides antivirus and security risk protection for the computers on which it runs. Note: The Symantec AntiVirus server software is not supported on 64-bit computers.
About the Symantec System Center

By using the Symantec System Center, you can manage network security, performing administrative operations such as the following:
Installing antivirus and security risk protection on workstations and network servers Updating Symantec AntiVirus definitions Managing Symantec AntiVirus servers and clients Managing content licensing, if you are using a content license rather than a site license for your computers See the Content Licensing chapter in the Symantec AntiVirus Installation Guide.
In addition to the Symantec System Center, you can also use Grc.dat configuration files to configure Symantec AntiVirus clients. You can use configuration files if you want to use a third-party tool to perform remote configuration on your network.
Symantec AntiVirus basics About the Symantec System Center
15
Symantec System Center console icons

When the Symantec System Center runs, it displays a system hierarchy of server groups, client groups, and servers that are represented by icons. The icons appear in an expandable tree in the Symantec System Center console. The Symantec System Center uses icons to represent the different states of computers that are running Symantec managed products. For example, if the server group icon in the server group view appears with a padlock icon, the server group must be unlocked with its password before you can configure or run scans for the computers in the server group. Table 1-1 describes the Symantec System Center icons. Table 1-1 Icon Symantec System Center icons Icon descriptions
Highest level object representing the system hierarchy, which contains all server groups. Unlocked server group or client group. Compare this icon to the locked server group icon. For security reasons, all server groups default to locked when you start the Symantec System Center. Locked server group. You must enter a password before you can view the computers in the server group to configure and run updates and scans. An issue needs to be resolved in this server group. For example, there may not be a primary management server assigned to the server group or a server may be infected with a virus or security risk. A security risk, such as adware or spyware, was detected on a computer in this server group. Note: If Symantec AntiVirus detects both a virus and a security risk on the same computer, the virus icon appears. Symantec AntiVirus server running on a supported Windows or NetWare computer. Compare this icon to the next one, which is the primary management server for the server group. Symantec AntiVirus primary management server running on a supported Windows or NetWare computer.
16 Symantec AntiVirus basics About the Symantec System Center
Table 1-1 Icon
Symantec System Center icons Icon descriptions

Unavailable Symantec AntiVirus server. This icon appears when communication is severed between the Symantec AntiVirus server and the Symantec System Center console. The communication error may result from one of several different causes. For example, the server system is not running; the Symantec software has been removed; the server, client, and Symantec System Center system times are out-of-sync; or there could be a network failure between the console and the system. A virus was detected on the computer that is running Symantec AntiVirus server. A security risk, such as adware or spyware, was detected on the computer that is running Symantec AntiVirus server. If Symantec AntiVirus detects both a virus and a security risk on the same computer, the virus icon appears. Symantec AntiVirus client running on a supported Windows computer. When you select this computer, you view options only on that computer. A virus was detected on the computer that is running Symantec AntiVirus client. A security risk, such as adware or spyware, was detected on the computer that is running Symantec AntiVirus client. If Symantec AntiVirus detects both a virus and a security risk on the same computer, the virus icon appears. An issue needs to be resolved with this client. For example, virus and security risk definitions files may be out-of-date or the client group to which the client was assigned may be no longer valid. The status field in the Symantec System Center console indicates the actual problem. The computer, which runs Symantec AntiVirus client software, is not currently connected to the network. This could occur because the server, client, and Symantec System Center system times are out-of-sync. You must enable a setting for the Symantec System Center console to show when clients are not connected to the network.
Symantec AntiVirus basics Using the Symantec System Center
17
Using the Symantec System Center

The system hierarchy in the Symantec System Center console is the top level that contains all server groups and client groups. Note: The system hierarchy is not populated until you install at least one Symantec AntiVirus server.
Starting the Symantec System Center

Start the Symantec System Center when you want to manage Symantec AntiVirus. To start the Symantec System Center
On the Windows taskbar, click Start > Programs > Symantec System Center Console > Symantec System Center Console.
Console tree tab
Top server group level Contents of object selected in tree appear in right pane Locked server group Unlocked server group Client groups
18 Symantec AntiVirus basics Using the Symantec System Center
The Symantec System Center opens to the Default Console View. Note: The Symantec System Center console should not be viewed from a terminal session.
Selecting a primary management server for a server group

If you have not already done so, the first thing that you must do to use Symantec System Center is to assign a primary management server for the server group that you created at the time of installation. You must specify a server in the server group as the primary management server; no server is specified as the primary management server by default. Until you specify a primary management server, you cannot perform most Symantec product management operations. After promoting a server to primary and installing additional secondary management servers, you should remove and archive the server group private key from the pki\private-keys directory that is located under the Symantec AntiVirus directory that you selected at the time of installation. For more information, see the Symantec AntiVirus Reference Guide. When you select a server group object in the Symantec System Center console and set options, the settings are saved to the primary management server in the server group. Other servers in the server group also use the new configuration. Computers that are running any of the following operating systems can be primary management servers:

Windows 2000 Server/Advanced Server/Professional Windows Server 2003 Web/Standard/Enterprise/Datacenter Editions Windows XP Professional NetWare Server 5.1 Support Pack 8 or higher, 6.0 Support Pack 5 or higher, and 6.5 Support Pack 2 or higher
The primary management server plays an important role, so select a stable server that is always running. To select the primary management server for a server group
Right-click the server that you want to be the primary management server, and then click Make Server A Primary Server.
19
About console views

Each product management snap-in makes a new product view available within the Symantec System Center console. For example, when you install the Symantec AntiVirus management snap-in, the Symantec AntiVirus view is added, which includes fields related to Symantec AntiVirus, such as Last Scan and Definitions.
Changing console views

Unless you change the view, the Symantec System Center console displays the Default Console View. The other views available depend upon which managed Symantec AntiVirus snap-ins you have installed. To change console views 1 2 In the left pane, right-click an object, such as System Hierarchy. On the View menu, in the list that appears at the bottom of the menu, click a view.
Saving console settings

When you close the Symantec System Center, you are prompted to save Microsoft Management Console (MMC) console settings for the Symantec System Center. This has no effect on the Symantec AntiVirus configuration changes that you make when you use the Symantec System Center. To save console settings
Do one of the following:
Click Yes if you want to see the same console view the next time that you launch the Symantec System Center. Click No if you want to see the last saved view the next time you launch the Symantec System Center.
20 Symantec AntiVirus basics Using the Symantec System Center
Customizing console view columns

The columns that appear in the right pane change based on the selected view. When System Hierarchy is selected, the Default Console View includes the following data columns:

Name Status Primary Server Valid State
Table 1-2 lists the data columns in the Symantec AntiVirus view. Table 1-2 Data columns in the Symantec AntiVirus view Data columns that appear in right pane

Level selected in left pane

System hierarchy
Server Group Status Definition Sharing Newest Definitions Status of Server Updates Server Type Status Last Scan Definitions Version Scan Engine Address Status of Client Updates Group Name Configuration Change Date Number of Clients
Server group
Groups (for client groups)
21
Table 1-2
Data columns in the Symantec AntiVirus view Data columns that appear in right pane

Level selected in left pane

Client group or server
Client User, including the domain that authenticated the user Status Last Scan Definitions Version Scan Engine Address Group Server
You can rearrange the order of the columns to better suit your needs. To customize the columns in a view 1 2 3 4 In the left pane, under Symantec System Center, select an object. On the View menu, in the list that appears at the bottom of the menu, select the view that you want to customize. On the View menu at the top of the Symantec System Center window, click Choose Columns. In the Modify Columns dialog box, use the Add, Remove, Move Up, and Move Down buttons to customize your view as needed, or use Reset to return the settings to the last saved state.
Showing when clients are offline

You can configure the Symantec System Center console to show when computers running Symantec AntiVirus client software are not currently connected to the network. The icon in the last row of Table 1-1 indicates that the client is offline. To show when clients are offline 1 2 On the Tools menu, click SSC Console Options. In the SSC Console Options Properties dialog box, on the Client Display tab, under Client Configuration Options, check Indicate when clients are offline. This option is unchecked by default.
22 Symantec AntiVirus basics About the Discovery Service
Showing client Auto-Protect status

You can configure the Symantec AntiVirus client or server icon to appear on the Windows system tray. The icon shows a client or servers Auto-Protect status as follows:
When Auto-Protect is enabled, the icon appears as a full shield. When you right-click the icon, a check mark appears before Enable Auto-Protect. When Auto-Protect is disabled, the icon is covered by a universal no sign (a red circle with a diagonal slash). When you right-click the icon, no check mark appears before Enable Auto-Protect.
About refreshing the console

At the first startup of a newly installed Symantec System Center console, the console pings the network to find all available computers that run Symantec AntiVirus server software. As soon as the servers respond, they are added to the console. Connected workstations running a managed Symantec client product are added when their parent management server is selected in the console tree. See About parent management servers on page 45. If you start servers that are running a manageable Symantec product while the Symantec System Center is already running, you may need to locate the servers by using the Find Computer feature or by running the Discovery Service so that they appear in the server group view. See Using the Find Computer feature on page 30. You can also use Discovery to locate network computers on which Symantec AntiVirus is not installed. See About the Discovery Service on page 22.
About the Discovery Service

The Symantec System Center console runs a single service, the Symantec System Center Discovery Service (Nsctop.exe). This service is responsible for discovering the computers running Symantec AntiVirus server software that appear in the Symantec System Center console. The Discovery Service also populates the Symantec System Center console with the objects in the hierarchy. From the Symantec System Center console, you can select any object beneath the console root, and then choose Discovery Service from the Tools menu to perform a new Discovery of servers.
Symantec AntiVirus basics About the Discovery Service
23
How Discovery works

To discover computers on the network, a computer that runs the Symantec System Center sends several pings, which are UDP broadcasts to port 38293, to the network. The ping program verifies that the remote computer exists and can accept requests. When Symantec AntiVirus servers and AMS2 servers that run the Ping Discovery Service (Intel PDS) hear a ping, they respond with pong packets. Only antivirus servers are discovered by using this ping and pong mechanism. Symantec AntiVirus finds client information by querying the server for its client information. Clients ping the server to get the port number that the servers Rtvscan listens on. The clients Rtvscan can then send its keep-alive packet to the parent servers Rtvscan, and communication can begin. The keep-alive packet contains information such as the following:

Date of the computers virus definitions files When the computer was last infected
IP pings are sent to the remote computer running Symantec AntiVirus server software to determine what type of protocol it uses. Pings are also sent that support Norton AntiVirus Corporate Edition and Intel LANDesk Virus Protect, legacy versions of Symantec AntiVirus. The data from the computer that runs Symantec AntiVirus client software is stored on the computer that runs Symantec AntiVirus server software that is the clients parent management server. The Symantec System Center console reads each parent management servers registry to get the data that it displays in the console. Following the completion of this process, Normal Discovery runs.
Types of Discovery
Symantec System Center uses the following types of Discovery:

Load from cache only (with or without using IP Discovery) Local Discovery (with or without using IP Discovery) Intense Discovery (with or without using IP Discovery) Normal Discovery (not user-initiated)
24 Symantec AntiVirus basics About the Discovery Service
Table 1-3 describes the types of Discovery that Symantec AntiVirus uses: Table 1-3 Type
Load from cache only
Discovery types What follows

Normal Discovery
Description
Load from cache only offers the most basic type of Discovery. It tries to refresh all of the servers for which the Symantec System Center console address cache contains information. Each server is then sent a series of pings to see if the server checks back in, and to refresh information on the console. Load from cache only reduces traffic on the network when you launch the Symantec System Center. In most cases, you may find that choosing Load from cache only finds all of the servers that you need to add to the Symantec System Center console.
Local Discovery (default)
In Local Discovery, a ping packet is broadcast over the local subnet of the computer that runs the Symantec System Center console. Intel PDS services that run on servers on the local subnet reply with pong data. Local Discovery generates less ping noise, but is limited to the local subnet. Local Discovery works very well on small subnets. In very large subnets, you might obtain better results by using Intense Discovery.
Load from cache only Normal Discovery
Intense Discovery
Intense Discovery walks My Network Places on the local Windows computer and attempts to resolve all computers that it finds into a network address. When it has the network address, it attempts to send ping requests. You can configure whether Intense Discovery walks the NetWare or Microsoft branches of the network tree, or both. The ability of Intense Discovery to locate computers is limited by several factors: the availability of a Windows Internet Naming Service (WINS) server or Active Directory, network subnet and router configuration, DNS configuration, and Microsoft domain and workgroup configuration. Searching by IP address range in most cases is not affected by these factors. For this reason, you may want to use IP Discovery.
Local Discovery Load from cache only Normal Discovery
Symantec AntiVirus basics About the Discovery Service
25
Table 1-3 Type

Normal Discovery
Discovery types What follows

Runs automatically after other types of Discovery; not userinitiated.
Description
The Symantec System Center console broadcasts to all servers that are in unlocked server groups. Normal Discovery queries the primary management server of the server group for the list of secondary management servers in its address cache. The Symantec System Center console address cache stores information for all servers that have ever reported to it. The primary management server address cache contains information for every server within the server group. The address cache includes the names of all secondary management servers and their IP addresses. The Symantec System Center console compares its own address cache with the address cache sent by the primary management server. When a mismatch is identified, the console pings the associated server. When the pong data returns, it is added to all other servers in the list. In this way, Normal Discovery can identify every server in the server group and attempt to resolve information conflicts between parent management servers.
You can configure Load from cache only, Local Discovery, and Intense Discovery to use IP Discovery by using either an IP address or an IP subnet address range. You may want to use IP Discovery only periodically to discover computers across the network. After the computers are in the address cache, you can then use the Load from cache only method.
Discovery Service requirement for WINS or Active Directory

The Discovery Service requires the use of Windows Internet Naming Service (WINS) or Active Directory name resolution. If you are attempting to run the Discovery Service in an environment where WINS or Active Directory is not available, you need to find at least one computer running Symantec AntiVirus server on your network first. To find the computer, you can use the Find Computer feature or the Importer tool. See Using the Find Computer feature on page 30. See the Symantec AntiVirus Reference Guide for information about the Importer tool.
26 Symantec AntiVirus basics Running the Discovery Service
NetWare computers and the Discovery Service

The Discovery Service may not find NetWare computers that are running IP only. To find computers not located by the Discovery Service, you can use the Find Computer feature. See Using the Find Computer feature on page 30.
Running the Discovery Service

You initiate all types of Discovery in the Symantec System Center console. Note: The Discovery Service uses WINS or Active Directory when it browses for new computers that run Symantec AntiVirus. If you are trying to discover new computers in an environment in which WINS or Active Directory is unavailable, you may want to run the Find Computer feature or the Importer tool first. See Using the Find Computer feature on page 30. See the Symantec AntiVirus Reference Guide for information about the Importer tool.
Configuring the Discovery Service to use IP addresses

You can run the Discovery Service and find servers with or without including IP addresses and subnets. To configure the Discovery Service to use IP addresses 1 2 In the left pane, select any object below the console root. On the Tools menu, click Discovery Service.
Symantec AntiVirus basics Running the Discovery Service
27
In the Discovery Service Properties window, on the Advanced tab, check Enable IP Discovery.
Once Enable IP Discovery is checked, an IP Discovery session runs whenever you run an Intense Discovery. To run any type of Discovery without also running IP Discovery, uncheck Enable IP Discovery. You can also access IP Discovery functionality in the Find Computer dialog box. See Using the Find Computer feature on page 30. 4 In the Scan Type list, select one of the following:
IP Address: The console pings every computer in the range of IP addresses. IP Subnet: The console broadcasts to each subnet.
5 6
In the Beginning of range and End of range boxes, type the addresses. If you clicked IP Subnet, type the subnet mask to refine the search. IP Address search results appear in the lower portion of the Find Computer dialog box. IP Subnet search results are displayed in the Symantec System Center console status bar.
28 Symantec AntiVirus basics Running the Discovery Service
Configuring the Discovery Service

You can configure and run three types of Discovery. To configure the Discovery Service 1 In the Symantec System Center console, on the Tools menu, click Discovery Service.
If you want to run Discovery using IP addresses, configure the settings on the Advanced tab. See To configure the Discovery Service to use IP addresses on page 26. In the Discovery Service Properties window, on the General tab, select one of the following options:
Load from cache only This is the quickest method. The Symantec System Center reads the list of servers and clients stored in the local cache. See Table 1-3, Discovery types, on page 24. Local Discovery Broadcasts to the Symantec System Center consoles local subnet. Servers respond immediately with information about themselves and their clients. Each servers server group appears in the console unless you have filtered the view by using the View menu. Load from cache only runs as well. See Table 1-3, Discovery types, on page 24.
Symantec AntiVirus basics Running the Discovery Service
29
Intense Discovery
This is the most thorough method. If you have a large network, the Discovery process may take a long time. The Symantec System Center serially pings every server in the Network Neighborhood. Server names appear in the message area of the Symantec System Center console as they are found during the Discovery process. Intense Discovery also performs the same local subnet broadcast as Local Discovery. Load from cache only and Local Discovery run as well. See Table 1-3, Discovery types, on page 24.
4 5
Under Discovery Cycle, select the interval in minutes, if necessary. See Configuring the Discovery Cycle interval on page 29. If you plan to run Intense Discovery, under Intense Discovery Properties, specify the number of Intense Discovery threads, between 2 and 50. Each Discovery thread is an independent search for servers and clients. To maintain the most up-to-date Discovery information, select a lower Discovery interval and a higher number of Discovery threads. If you want to clear all server and client information out of the active memory and address cache, and immediately run Discovery based on the current Discovery settings, under Cache Information, click Clear Cache Now. When you clear the cache, unlocked server groups are locked. Do one of the following:

Click OK to save your changes.
If you want to immediately run Discovery, click Run Discovery Now, and then click Close. Only one Discovery can run at a time. Rebuilding a list of servers on a large network during Discovery may take a long time.
Configuring the Discovery Cycle interval

You can configure the Discovery Cycle time-out interval. By default, the interval is set to 480 minutes (every 8 hours), but you can set the time-out to any value from 1 to 1440 minutes between Discovery attempts. A new Discovery is skipped if the last Discovery is still running. For example, if you have Discovery set to run once a minute, and Discovery takes 20 minutes, 19 Discovery attempts are skipped.
30 Symantec AntiVirus basics Using the Find Computer feature
Note: Increasing the Discovery Cycle interval can result in a display of outdated information in the Symantec System Center console. To change the Discovery Cycle interval 1 2 On the Tools menu, click Discovery Service. Change the Interval in minutes setting as necessary.
Using the Find Computer feature

If you want to quickly find a server without having to expand and browse through the tree, you can use the Find Computer feature. You can search using TCP/IP addresses or computer names. The Find Computer feature is also useful if you install a server and then do not see it in the tree view when you expand a server group or server. This may occur for the following reasons:
The Symantec System Center may not automatically discover servers on LAN segments that are separated by routers. Servers may not be visible in the Network Neighborhood. For example, Windows Internet Naming Service (WINS) servers or Active Directory may not be replicated across network segments.
If you cannot locate some servers on your LAN, you can locate them manually by using the Find Computer feature in the Symantec System Center console. After you use the Find Computer feature to locate a server, you can manage it from the Symantec System Center console.
Finding computers using a local cache search

Rather than search the entire network for computers, you can restrict the search to those known to be stored already in the local cache.
Symantec AntiVirus basics Using the Find Computer feature
31
To find computers using a local cache search 1 On the Tools menu, click Find Computer.
2 3
In the Find Computer window, on the Local Search tab, type the network name of the server that you want to find. Under Match Type, select one of the following:

Partial: Searches for a server name that is a partial match.
Exact: Searches for a server name that is an exact match. If you leave the Search For text box empty, and then specify Partial as the match type, all computers in the local cache appear when you run the search. 4 Click Find Now.
Finding computers using a network search

You can use a network search to find individual computers running the Symantec AntiVirus server software.
Find computers
The Symantec System Center console contains the following Find Computer options that search the network:
Network Discovery Finds computers that run the Symantec AntiVirus server software by computer name or address. Finds computers that run the Symantec AntiVirus server software by using an IP address or subnet range.
Scan Network
Audit Network
This broad network search allows you to not only locate the computers, but also to determine the protection that is available on them, including whether other antivirus software is installed, and to configure a number of search settings. This option takes the most time and resources. See To run a network audit on page 35.
To find computers using an address type 1 2 On the Tools menu, click Find Computer. In the Find Computer window, on the Network Discovery tab, specify whether you want to use a computer name or an IP address as the search criterion. Type the server address or computer name. Click Find Now.
3 4
To find computers using an IP address range 1 2 On the Tools menu, click Find Computer. In the Find Computer window, on the Scan Network tab, select one of the following:
IP Subnet IP Address Sends out a broadcast to each subnet. Pings every computer in the range of IP addresses.
3 4 5
Type the addresses for Beginning of range and End of range. If you clicked IP Subnet in step 2, type the subnet mask to refine the search. Click Find Now. IP Address search results appear in the lower portion of the Find Computer dialog box. IP Subnet search results appear in the Symantec System Center console status bar.
Locating found items in the Symantec System Center console

You can use an item in a Find Computer list to locate the same item in the Symantec System Center console tree. This can be particularly useful if you have a very large number of computers in your network. To match an item, the server group to which the item belongs must be unlocked.
33
To locate found items in the Symantec System Center console 1 On the Tools menu, click Find Computer.
2 3
In the Find Computer window, select the desired computer. Click Sync Item. The Symantec System Center console tree view moves to the selected item, which is then highlighted in the right pane. Click Save if you want to save the search results as a comma-delimited file.
Using the Refresh feature

In the Symantec System Center console, you can refresh the information in the console at the system hierarchy, server group, or server level to validate active communication with the list of currently displayed servers. If the refresh determines that a server that previously appeared in the server group view is no longer communicating, the unavailable server icon appears. Note: The Refresh feature does not find servers or server groups that may have been added since the current session of the Symantec System Center started.
To use the Refresh feature
In the left pane, right-click the system hierarchy, unlocked server group, server, or client group, and then click Refresh.
Auditing computers
Computers on your network that do not have Symantec AntiVirus running leave holes open in your network security. You can run a network audit of remote computers to determine the following:

Whether a Symantec AntiVirus component is installed and running. The type of protection that is installed, such as Symantec AntiVirus server, client, or unmanaged client software. Whether antivirus software from other vendors or from Symantec (such as a Norton AntiVirus consumer version), including the type and version of that software, is installed on the computer.
You must be able to log in as Administrator to the remote computers that you are auditing. Note: Because Symantec AntiVirus now uses secure communications over SSL, server and server group information for clients that run the current version of Symantec AntiVirus does not appear after a network audit. If a firewall is running on the remote computer, the network audit may not be able to gather information.
35
To run a network audit 1 On the Tools menu, click Find Computer.
In the Find Computer window, on the Audit Network tab, type the beginning and end of the IP address range that you want to search.
Click Options to set custom network audit options. For example, if you want to find remote computers that have unmanaged Symantec AntiVirus client software installed, you can enable the related option.
In the Audit Network Options dialog box, set the number of audit threads to use to a value between 2 and 50. A higher number yields faster results but requires more network resources. Under Ping Options, set the following options:
The time-out period in milliseconds for Symantec PDS and Windows ICMP pings. Whether the search should continue even if an ICMP ping fails. This is useful if you know that a firewall is set up with a rule to block an ICMP ping, because you can still audit the network for computers that run Symantec AntiVirus.
Under Symantec AntiVirus IP ports, configure the search to ping up to four Symantec AntiVirus IP ports. To support legacy and current clients, both UDP and TCP ports are pinged. Port 1 defaults to 2967, which is the default port number of Rtvscan, the main Symantec AntiVirus service.
37
Under Display Options, specify whether you want to display the following:

Previously labeled machines Parent management servers discovered through clients even if they are outside the IP address range Whether to look for computers that run unmanaged Symantec AntiVirus client software, and offline servers and clients. This requires you to specify valid administrator account information, such as a user name and password. Whether to look for computers that run other vendors antivirus software. This requires that you know valid administrator account information, such as a user name and password.
Under Search Options, set the following options:
Whether or not to always use name resolution. See Setting administrator account options on page 38.
Click OK.
10 Click Find Now to run the audit.
You can see the audit progress at the bottom of the Find Computer dialog box. When the audit completes, the following types of information appear:
Machine Server Group The name of the remote computer. The name of the server group to which the remote computer belongs. The name of the server that controls the remote computer.
Server
Type
The server or client type. Login errors are also reported in this column. The version of the antivirus product running on the computer. The IP address of the computer. The user name associated with the compute, including the domain that authenticated the user.
Version Address User
Syncing found computers to locate them

After the status of the computers in your audit search is identified, you can locate selected computers by syncing to them. To sync found computers 1 In the Find Computer dialog box, select a computer, and then click Sync Item to locate the selected computer that runs Symantec AntiVirus client software. If the computer is in a locked server group, type the user name and password of the server group to which the computer belongs.
Setting administrator account options

When you run a network audit, if you select the following options in the Audit Network Options dialog box, you are required to specify administrator account information:

Look for unmanaged clients, offline servers, and offline clients Look for other AntiVirus software
Symantec AntiVirus basics Configuring login certificates
39
To set administrator account options 1 In the Remote Administrator Account dialog box, do one of the following:
Type the name of the domain that contains the computers that you want to find, followed by valid domain administrator account information. Check Use local accounts to access a specific computer, and then type the Admin user name and password.
Click OK.
Labeling found items and rerunning the audit

You can label the items that an audit finds. It may be useful to label items such as the following:

Computers that cannot be located or to which a connection cannot be made Routers and network drives Computers that do not have Symantec AntiVirus software installed
To label a found item and rerun the audit 1 2 3 4 In the Find Computer dialog box, in the Machine column, right-click an item, and then click Label. In the Edit description for dialog box, type a new label for the item. Click OK. Right-click the item again, and then click Audit again.
Configuring login certificates

Clients and servers use a temporary login certificate to authenticate Symantec System Center users. Because the user's login certificate is chained through the primary management servers login CA certificate back to the Server Group root certificate, the client or server knows that the user is authorized to manage the server group. When servers and clients receive a users request for configuration changes, they authenticate the user. If authentication succeeds, the clients compare their system clocks to the certificates time stamp. If they verify that the users temporary login certificate has not expired, they accept the users configuration changes. For more information about certificates and their use in Symantec AntiVirus, see the Symantec AntiVirus Reference Guide.
40 Symantec AntiVirus basics Configuring login certificates
The login certificate is time-limited for security purposes, but is valid across all time zones. If a specific user account is deleted in the Symantec System Center, the temporary login certificate that is associated with that user cannot be renewed after it expires, regardless of the time zone. If the login certificate expires after the user authenticates to a server or client, the user is automatically issued another valid login certificate. You can use the Symantec System Center to configure the login certificate lifetime. Login certificates are time-stamped, and by default, expire 24 hours after being issued. You can configure a shorter lifetime to increase the level of network security, but this also increases processing overhead. Warning: Unsynchronized computer system clocks in a server group can prohibit servers and clients from authenticating a users login certificate because of the time difference. Synchronize your computer system clocks to prevent this from occurring. For example, suppose that a user has a temporary login certificate that contains a primary management servers time stamp and is valid for 30 minutes. If that user attempts to authenticate to a client that has a clock setting that is set 45 minutes ahead of the primary management server, then when the client receives the login certificate, it believes that the login certificate expired 15 minutes ago based on its system clock setting, and does not permit configuration changes by that user. Because login certificates are issued by the primary management server in a server group, you can configure login certificate settings only at the server group level.
Configuring login certificate lifetime and time tolerance

If you do not use some method that automatically synchronizes system clocks in your network, be sure that the time periods that you configure are sufficient to cover any likely time discrepancies between your primary management servers, and the clients and secondary management servers that are managed by the primary management servers. When configuring login certificate settings, Symantec System Center automatically compensates for time zone differences.
Symantec AntiVirus basics Configuring login certificates
41
To configure login certificate settings 1 Right-click the server group that you want to configure, and then click Configure login certificate settings.
In the Login Certificate Settings dialog box, under Length of time login certificate is valid, set the number of hours and days that you want the certificate to last. A Symantec System Center user whose login session exceeds this setting is prompted for a user name and password to obtain a new login certificate. The default is 1 day. All computers in this server group whose system clocks are ahead of the primary management server system clock must be no further ahead than this setting to be managed by the Symantec System Center. Under Tolerate time discrepancy between computers of, set the number of hours and days to the amount of backwards time discrepancy that you want to allow between the system clocks of the primary management server, and the system clock of its clients and secondary management servers. The default is 1 day. All computers in this server group whose system clocks are behind the primary management server clock must be no further behind than this setting to be managed by the Symantec System Center.
42 Symantec AntiVirus basics Configuring login certificates
Configuring login certificate key size

You can configure the size of the keys that the Symantec System Center generates for end-entity login certificates. A larger key provides a greater degree of security. To configure login certificate key size 1 2 3 Click Tools > SSC console options. In the SSC Console Options Properties dialog box, click the Certificates tab. Select the number of bits that you want to use for your login certificate key: 1024, 2048, 3072, or 4096.
Chapter


About servers About server groups and client groups Using server groups to manage Enhancing server group security Optimizing server performance Using Tamper Protection Using client groups to manage Managing clients
About servers
The current version of Symantec AntiVirus uses the Secure Sockets Layer (SSL) to encrypt communications between its servers and clients. Symantec AntiVirus versions 9.x and earlier used UDP for such communications. Servers that run the current version of Symantec AntiVirus can manage most legacy clients by default, but in certain cases, configuration is required. See Optimizing definitions and configuration rollouts on page 67. Warning: Symantec AntiVirus 9.x and earlier servers cannot be used to manage clients running the current version of Symantec AntiVirus.
44 Managing Symantec AntiVirus About servers
When you manage with the Symantec System Center, computers running Symantec AntiVirus server software can assume the following roles:

Primary management server Secondary management server Parent management server
About primary management servers

Each server group has an administrator-designated primary management server. This primary management server is responsible for configuration functions in the server group. It can also be responsible for updating virus and security risk definitions. From the Symantec System Center console, when you launch a task at the server group level, the task runs on the server groups primary management server. The primary management server also forwards the task on to all other servers in the server group. If you are using Alert Management System2, the primary management server also processes all notifications. Computers running any of the supported operating systems for servers can be made primary management servers.
How the registry is affected

When you modify server options, you directly modify the registries of the selected servers. The modification is made through the transport manager, which handles communications. The primary management server acts as the repository of all server options on a group level. If you modify on a group level, the changes are recorded first in the registry of the primary management server for that group in the HKLM\ Software\Intel\LANDesk\VirusProtect6\CurrentVersion\DomainData key. Then they are recorded in each of the other servers.
About secondary management servers

Servers that are not assigned primary management server status are called secondary management servers. Secondary management servers are children of primary management servers. They retrieve information from the primary management server and share it with clients.
Managing Symantec AntiVirus About server groups and client groups
45
All servers in a server group are secondary management servers until you assign one as the primary management server. You must designate the primary management server before you can perform most tasks at the server group level.
About parent management servers

A parent management server is a computer running Symantec AntiVirus server software with which a connected computer running Symantec AntiVirus client software communicates to obtain configuration updates and to send alerts. Some servers may act as parent management servers; others may act as primary management servers. These two functions are not mutually exclusive. A primary management server may also act as a parent management server.
About server groups and client groups

Server group members can share a single Symantec AntiVirus configuration, and you can also run a Symantec AntiVirus operation on all members of a server group. From the Symantec System Center console, you can create new server groups and manage their membership. Server groups are independent of Windows domains and other products. You can combine NetWare and Windows computers into the same server groups, which allows simultaneous remote configuration of these systems. Client groups are logical groupings of computers running Symantec AntiVirus client software. Although client groups are always attached to a server group, each client group can be managed individually. By setting up client groups, you can set up and manage different policies under a single parent. Symantec AntiVirus clients are categorized as follows:
Assigned clients are Symantec clients that have been assigned to a client group. They receive virus and security risk definitions files from the server to which they are physically attached, but receive configuration settings and updates based upon the client group to which the Symantec AntiVirus policies are applied. Unassigned clients are Symantec clients that have not been assigned to a client group. They receive configuration settings and updates from their parent management server.
Note: The server group level is the highest level at which you can manage Symantec product configuration changes.
46 Managing Symantec AntiVirus About server groups and client groups
Deciding whether to use server groups, client groups, or both

Each Symantec AntiVirus server group supports a single configuration for all of the clients it manages. Each additional configuration requires adding an additional server to the server group. Server groups may provide you with all the configuration flexibility you need if all of your clients require the same configuration options. If you need more configuration flexibility, you may benefit from using client groups. When you manage using client groups, clients on the same physical server do not need to share the same configuration as other clients in the same server group. In addition, client groups can also decrease the number of servers required to manage Symantec AntiVirus. While each server group requires at least one server per unique configuration, a server group can contain any number of client groups, each with its own configuration.
Client groups and configuration priority

When you manage using client groups, clients assigned to a group receive their configuration from their group, rather than their parent management server: Configuration changes made at the server level are ignored, and apply only to unassigned clients. Configuration changes made at the server group level or system hierarchy level have priority over client group settings, however, and override any settings made at the client group level. To change this default priority, you can configure client groups to use their own settings instead of inheriting settings from their server group. See Using client group settings instead of server group settings on page 79. Table 2-1 lists each item that you can select in the Symantec System Center, and what you can configure when you select it. Table 2-1 Item selected
System Hierarchy
Configuration item options What you can configure

All unlocked server groups and the clients they manage, regardless of their client group membership All servers and clients in the server group, regardless of their client group membership
Server group
Managing Symantec AntiVirus About server groups and client groups
47
Table 2-1 Item selected

Server
Configuration item options What you can configure

The server and its clients, regardless of their client group membership:

Virus sweep Update virus and security risk definitions now History configuration Scheduled and manual scans Virus and security risk definitions updates Quarantine options Client and server Auto-Protect options Client administrator only options Client roaming options Client and server tamper protection options LiveUpdate Auto-Protect status View risk list Clear risk status
The server and/or its unassigned clients:

Client group
Clients assigned to the client group:

Scheduled scans Virus and security risk definitions updates Quarantine options History configuration Client Auto-Protect options Client tamper protection options Client roaming options Client administrator only options LiveUpdate
Client
Read-only
By default, you cannot use the Symantec System Center to configure individual clients. However, you can use the Allow direct configuration of individual clients option to enable the Symantec System Center to configure individual clients. See Enabling direct client configuration on page 80.
48 Managing Symantec AntiVirus About server groups and client groups
How settings propagate

The method that Symantec AntiVirus uses to propagate settings depends upon the item that you choose in the Symantec System Center console. Table 2-2 describes how settings propagate when you choose server groups, servers, client groups, and clients. Table 2-2 Object
Server groups
How settings propagate from the Symantec System Center console Description
When you set options at the server group level, and then click OK, the Symantec System Center communicates directly to every server in the server group. Parent management servers update their clients by rolling out a new Grc.dat file. This file replaces the existing Grc.dat file. Custom settings in the old Grc.dat file are not retained. If you click Cancel, no options change. If you click Reset All, Symantec AntiVirus overwrites all settings in the dialog box.
Servers
When you set options at the server level, and then click OK, the Symantec System Center topology service communicates directly with the selected server. Only the selected server is affected. If you click Cancel, no options change. If you click OK without changing options, Symantec AntiVirus does not overwrite the servers current options.
Client groups
When you set options at the client group level, and then click OK, the primary management server creates a Grcgrp.dat file and sends it to secondary management servers. The secondary management servers update their clients by rolling out a new Grc.dat file. This file replaces the existing Grc.dat file. Custom settings in the old Grc.dat file are not retained. If you click Cancel, no options change.
Clients
When you set options at the client level, and then click OK, the System Center Topology service communicates with the client directly and makes the single change in the registry. If you click Cancel, no options change.
Managing Symantec AntiVirus Using server groups to manage
49
Note: Auto-Protect scanning settings must be locked before they are propagated to clients. See Scanning for viruses and security risks on page 109.
New Grc.dat values overwrite old Grc.dat values

New Grc.dat files are propagated and their values overwrite the values from the old Grc.dat files any time that they are sent to the client. This behavior occurs even when you open a Symantec AntiVirus window or dialog box that contains options from the Symantec System Center console, and then click OK without changing options. If the earlier Grc.dat version contained custom settings that are not in the new Grc.dat, the settings are overwritten. See the Symantec AntiVirus Installation Guide for additional information on using Grc.dat files for client configuration.
Server and client group scenario

A company has Telemarketing and Accounting departments. These departments have staff in the companys Boston, New York, and Newark offices. All computers in both departments have been assigned to the same server group so that they receive virus and security risk definitions updates from the same source. However, IT reports indicate that the Telemarketing department is more vulnerable to risks than the Accounting department. As a result, the system administrator creates Telemarketing and Accounting client groups. Telemarketing clients share configuration options that strictly limit how users can interact with their antivirus and security risk protection.
Using server groups to manage

The installation program groups all of the servers that you select into one server group. This might be adequate if you want all of your managed computers running Symantec AntiVirus to use the same settings. However, if you want to make global configuration changes for groups of servers, you can create new server groups and easily use a drag-and-drop or cut-and-paste operation to move servers from one server group to another. When you move a server, all of its connected client computers move with it. For example, if you have servers that require higher levels of protection, you can place all of them in the same server group and set special options to protect the server group.
50 Managing Symantec AntiVirus Using server groups to manage
Note: If you prefer to manage by using client groups, you can achieve the same end by setting up a new client group. See About server groups and client groups on page 45.
Best practice: Installing a secondary management server

As a best practice, always install a secondary management server in server groups to assist in recovering from disasters. If you do not add a secondary management server and your primary management server fails, you will not be able to access the server group from the Symantec System Center.
Creating server groups

You can create as many server groups as you need to manage your servers and clients efficiently. Each server group requires a primary management server. See Selecting a primary management server for a server group on page 18. To create a server group 1 Right-click System Hierarchy, and then click New > Server Group.
2 3
In the New Server Group dialog box, type the name for the server group. The name cannot have more than 47 characters. In the Username text box, type the user name to use for the new server group. This can be any user name you want to use. The user account is automatically created and assigned to the Administrator role and added to the account management list for this server group.
51
4 5
In the Password text box, type a password to use when unlocking the server group. In the Confirm Password text box, retype the password.
Locking and unlocking server groups

You can lock a server group with a password to prevent unauthorized administrators from making configuration changes. The password for the initial server group was created for the admin user during installation. You can change passwords at any time by using the Account Management option for each server group. For information about changing passwords, see Managing user accounts for server groups on page 57. Note: Server group passwords are not used to uninstall clients and servers. By default, the password for permitting an uninstallation is set to symantec. See Changing the password that is required to uninstall on page 173. Server groups are automatically locked by default each time that you start the Symantec System Center, unless you configure the Symantec System Center to automatically unlock the server group when you start the Symantec System Center. User names and passwords are not saved unless you explicitly configure the Symantec System Center to do so.
Lock and unlock server groups

You can lock and unlock server groups as necessary. To lock a server group
Right-click the server group that you want to lock, and then click Lock Server Group.
To unlock a server group 1 In the Symantec System Center console, in the left pane, right-click the server group, and then click Unlock Server Group.
2 3
In the Unlock Server Group dialog box, type the user account name and password for the server group. If you want these options to be filled in automatically each time that you unlock this server group, check Remember this user name and password for me. If you enable the Symantec System Center to remember the user name and password for this server group, then you can configure the Symantec System Center to start with this server group unlocked. Click Automatically unlock this Server Group when I start the Symantec System Center. Click OK.
To stop saving user name and password or to stop automatic unlocking 1 To stop saving your user name and password, and to stop having the Symantec System Center open with this server group unlocked, right-click the server group, and then click Lock Server Group. Right-click the server group again, and then click Unlock Server Group. In the Unlock Server Group dialog box, uncheck Remember this user name and password for me and Automatically unlock this Server Group when I start the Symantec System Center. Click OK.
2 3
53
Server groups and server root certificates

The first time that you try to unlock a server group that does not have its server group root certificate on the same computer as the Symantec System Center, the following dialog box appears:
You can either have the Symantec System Center copy the root certificate to the Symantec System Center computer the first time that you log on to the server group, or copy it by using Windows authentication. If you choose to simply copy the root certificate, you can suppress this message in the future. Select Windows authentication to provide a greater degree of security.
Viewing and filtering server groups

When you run the Symantec System Center console, you see servers that are running managed Symantec AntiVirus products in a tree format. Servers are grouped under server groups. By default, the Symantec System Center console displays all server groups.
View and filter server groups

You can view a single server group and its contents from the Symantec System Center console or you can filter the server group view to show only a subset of your servers. This is helpful if you have too many servers to manage easily from one window. You can monitor and administer only the server groups that appear in the list.
Note: You receive notifications only for displayed server groups. If you filter a server group, you do not receive notifications from that server group. To view a single server group
Right-click the server group, and then click New Window From Here.
To filter the server group view 1 2 In the left pane, right-click System Hierarchy, and then click View > Filter Server Group View. Uncheck the server groups that you want to filter from the server group list.
Renaming server groups

You can rename server groups as necessary. To rename server groups 1 2 3 Unlock the server group that you want to rename, if necessary. Right-click the server group, and then click Rename. Type the new server group name.
Deleting server groups

Before you can delete a server group, you must move its members to a new or existing server group. To delete a server group 1 2 Right-click the server group that you want to delete, and then click Unlock Server Group, if necessary. In the server group that you want to delete, drag any servers into another server group. You can only delete a server group if it is empty. Right-click the empty server group, and then click Delete. Right-click System Hierarchy, and then click Refresh.
3 4
55
Changing primary management servers

You can change primary management servers easily at any time. You can promote secondary management servers as necessary, thereby demoting the primary management server in that group. Note: When changing primary management servers, you may lose the AMS2 alerts that you have set up. You can reconfigure the alerts on the new primary management server, or export the alerts to the new server before you change primary management servers. See Exporting alert actions to other computers on page 98. To change primary management servers 1 2 Double-click the server group icon. Right-click the secondary management server that you are designating as a primary management server, and then click Make Server A Primary Server.
Changing parent management servers

To change the parent management server of a managed client, you can click and drag the client to a new management server, or you can copy the Grc.dat client configuration file and the server group certificate from the new parent to the client, and then restart the client. The Grc.dat client configuration file is a text-format file that acts as a repository of changes that are made to a group of clients. The Grc.dat client configuration file facilitates communication between computers that run Symantec AntiVirus server software and computers that run Symantec AntiVirus client software. They store important information such as parent management server identity and Symantec AntiVirus product configuration settings. The server group root certificate file, xxx.x.servergroupca.cer, contains the server group root certificate for the server group. If you copy the files from the server that you want to act as the parent server and place them on the client, you will distribute all of the client settings for that server and establish communications.
Change a parent management server

You can change the parent management server by using the Symantec System Center or by manually copying files.
To change the parent management server of a client by using the Symantec System Center
Drag the client from the old server to the new server.
To change the parent management server of a client manually when the servers are in the same server group 1 2 On the intended parent management server, copy the Grc.dat configuration file from the Symantec AntiVirus folder. On the client computer, paste the Grc.dat file into the C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5 folder. Restart the client.
To change the parent management server of a client manually when the servers are not in the same server group 1 2 On the intended parent management server, copy the Grc.dat configuration file from the Symantec AntiVirus folder. On the client computer, paste the Grc.dat file into the C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5 folder. On the intended parent management server, open the pki\roots folder and copy the xxx.x.servergroupca.cer file. On the client computer, paste the xxx.x.servergroupca.cer file into the pki\roots directory, which appears under the directory that contains the Symantec AntiVirus files. Restart the client.
3 4
Moving a server to a different server group

When you move a server, a server configuration file that is named Grcsrv.dat is created on the server automatically. This file synchronizes the new server group settings with the server. The new server group must have a primary management server. The server configuration file is located in the same directory in which Symantec AntiVirus was installed on the server. It has the same format as a Grc.dat client configuration file. It is created when you synchronize a server to a new server groups settings.
57
Note: If you want to add more servers to a server group, and you have archived the private key for the server group, you must copy the server group private key back to the pki\private-keys directory on the primary management server. To move a server to a different group
Drag the server that you want to move into the new server group.
Managing user accounts for server groups

Account management provides secure user accounts and passwords that you use to unlock and configure server groups. Symantec AntiVirus provides several preexisting roles with various levels of privileges for user accounts. You can assign a user to one of these roles when you create user accounts for server groups in the Symantec System Center. Table 2-3 describes the roles and their associated privileges. Table 2-3 Role name
Read-only
User account roles and privileges Description

This role allows the user to lock and unlock the server group, and to view information about the server group. Users have no write access to the server group, so they cannot make any configuration changes to the server group, or to any of its servers and clients. This role gives the user full access to the server group. The user can lock and unlock the server group, and configure both servers and clients in the server group. This role allows the user to do the following:

Administrator
Central Quarantine
Read from and write to virus definitions files. Roll out virus definitions updates to a client or server in the server group. Ping machines in the server group.
Users that are assigned to this role are not allowed to lock and unlock the server group by using the Symantec System Center. Gateway Security This role allows the user to ping computers in the server group. Users that are assigned to this role are not allowed to lock and unlock the server group by using the Symantec System Center.
If the Symantec System Center cannot verify the users role, the user account defaults to Gateway Security, the least privileged of the roles. Symantec AntiVirus also provides one preexisting user who is named admin, and who is assigned to the Administrator role. You cannot delete the admin user account or change its user name, but you can change its password. The following restrictions apply to user accounts:

Passwords that you set must be at least six characters long. Account user names must be unique and are not case-sensitive. Passwords are case-sensitive. User names cannot contain spaces. User names cannot contain the following special characters: "/;\-.+':=
Create, change, and delete user accounts

You can assign multiple user accounts with administrative privileges to a server group. You can manage the accounts for only one server group at a time. To create a user account for a server group 1 2 3 4 Right-click the appropriate server group. Click Account Management. In the Configure Server Group Accounts dialog box, click Add. In the Account Setup dialog box, do the following:

Type the user name. Type the password twice. Under Account Type, select the role that you want to assign to the user: Read-only, Administrator, Central Quarantine, or Gateway Security.
5 6
Click OK. Click Finished. The changes are then sent to the secondary management servers in the server group.
To change a user account for a server group 1 2 3 Right-click the appropriate server group. Click Account Management. In the Configure Server Group Accounts dialog box, select a user account name.
Managing Symantec AntiVirus Enhancing server group security
59
4 5
Click Update. In the Account Setup dialog box, type a new password twice. Under Account Type, if you want to change the users role, select the new role. If you are only changing the role that is under Account Type, you should leave the password options blank. Click OK. Click Finished.
6 7
To delete a user account for a server group 1 2 3 4 5 6 Right-click the appropriate server group. Click Account Management. In the Configure Server Group Accounts dialog box, select a user account name. Click Delete. Click Yes to confirm the deletion. Click Finished.
Enhancing server group security

You can enhance the security that is provided by server group passwords by creating an access list that restricts inbound communication to only the IP addresses that are specified in the access list. For example, you can prevent an attacker who has access to the Symantec System Center console and a valid server group password from making unauthorized changes to the following:

Server and client antivirus and security risk protection settings Auto-Protect settings Client group member assignments Primary management server assignments Grc.dat file distribution Virus and security risks definitions file rollbacks
To implement protection and monitor unauthorized configuration changes, you perform the following tasks:

Choose which computers to protect. Create the access list.
60 Managing Symantec AntiVirus Enhancing server group security
Roll out the access list. Log unauthorized configuration change attempts.
How the access list works

The access list is stored in the Windows registry on every computer that you want to protect. The address for each Symantec System Center console that communicates with the computer is validated against the access list. Symantec System Center consoles with IP addresses that are not included in the access list are limited to read-only access for antivirus and security risk protection and other settings, as shown in Figure 2-1.
61
Figure 2-1
Enhanced server group security
Read Write Authorized Symantec System Center console Read Only Primary Management Server
Read Only
Read Write
Read Only Unauthorized Symantec System Center console Secondary Management Server
Access List
Registry
Access List
Client
Registry
Choosing which computers to protect

The IP address of the computer running the Symantec System Center console should be included in the access list of every server in a server group. If you are only changing client group settings, you only need to include the address for the primary management server. You do not need to include the access list on every client. You can effectively lock down a server group and prevent IP spoofing by creating the access list on each server and leaving it empty. Add IP addresses to the access list only when
you need to allow the Symantec System Center to access the server. Delete the value for an address when you no longer require access.
About the access list

The access list uses a registry subkey that specifies the authorized IP addresses. Add an AccessList subkey to the HKEY_LOCAL_MACHINE\SOFTWARE\ INTEL\LANDesk\VirusProtect6\CurrentVersion registry key. Table 2-4 describes the appropriate format for the addresses of computers that you want to include in the access list. Table 2-4 Protocol/subnet
IP
Access list formats for IP addresses String value format

(IP)-<0.0.0.0> where <0.0.0.0> is the numeric address of the computer. (IP)-<0.0.0.0>/<n> where <0.0.0.0> is the numeric address of the computer and <n> is the subnet notation, for example, 16 or 24.
IP subnet
Forcing the access list to reload

By default, the access list is refreshed every five minutes. If you want a change that you make to the list to take effect immediately, you can force the list to reload by adding a ReadAccessList subkey to the HKEY_LOCAL_MACHINE\ SOFTWARE\INTEL\LANDesk\VirusProtect6\ CurrentVersion\ProductControl key. Set the binary data value to 1.
Rolling out the access list

You can roll out the access list by performing the following tasks:
Create a registry script with the information that you want to add to the access list, such as new values to authorize additional computers. Roll out the access list via your preferred distribution tool. Force the Symantec AntiVirus antivirus component to import the access list immediately. See Forcing the access list to reload on page 62.
63
Logging unauthorized configuration change attempts

When the Symantec AntiVirus antivirus component receives communication from an address that is not included in the access list, an event can be written to the Symantec AntiVirus Event Log. When the event occurs on a computer running Symantec AntiVirus, the log event is forwarded to the parent management server. Note: Unauthorized configuration change information is not written to logs by default. You can edit the registry to log unauthorized changes and you can specify the frequency with which these items are logged. Add the subkeys to the HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\ CurrentVersion\AccessList key. Table 2-5 describes the subkeys and their values used to configure the logging of unauthorized configuration change attempts. Table 2-5 Subkey name
LogAccessDenied
Log unauthorized changes and frequency values Data value

1
Description
Enables logging. If you record every incident, the following message appears: Access denied to network communication from unauthorized address: <IP address> <port> where:

<IP address> is the IP address of the computer that was denied access. <port> is the port number that the computer attempted to use.
Table 2-5 Subkey name
Log unauthorized changes and frequency values Data value

0/n
Description
Sets the frequency for logging unauthorized configuration change attempts.

Log AccessDeniedWindowMinutes
0 records every incident. n (in minutes) records all incidents for the next n minutes.
If you record incidents based on a frequency, the following message appears: Access denied to network communication from unauthorized addresses <number> time(s) in the last <number> minute(s). Most recent address: <IP address> <port> where:

<number> is the frequency and the number of minutes. <IP address> is the IP address of the computer that was denied access. <port> is the port number that the computer attempted to use.
Configuring options for Windows Security Center (WSC)

If you use Windows Security Center running on Windows XP Service Pack 2 to monitor security status, you can use the Symantec System Center to configure the following options for Symantec AntiVirus:

The time period after which WSC considers definitions files to be out of date Whether WSC displays antivirus alerts for Symantec products on the host computer
Note: Symantec product status is always available in the Symantec System Center console, regardless of whether WSC is enabled or disabled.
Configuring the out-of-date time for definitions

By default, WSC considers Symantec AntiVirus definitions to be out of date after 30 days. You can change the number of days that definitions can be out of date during installation in the Windows installer or after installation in the Symantec System Center. Symantec AntiVirus checks every 15 minutes to compare the out-of-date time, the date of the definitions, and the current date. Typically, no out-of-date status is reported to WSC because definitions are usually updated automatically. In the case of a manual update, depending on the out-of-date time that is configured,
65
administrators might have to wait up to 15 minutes to view an accurate status in WSC. To configure the out-of-date time for definitions 1 2 3 4 Right-click the server group that you want to change. Click All Tasks > Symantec AntiVirus > Client Administrator Only Options. If the prompt for Symantec AntiVirus Management Snap-In appears, click Yes. In the Client Administrator Only Options dialog box, under Windows Security Center, next to Definition of AntiVirus up-to-date, type the number of days, or use the up or down arrow to select the number of days that the virus and security risk definitions can be out of date. The value must be in the range from 1 to 90. Click OK.
Configuring alerts to appear on the host computer

You can configure WSC to display alerts from Symantec AntiVirus by using the Symantec System Center. To configure alerts to appear on the host computer 1 Right-click the server group, and then click All Tasks > Symantec AntiVirus > Client Administrator Only Options.
If the prompt for Symantec AntiVirus Management Snap-In appears, click Yes.
In the Client Administrator Only Options dialog box, under Windows Security Center, in the Windows Security Center AntiVirus Alerts dropdown list, select one of the following:
Disable WSC does not display these alerts on the Windows system tray. WSC displays these alerts on the Windows system tray. WSC uses the existing setting to display these alerts.
Enable No action
4 5
Click OK. Restart the clients in each server group to make the changes take effect.
Managing Symantec AntiVirus Optimizing server performance
67
Optimizing server performance

The Symantec System Center allows you to tune server performance in a number of ways. This can be particularly useful in large deployments that include many servers and managed clients.
Optimizing definitions and configuration rollouts

The Symantec System Center provides several options for tuning how servers roll out definitions and configuration changes to clients. You might need to experiment with these settings to optimize them for your environment. Table 2-6 describes the options for tuning server rollouts. Table 2-6 Options
Before attempting rollout, verify that clients havent roamed to another server
Server rollout tuning options Description

Symantec AntiVirus concatenates GUIDs and IP addresses to verify client identity. If you use DHCP and experience parent management server contention for clients with IP addresses that change, and have a highly mobile environment, leave this option checked to reduce parent management server conflict over managed clients. If you have a very static environment in which your clients never or rarely change IP addresses, unchecking this option might result in some improvement in performance.
Skip clients that are late checking in (and are probably offline)
By default, clients are configured to check in for configuration updates every 60 minutes. Configuring clients to be skipped if they are late checking in should result in faster performance during rollouts; if they are not skipped, the thread that is used for each offline client is tied up until it times out. Clients receive the appropriate updates after they check in. Checking this option is not recommended in environments in which multiple clients are offline frequently, such as when many clients use VPN tunnels.
Skip clients that havent checked in since the last failed rollout attempt (and are probably offline)
Enabling this option should increase performance, but is not recommended in environments in which clients might be offline frequently, for example, as when using VPN tunnels.
68 Managing Symantec AntiVirus Optimizing server performance
Table 2-6 Options
Server rollout tuning options Description

Each thread represents a rollout to a single client. The valid range is 1-1200. A reasonable number of threads to use for most singleprocessor computers is 30. Use numbers at the high end only if you are tuning a very powerful server that manages many clients and you have a network that can support the increased bandwidth.
Number of threads to use during rollout
Start a rollout every <number> minutes
More frequent rollouts use more network bandwidth and server resources, but result in more frequent updates to the clients. The valid range is 1-10080 (one week).
For information about the option to manage legacy clients and servers, see Managing legacy clients on page 79. To optimize definitions and configuration rollouts 1 2 Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Server Tuning Options. Check or uncheck the following options:
Before attempting rollout, verify that clients havent roamed to another server Skip clients that are late checking in (and are probably offline) Skip clients that havent checked in since the last failed rollout attempt (and are probably offline)
3 4 5
Set the number of threads to use during rollout to a value that is between 1 and 1200. Set the number of minutes to wait between rollouts to a value that is between 1 and 10080. Click OK.
Monitoring clients
Symantec AntiVirus allows you to monitor the following major transitions in the life cycle of a client computer:

The clients initial contact with a parent The times when a client roams from one parent to another
Managing Symantec AntiVirus Optimizing server performance
69
The clients failure to check in after a specified amount of time has elapsed The uninstallation of Symantec AntiVirus software from a client
To log whether or not a client checks in with the server that manages it, Symantec AntiVirus compares the last check-in time for each client to a saved value for that client. If the elapsed time is greater than the configured time, the event is logged in the Event Log as a system event. You can specify how often the Symantec System Center notifies you of these system events. For example, you might want to set the minutes of inactivity before logging a no check-in event to 10080 (one week) before Symantec AntiVirus logs an initial event that a client has not checked in. You might then set the minutes between no check-in events to 1440 (one day) and the maximum number of events to log to 7. You are then notified in the Event Log every day for a week if the client does not reappear on the network. For particularly large environments with many thousands of clients that are managed by a single server, you might want to tune the server parameters to regulate its CPU usage. To set options for monitoring clients 1 2 Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Server Tuning Options. On the Client Tracking tab, under Processing Parameters, type the following information:
The number of minutes that Symantec AntiVirus should wait for information from the client. The number of clients that Symantec AntiVirus should process before pausing. The number of seconds that Symantec AntiVirus should pause when it checks clients.
70 Managing Symantec AntiVirus Using Tamper Protection
Under Log Client Behavior, type values for the following options:
Minutes of inactivity before logging a no check-in event The number of minutes without client activity that Symantec AntiVirus should wait before it logs the first instance of a clients failure to check in. The maximum number of no check-in events to log per client.
Maximum number of no check-in events per client
Minutes between no check-in events The number of minutes without client activity to wait before subsequent no check-in events are logged.
Click OK.
Turning off client monitoring

You can turn client monitoring off by adding a new DWORD value, HKLM\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\ClientTrack\ Enabled, to the servers registry. Set its value to 0 to turn off client tracking; set its value to 1 to turn on client tracking. By default, client tracking is enabled. You must restart the server for a change to take effect.
Using Tamper Protection

Tamper Protection provides real-time protection for Symantec applications. It prevents Symantec processes from being attacked or affected by non-Symantec processes such as worms, Trojan horses, viruses, and security risks.
Enabling, disabling, and configuring Tamper Protection

When Tamper Protection is enabled, you can configure Symantec AntiVirus to block or log attempts to modify Symantec processes. You can also configure a message to appear on affected computers when Symantec AntiVirus detects a tampering attempt.
Managing Symantec AntiVirus Using Tamper Protection
71
To enable, disable, and configure Tamper Protection 1 Do one of the following:
Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Client Tamper Protection Options. Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Server Tamper Protection Options.
2 3
Check or uncheck Enable Tamper Protection. If you enabled Tamper Protection, then under Protection, in the drop-down list, do one of the following:

To block unauthorized activity, click Block. To log unauthorized activity but allow the activity to take place, click Log Only.
4 5
Check or uncheck Keep Tamper Protection enabled even if Symantec AntiVirus is shut down. Under Notifications, check or uncheck Display message on affected computer.
72 Managing Symantec AntiVirus Using Tamper Protection
6 7
If you are configuring Client Tamper Protection Options, lock or unlock each setting as appropriate for your network. If you are configuring Client Tamper Protection Options, or you are configuring Server Tamper Protection Options at the server group level, click Reset All if you want to propagate the settings on this tab to every client that is attached to the server or server group.
Creating Tamper Protection messages

Tamper Protection lets you create a message that appears on clients when Tamper Protection detects attacks against Symantec applications. The message that you create can contain a mix of text that you type and fields that you select. The fields that you select are variables that are populated with values that identify characteristics of the attack. Table 2-7 describes the fields for Tamper Protection messages. Table 2-7 Field
Filename PathAndFilename
Fields for Tamper Protection messages Description

The name of the file that attacked protected processes. The complete path and name of the file that attacked protected processes. The area of the computer hardware or software that was protected from tampering. For Tamper Protection messages, this is Symantec applications. The name of the computer that was attacked. The name of the logged on user when the attack occurred. The date on which the attack occurred. The action that Tamper Protection performed to respond to the attack. The type of tampering that occurred. The type of target that the process attacked. The ID number of the process that attacked a Symantec application. The name of the process that attacked a Symantec application. The location of the target that the process attacked.
Location
Computer User DateFound Action Taken
System Event Entity Type Actor Process ID
Actor Process Name
Target Pathname
Managing Symantec AntiVirus Using Tamper Protection
73
Table 2-7 Field

Target Process ID
Fields for Tamper Protection messages Description

The process ID of the target that the process attacked. The ID of the terminal session on which the event occurred.
Target Terminal Session ID
Use the following format to create messages:

Text that you type: [Field Name 1] [Field Name 2] (Optional and additional text that you type [Field Name x])
The following example illustrates a message that tells you which process attempted to take which action and when:
Date: [DateFound] Process Located At: [PathAndFilename] (Named: [Actor Process Name]) Attacked: [Target Pathname] [Target Process ID]
To create Tamper Protection messages 1 Do one of the following:
Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Client Tamper Protection Options. Right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Server Tamper Protection Options.
2 3
Under Notifications, check Display message on affected computer and click the lock icon to lock this option. Click Message.
4 5
In the Message box, click to insert a cursor. Use your keyboard to move the cursor, add rows, and type and delete text.
74 Managing Symantec AntiVirus Using client groups to manage
Move the cursor to a position in which you want to insert a field, right-click, click Insert Field, and then select the field to insert. See Table 2-7, Fields for Tamper Protection messages, on page 72. Repeat steps 5 and 6 as necessary. Right-click in the field and use any of the following as necessary: Cut, Copy, Paste, Clear, or Undo.
7 8
Using client groups to manage

You can create as many client groups as you need to manage your clients efficiently.
Creating client groups

All server groups contain a single Groups folder that contains all of the groups for that server group. When you create a new client group, the client group appears inside the Groups folder. By default, client groups inherit their settings from their server group, but you can change this. See Using client group settings instead of server group settings on page 79. To create a client group 1 Under the server group to which you want to add the client group, rightclick the Groups folder, and then click New Group.
2 3 4
In the New Client Group dialog box, type the name for the new client group. The name cannot have more than 15 characters. To apply the settings from an existing client group to the new client group, select the name of the existing client group from the drop-down list. Click Create.
Managing Symantec AntiVirus Using client groups to manage
75
Adding clients to a client group

Computers that are running Symantec AntiVirus server, client, and legacy versions can be added to client groups. All clients are treated identically. If a legacy antivirus client does not have the feature for which a configuration option setting is set, the setting is ignored. A client can belong to only one client group. To add a client to a client group 1 2 Click the server that contains the client. In the right pane, drag the client into the client group.
Configuring settings and running tasks at the client group level

You can set configuration options and run tasks at the client group level. The settings apply to, or the task runs on, all clients in the client group. To configure settings and run tasks at the client group level 1 2 3 4 Right-click the client group. Click All Tasks. Select the product for which you want to set options. Make the appropriate changes for the settings that you want to configure or the task that you want to run.
About client group settings

Client group settings are stored in the primary management servers registry. They are rolled out to each server in a client group configuration file named Grcgrp.dat. The primary management server packages all client group settings into the client group configuration file, and then copies it to each secondary management server in the server group. The secondary management server rolls out the settings to the clients that it manages.
Moving a client to a different client group

You can move clients easily from one client group to another.
To move a client to a different client group
Drag the client that you want to move into the new client group. Once you move the client, it receives the new client groups configuration settings.
Viewing and filtering client groups

When you view client groups, you can do the following:

View a single client group. View information about client groups. Filter the client group view to show only the information that interests you.
Note: Filtering is disabled by default. When you select a client group in the left pane, all of the clients that are assigned to it appear in the right pane. When the Groups folder is selected in the left pane and Default Console View or a Symantec product view is selected from the View menu, the client groups appear in the right pane along with information specific to the view. For example, when the Default Console View is active, the number of clients in each client group appears. The clients must be enumerated to display the client groups accurately. Client group filtering must be enabled in the SSC Console Options Properties dialog box on the Client Display tab for the clients to be enumerated. When you select the Groups folder, the number of clients reported for each client group may not be accurate until a client group is selected. See To filter the client group view on page 77.
View and filter client groups

Filtering improves client viewing performance in the Symantec System Center console. However, if there are many clients and servers in the server group, filtering may have a performance impact. To view a single client group 1 In the Symantec System Center console, in the left pane, right-click the server group that contains the client group, and then click Unlock Server Group. Double-click the server group.
Managing Symantec AntiVirus Using client groups to manage
77
Double-click the Groups folder.
Groups folder Client groups
The client groups appear nested beneath the Groups folder. To filter the client group view 1 On the Tools menu, click SSC Console Options.
In the SSC Console Options Properties dialog box, on the Client Display tab, under Client Group Display Options, check Show client machines when viewing Client Groups. Under Client List Cache Options, check Build client lists when the Server Group is unlocked, if appropriate. This option enumerates all of the clients in the server group when it is unlocked. When this option is unchecked, clients are not added to their client groups until the server is selected. The number of clients in a client group is not accurate until all of the servers in the server group have been selected. This option might affect performance if the server group contains many clients and servers. Under Client Configuration Options, check Indicate when clients are offline to display a unique icon in the Symantec System Center console when a client is not connected to the network. Click OK. On the Action menu, click Refresh.
5 6
Renaming client groups

If you need to change the client group name, you must complete the following tasks:
Create a new client group and import settings from another client group, if appropriate. See Creating client groups on page 74. Move clients from the old client group to the new client group. See To move a client to a different client group on page 76. Delete the old client group. See Deleting client groups on page 78.
Deleting client groups

When a client group is deleted, the clients that are assigned to it retain the settings of the deleted client group. The clients are not assigned new settings until one of the following actions occurs:
The client checks in with its parent management server. The client is then assigned the servers default settings for unassigned clients. The client is assigned to another client group. The client is then assigned the settings of the new client group.
Managing Symantec AntiVirus Managing clients
79
If you delete a client group, and then recreate it before the clients check in with their parent management servers or are reassigned, the clients resume membership in the group automatically. They continue to assume the settings of that group. To delete a client group 1 2 3 4 5 6 In the Symantec System Center console, in the left pane, unlock the server group from which you want to delete the client group. Double-click the server group. Double-click the Groups folder. Right-click the target client group, and then click Delete Group. Click Yes. Click Delete.
Using client group settings instead of server group settings

By default, client groups inherit their settings from the server group that they are in, but you can toggle this on or off at the client group level. To configure a client group to use its own settings
Right-click the client group, and then uncheck Inherit settings from Server Group.
Managing clients
You can perform several client management tasks in the Symantec System Center to manage the clients on your network.
Managing legacy clients

The current version of Symantec AntiVirus uses the Secure Sockets Layer protocol running over TCP to encrypt communications between servers and clients. Symantec AntiVirus versions 9.x and earlier used UDP for such communications. If you migrate version 9.x and earlier servers that manage legacy clients, UDP communications are permitted by default to support the legacy clients. If you perform a new installation (not a migration) of a Symantec AntiVirus server that has no clients, the ability to manage legacy clients is disabled by default. In this instance, if you want to manage clients that run version 9.x or earlier, you must explicitly enable the management of legacy clients on the server. After enabling
80 Managing Symantec AntiVirus Managing clients
this option, you need to restart the server that you configured for the change to take effect. To manage legacy clients 1 2 3 Right-click a server or server group, and then click All Tasks>Symantec AntiVirus>Server Tuning Options. On the Rollout and Management tab, check Allow this server to manage 9.x and earlier clients and servers (requires reboot to take effect). Click OK.
Enabling direct client configuration

You can permit the direct configuration of Symantec AntiVirus clients. The options that you set directly remain in force until a new Grc.dat configuration file is copied to the client. To enable direct client configuration 1 2 Click Tools > SSC Console Options. In the SSC Console Options Properties dialog box, on the Client Display tab, under Client Configuration Options, click Allow direct configuration of individual clients. Click OK.
Handling clients with intermittent connectivity

Each Symantec AntiVirus server stores a list of Symantec AntiVirus clients that it manages, and provides this data to the Symantec System Center. By default, clients check in with their parent management servers once an hour, and parent management servers review their lists of clients once an hour. Parent management servers track client check-in times; if a client fails to check in with its parent management server for more than 30 days, the parent management server removes that client from its list of clients and logs that client as deleted. The next time that the Symantec System Center queries the parent management server for a list of its clients, that client will not appear. You can control this behavior by configuring the following settings:

The client check-in interval The client expiration interval
Managing Symantec AntiVirus Managing clients
81
Changing the client check-in interval

By default, the client check-in interval is set to 60 minutes. You can change the check-in interval by editing the CheckConfigMinutes registry value or by using the Symantec System Center. To change the client check-in interval 1 2 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, under How Clients Retrieve Virus Definitions Updates, check Update virus definitions from parent server. Click Settings. In the Update Settings dialog box, in the Check for updates every box, type the interval in minutes. Click OK until the main Symantec System Center console window appears.
3 4 5
Changing the client expiration interval

On the parent management server, change the client expiration interval by adding a new DWORD, ClientExpirationTimeout, to the HKEY_LOCAL_MACHINE\Software\Intel\LANDesk\VirusProtect6\ CurrentVersion registry key. Make its value a number greater than 0. Warning: The client expiration interval must be greater than the client check-in interval or the parent management server will delete and add clients continually. Without the use of the ClientExpirationTimeout value, the default time is 720 hours. Use a smaller value to decrease the number of minutes that it takes for the client to be removed from the console, or use a larger value to increase the time. For example, if a large number of your client computers are being removed from the Symantec System Center because people are away from the office and their computers are turned off, you can specify a larger number. If the new client configuration is not immediately received by the parent management server or by the client, the information is updated during the client check-in.
82 Managing Symantec AntiVirus Managing clients
Changing the management mode of a client

You can change an unmanaged client into a managed client, and a managed client into an unmanaged client.
Change a clients management mode

When you change an unmanaged client into a managed client, it appears in and can be configured by the Symantec System Center. Similarly, changing a managed client into an unmanaged client causes the client to disappear from the Symantec System Center. To change unmanaged clients into managed clients 1 2 Open Network Neighborhood or My Network Places. Locate and double-click the computer that you want to act as the parent management server. The Symantec AntiVirus server software must be installed on the computer that you select. Open the VPHOME\Clt-inst\Win32 folder. Copy the Grc.dat configuration file in that folder to the <volume>:\Documents and Settings\All Users\Application Data\ Symantec\Symantec AntiVirus Corporate Edition\7.5 folder on the unmanaged client. On the intended parent management server, open the pki\roots folder and copy the xxx.x.servergroupca.cer file. On the client computer, paste the xxx.x.servergroupca.cer file into the pki\roots directory, which appears under the directory that contains the Symantec AntiVirus files. Restart the client.
3 4
5 6
To change managed clients into unmanaged clients 1 2 3 4 Uninstall Symantec AntiVirus from the client workstation. See the Symantec AntiVirus Installation Guide for more information. Using the registry editor, delete the following subkey: HKEY_LOCAL_MACHINE\Software\Intel\LANDesk\VirusProtect6 Begin to reinstall Symantec AntiVirus client software, and when you are prompted to select managed or unmanaged, select unmanaged. Finish the installation.
Chapter
Setting up the Alert Management System


About the Alert Management System How Alert Management System works Configuring alert actions About configuring alert action messages Configuring a default alert message Working with configured alerts Using the Alert Management System Alert Log Forwarding alerts from unmanaged clients
About the Alert Management System

Alert Management System2 (AMS2) provides emergency management capabilities. AMS2 supports alerts on any supported NetWare server or Windows server. You must explicitly install AMS2. It is not installed by default. AMS2 can generate alerts through the following means:

Message box Broadcast Internet mail Page
84 Setting up the Alert Management System How Alert Management System works
Run a program Write to the Windows Event Log Send an SNMP trap Load an NLM
Note: Alerts generated through SNMP traps can be sent to any third-party SNMP management console. To receive SNMP traps from Symantec AntiVirus, you must have the Symantec System Center and AMS2 installed. Install AMS2 on a primary management server if you want SNMP traps generated from that system. You must use the Symantec System Center to designate the primary management server. See Configuring the Send SNMP Trap alert action on page 93.
How Alert Management System works

AMS2 alerts are transferred from Symantec AntiVirus into AMS2 through the Symantec AntiVirus service. On a computer running the Symantec AntiVirus client software, the Symantec AntiVirus service waits for an event thread that requires an alert. These threads can be generated by the following events:

Configuration change Default Alert Symantec AntiVirus startup/shutdown Scan Start/Stop Risk Repair Failed Risk Repaired Virus Definitions File Update Virus Found
If you have configured an alert for any of these events, when the event occurs it will generate a thread. The thread prompts the Symantec AntiVirus service to create a risk information block, which it forwards to the clients parent management server. When the parent management server receives the risk information block, it enters it into its AMS2 log. The risk information is then forwarded to the primary management server, which makes a call to AMS2. AMS2 enters the information into the AMS2 database and acts on it. The action taken depends on how you have the alert configured.
Setting up the Alert Management System Configuring alert actions
85
Communication in AMS2 is carried out through CBA, which is part of the Intel Communication Method.
Configuring alert actions

AMS2 lets you configure many different methods of notificationsuch as pager, SNMP, and emailfor detected viruses or security risks and configuration changes.
Alert configuration tasks

AMS2 alert configuration requires the following related tasks:

Select an alert in the Alert Actions dialog box. Select the alert action that you want to configure for that alert. The alert action is the response AMS2 sends you when an alert parameter is detected. Configure the alert action that you selected.
For example, you can configure the Send Page alert action to notify you if a virus or security risk is detected on a protected server. The pager message can also include information such as virus or security risk name and type, and actions taken. There are no default alert actions for any of the alerts. Until you configure AMS2, no alerts are generated, though virus and security risk events are logged in the AMS2 log file. You can set up more than one action for each alert. Once you have configured alert actions for an alert, a plus (+) or minus (-) sign appears next to each configured alert, depending on whether the entry is collapsed or expanded. Each AMS2 alert action has its own configuration wizard. Once you have configured an alert action, the action appears in the Alert Actions dialog box under the alert for which you configured the action. All alert actions execute on the computer that you select when you configure the action. Actions will not execute if you configure them on a computer that doesnt support that particular action. For example, any computer that you configure the Send Page action on must have a modem.
Speeding up alert configuration

If you have a large network, you may be able to speed up and simplify your configuration of AMS2 by only searching a certain segment of your network for AMS2 computers.
86 Setting up the Alert Management System Configuring alert actions
This is especially useful if you manage a large network with many different servers, and you want to confine your search to one section of the network, or one specific subnet mask. The process is faster when you limit your search, and alerts are contained in the defined network segment. You can get a faster response across a large network if you limit the network segments. You can specify whether you want AMS2 to discover clients only within a certain octet or subnet mask. To speed up alert configuration 1 2 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Click Options.
In the Options dialog box, in the Add IP address box, type the TCP/IP network broadcast address where you want to search for AMS2 computers. This is the first three segments of the computers IP address followed by an all-inclusive segment. For example, if you enter a search broadcast address of 192.168.0.255, any of the 256 computers with AMS2 in the subnet will receive the broadcast. So if you are searching for an AMS2 computer that has an IP address of 192.168.0.50, you will find it. Click Add to add this net address to the Current discovery broadcast addresses list. Only broadcast networks listed here are searched to discover new AMS2 computers. If you have not specified any broadcast networks, the entire network is searched each time that you start a Discovery.
87
To remove a net address that is no longer needed from the Current discovery broadcast addresses list, select the address, and then click Remove. When you remove a net address from this list, it doesnt disable that section of the network. Removing a net address only prevents AMS2 from searching that section of the network for AMS2 computers. Click OK to save the list and return to the Alert Actions dialog box.
Configuring the Message Box alert action

The Message Box alert action displays a message box on the computer from which you configure the action. You can select whether the message box sounds a beep when it appears and whether the message box always appears on the screen until cleared. To configure the Message Box alert action 1 2 3 4 5 6 7 8 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions. Click Configure. Click Message Box, and then click Next. Select a computer to execute the action, and then click Next. Select whether you want an error beep and whether you want the dialog box to always appear on top until it is cleared. Click Next. Type an action name. The action name and the action computer name appear in the Alert Actions dialog box beside this action. In the Message box, type any message text that you want to display and move available parameters that you want from Alert Parameters to the Message box. See About configuring alert action messages on page 95.
10 Click Finish.
Configuring the Broadcast alert action

The Broadcast alert action sends a message to all computers logged on to the server that generates the alert.
To configure the Broadcast alert action 1 2 3 4 5 6 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions. Click Configure. Click Broadcast, and then click Next. Select a computer to execute the action, and then click Next. In the Message box, type any message text that you want to display and move available parameters you want from Alert Parameters to the Message box. See About configuring alert action messages on page 95. Type an action name. The action name and the action computer name will appear in the Alert Actions dialog box beside this action. Click Finish.
Configuring the Run Program alert action

The Run Program alert action runs a program on the computer for which you configure the alert action. You must complete two fields in the Run Program dialog box. The Program box should contain the full path to the program that you want to run. The Command Line box should contain any command-line options for that program. The program that you select should be on the computers local drive to ensure that AMS2 can find it. If you are running the program on a remote computer, you must enter the path to the program from that computer. If you are running a Windows program, you can select whether that program runs in a normal, minimized, or maximized state. This option has no effect on MS-DOS programs. To configure the Run Program alert action 1 2 3 4 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions. Click Configure. Click Run Program, and then click Next.
89
5 6 7 8 9
Select a computer to execute the action, and then click Next. Type the full path name to the program that you want to run, including the program name. Type any command-line options that you want the program to use. Select a Windows execution state of normal or minimized. Click Finish.
Configuring the Load An NLM alert action

The Load An NLM alert action loads a NetWare Loadable Module (NLM) on a selected NetWare server when the AMS2 alert occurs. You must configure this alert to determine which NLM is loaded, and the server onto which it loads. This alert action is similar to the Run Program alert action for a Windows computer. For example, if you were running the Symantec AntiVirus management snap-in, you could configure the Load An NLM alert action to load an NLM that you or a third party created on a selected NetWare server when Symantec AntiVirus detects a risk. This NLM could monitor who accesses the server and who is using the infected file. It could also back up files should the server crash because of the infection. To configure the Load An NLM alert action 1 2 3 4 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions. Click Configure. Click Load An NLM, and then click Next. The first time that you configure this action, AMS2 needs to search the network for NetWare computers that can perform this action. When completed, the NetWare computers appear in tree format. If the computer that you are looking for does not appear in the list, click Options. See Speeding up alert configuration on page 85. Select the computer on which the NLM should load, and then click Next. Type or select the NLM to load. NLMs are usually stored in the SYS:\SYSTEM directory on NetWare servers. Type any command-line options you want the program to use. Click Finish.
6 7 8 9
Configuring the Send Internet Mail alert action

The Send Internet Mail alert action sends an Internet mail message to the user that you specify. When using the Send Internet Mail alert action, you need to also specify the SMTP Internet mail server through which the alert action will send the message. If you specify the mail server by name, you need to have a DNS server configured so that the Send Internet Mail alert action can resolve the servers IP address. If you do not have a DNS server, you can enter the mail servers IP address directly. If you do not have access to an SMTP Internet mail server at your site, this alert action wont work. To configure the Send Internet Mail alert action 1 2 3 4 5 6 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions. Click Configure. Click Send Internet Mail, and then click Next. Select the computer to execute the action, and then click Next. In the To Internet Mail Address, Return Internet Mail Address, Subject, and SMTP Mail Server boxes, type or select information as appropriate. It is preferable to provide the mail servers IP address rather than its name. The Return Internet Mail Address box must contain a valid Internet email address. Most email servers will not send a message if the server cant validate the senders email address. Click Next. In the Message box, type any message text you need and move available parameters you want from Alert Parameters to the Message box. See About configuring alert action messages on page 95. Type an action name. The action name and the action computer name appear in the Alert Actions dialog box beside this action.
7 8
10 Click Finish.
91
About paging services

You can access a paging service either directly or indirectly. Direct paging refers to dialing the service provider network access phone number and accessing the service providers computer network directly to enter the pager identification number. The paging service network then sends the message to the pager. AMS2 alerting does not work with indirect paging. Indirect paging involves calling a paging service, speaking with an operator, and giving the operator the pagers identification number. The paging service operator enters the information into the paging network, and then sends the message to the pager. The indirect paging method that is often used when contacting the network directly may be a toll call, and the pager service offers toll-free service through the operator.
Configuring the Send Page alert action

The Send Page alert action sends a pager message to the number that you specify. You need to configure the Pager alert action for your paging service. At a minimum, this information includes the paging service phone number and the name of the paging service that you are using. Note: Any computer on which you configure a Send Page action needs to have a modem. See Testing configured alert actions on page 98. To configure the Send Page alert action 1 2 3 4 5 6 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions. Click Configure. Click Send Page, and then click Next. Select a computer to execute the action, and then click Next. Type the access telephone number that you are calling to reach the paging service. Be sure to include any numbers necessary to access an outside line from your site. Type the pager ID number and password that you use to access the paging service network. If your paging service doesnt use a password, leave the Password box blank.
Select your service type. If your paging service is not in the Service drop-down list in the Send Page dialog box, try to use the Standard Numeric or the Standard Alpha/Numeric service. Select the one that most closely matches the type of pager that you use. If the generic service that you select doesnt work with your pager, you must configure the communication parameters that the Send Page alert action needs to use. You can get this information from your paging service. If necessary, do the following:

Click Settings.
In the drop-down lists, select the baud rate, data and stop bits, parity, and the paging protocol that your paging service uses, and then click OK. If your paging service is in the Service drop-down list, these parameters are configured automatically when you select the service. 9 Click Next. If youre creating a message for an alphanumeric pager, in the Message box type any message text you want to display and move available parameters from Alert Parameters to the Message box. See About configuring alert action messages on page 95. If youre creating a message for a numeric pager, you can only type numbers in the Message box. The Send Page alert action supports both alphanumeric and numeric-only pagers (numeric-only pagers are sometimes called beepers). If youre paging an alphanumeric pager, the message can include any text that you type in and information from the alert that generated the message. This message should not exceed the maximum number of characters that your paging service supports; otherwise, you could get a truncated message. If youre paging a numeric-only pager, you may want to create a system of server numbers and numeric error codes that correspond to alerts that you configure. For instance, you could create a system where 1 refers to your main production server and number 101 means some specific event has occurred. If you received the message 1 101, then you would know that the event had occurred on your main production server.
10 Type an action name. The action name and the action computer name appear in the Alert Actions dialog box beside this action. 11 Click Finish.
93
Configuring the Send SNMP Trap alert action

Simple Network Management Protocol (SNMP) is a message-based protocol based on a manager/agent model consisting of Get, GetNext, and Set messages and responses. SNMP uses traps to report exception conditions such as component failures and threshold violations. AMS2 can generate an SNMP trap when an alert occurs. You can configure systems generating alerts to send these traps to a management console, such as HP OpenView, Tivoli Enterprise Console, or Computer Associates Unicenter. You must specify the IP address of the computers to which you want SNMP traps sent. To configure the Send SNMP Trap alert action 1 2 3 4 5 6 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions. Click Configure. Click Send SNMP Trap, and then click Next. Select a computer to execute the action, and then click Next. In the SNMP trap, type any message text that you want to display and move the parameters that you want from Alert Parameters to the Message box. See About configuring alert action messages on page 95. Type an action name. The action name and the action computer name appear in the Alert Actions dialog box beside this action. Click Finish.
Configuring trap destinations for Windows 2000/2003 Server

You can configure SNMP traps for Windows 2000/2003 Server. To configure trap destinations for Windows 2000/2003 Server 1 2 3 4 5 On the Windows taskbar, click Start > Settings > Control Panel. Double-click Administrative Tools. Double-click Computer Management. Click Services and Applications. Click Services.
6 7 8
In the right pane, click SNMP Service. On the Action menu, click Properties. On the Traps tab, under Community name, type the case-sensitive community name to which this computer will send trap messages, and then click Add to List. In Trap destinations, click Add.
10 In Host name, IP address, type information for the host, and click Add. 11 Repeat steps 8 through 10 until you have added all the communities and trap destinations you want.
Configuring trap destinations for NetWare

You can configure SNMP traps for NetWare 5.x and 6.x servers. To configure trap destinations for NetWare 1 2 3 4 5 In the NetWare server console, type: load inetcfg Select Protocols and press Enter. Select TCP/IP and press Enter. Select SNMP Manager Table, and then press Enter to display the SNMP Manager Table. Do one of the following:

To modify an existing address, select it, and then press Enter. To add a new address, press Insert, type an IP address, and then press Enter. To delete an address, select it, press Delete, and then press Enter to confirm the deletion.
6 7
Press the Esc key to close the dialog box. Press Enter to confirm the change to the database.
Configuring the Write To Event Log alert action

The Write To Event Log alert action creates an entry in the Windows Event Logs Application Log. This entry is logged on the server from which the alert came. This alert action is available only on supported Windows computers.
Setting up the Alert Management System About configuring alert action messages
95
To configure the Write To Event Log alert action 1 2 3 4 5 6 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert for which you want to configure alert actions. Click Configure. Click Write To Event Log, and then click Next. Select a computer to execute the action, and then click Next. In the Message box, type any message text that you want to display and move parameters that you want from Alert Parameters to the Message box. See About configuring alert action messages on page 95. Type an action name. The action name and the action computer name appear in the Alert Actions dialog box beside this action. Click Finish.
About configuring alert action messages

For alert actions that generate messages (for example, Message Box, Broadcast, Send Page, and Send Internet Mail), you can include additional information from the alert that generated the message. The additional types of information available vary, depending on the type of alert action that you configure. The additional types of information appear in Table 3-1. Table 3-1 Alert parameter
<Actual Action> <Alert Name>
Alert message parameters Description

The actual action that was taken on the threat or security risk. The name of the alert; for example, Symantec AntiVirus Startup/Shutdown. The name of the computer on which the alert originated. The actions that were taken to correct the risk. The date when the notification was generated. More information about the nature of the notification; for example, Symantec AntiVirus services shutdown was successful. The name of the alert that failed. This parameter is available for default alerts.
<Computer Name> <Corrective Actions> <Date> <Description>
<Failed Alert Name>
96 Setting up the Alert Management System About configuring alert action messages
Table 3-1 Alert parameter

<File Path>
Alert message parameters Description

The location of the file that was infected by the threat or security risk. The type of scan that found and logged the alert. The primary action that was configured for this threat or security risk. The level of severity assigned to the alert; for example, Critical or Non-Critical. The product source of the notification; for example, Symantec AntiVirus. The name of the threat or security risk that triggered the alert. The time when the notification was generated. The name of the user who was logged in when the alerttriggering event occurred. The name of the virus or security risk that triggered the alert.
<Logger> <Requested Action>
<Severity>
<Source>
<Risk Name> <Time> <User>
<Virus Name>
The Message dialog box includes a text box in which you can enter as many as 256 characters to be used as the text of the message that you want to send. You can use the variables in Alert parameters to insert information generated by the alert. Parameters are delimited by < and > characters. Each parameter placeholder that you add to the Message text box is substituted with corresponding alert information when an alert occurs.
Alerting System Notification
See Testing configured alert actions on page 98.
Setting up the Alert Management System Configuring a default alert message
97
Configuring a default alert message

If the AMS2 alerting system detects a message larger than 1 KB, the message will not be delivered. If you have configured a default alert message, it will be delivered instead. You can configure this default alert to notify you when a message exceeds 1 KB. To configure a default alert message 1 2 3 4 5 6 7 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Click Default Alert, and then click Configure. Click Message Box, and then click Next. Select a computer on which to execute the action, and then click Next. Select whether you want an error beep and whether you want the dialog box to always appear on top until it is cleared. Click Next. Type the action name that describes the message that you are configuring. The action name and the action computer name appear in the Alert Actions dialog box beside this action. In the Message box, do one of the following:
Type custom message text that you want to display and move available parameters that you want from Alert Parameters to the Message box.
Click Default to use the default message information for this alert action, and then type custom message text that you want to display. See About configuring alert action messages on page 95.
Click Finish.
Working with configured alerts

Once you have configured alert actions, you can do the following:

Test them to make sure they work as expected. Delete them. Export them to other computers.
98 Setting up the Alert Management System Working with configured alerts
Testing configured alert actions

After you configure alert actions, you can test them in the Alert Actions dialog box. When you select an alert and then click Test Action, all alert actions configured for that alert execute. When you select a specific alert action and click Test Action, only that alert action executes. To test an alert
In the Alert Actions dialog box, select an alert, and then click Test Action.
Deleting an alert action from an alert

You can delete actions associated with an alert as necessary. To delete an alert action from an alert 1 2 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Select the alert action you want to delete, and then click Delete.
Exporting alert actions to other computers

Each computer that generates AMS2 alerts stores its alert information in a local AMS2 database. Typically, the alerts and actions stored in one database are not visible to AMS2 databases on other computers. There may be times when you want to duplicate configurations of AMS2 alert actions on a computer across multiple computers so you do not have to repeat your work. The AMS2 export option lets you export alert actions to other computers that generate AMS2 alerts. Alert actions, such as a Send Page alert action configuration or a Message Box alert action configuration, only export if the alert for which you configured the action exists on both computers. In most cases, you can ensure this is the case by installing the same application on both computers. This way, both applications will register their alerts with their respective AMS2 databases. When you export alert actions from one computer to another, you have the choice of exporting a single alert action or all alert actions. Once AMS2 exports alert actions to a computer, AMS2 displays the Export Status dialog box to let you know the results of the export.
Setting up the Alert Management System Working with configured alerts
99
If the export option cannot export an alert action because the alert for which the action was configured doesnt exist on the target computer (or for any other reason), the Export Status dialog box indicates that the alert action couldnt be exported. Alert actions also may fail to export if the target computers AMS2 installation is not working correctly. To export alert actions to other computers 1 2 3 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > Configure. Click Symantec AntiVirus Corporate Edition, and then click Export. In the Select Actions dialog box, check the actions that you want to export, and then click Next. To select all configured actions, click Symantec AntiVirus Corporate Edition. In the Select Computers dialog box, check the computers that you want to receive the alert actions that you selected. If the computer you want has AMS2 active on it and it is not in the Available Computers list, click Options. See Speeding up alert configuration on page 85. Click Finish. In the Export Status dialog box, verify that the alert actions were exported successfully, and then click Close.
4 5
6 7
Viewing export status

After AMS2 exports alert actions to the computers that you selected in the Select Computers dialog box, AMS2 displays the export results in the Export Status dialog box. The Export Status dialog box displays alert actions that do not export successfully. If alerts do not export successfully, it may be for the following reasons:
AMS2 is not up or working correctly on the target computer. Verify AMS2 by testing a configured alert action on that computer from the Alert Actions dialog box. The alert for which the action was configured doesnt exist on the target computer. Make sure that the application that registered the alert with AMS2 on the source computer is installed on the target computer.
100 Setting up the Alert Management System Using the Alert Management System Alert Log
Using the Alert Management System Alert Log

You can use the Alert Log to view a list of all alerts generated by network computers running Symantec AntiVirus. You can configure the Alert Log to do one of the following:

Display only the alerts that match the conditions that you specify. Display a specified number of entries.
The Alert Log displays a list of alerts with the following information about each alert:

Alert Name Source Computer Date Time Severity
You can view more detailed information about each alert in the Alert Information dialog box. Each server stores its own copy of the Alert Log locally. When you select a server and view its Alert Log, youre actually retrieving a copy of that servers Alert Log to your local console. Therefore, if that server is not powered on or available, you wont able to retrieve its Alert Log for viewing.
View and interact with the Alert Log

You can view the Alert Log and interact with it in the following ways:

Change the number of entries displayed in the log Delete entries Copy the contents to the clipboard
Setting up the Alert Management System Using the Alert Management System Alert Log
101
To view the Alert Log
Right-click the server group, and then click All Tasks > AMS > View Log.
To change the number of entries displayed in the Alert Log 1 2 In the Alert Log window, right-click, and then click Options. On the Settings tab, specify the maximum number of log entries that you want the log to store. You can independently configure the number of entries that an Alert Log stores on each server.
To delete a single entry
Right-click the log entry, and then click Delete > Selected Entries.
To delete multiple log entries 1 2 Press Ctrl and select the multiple log entries. In the Alert Log window, right-click, and then click Delete > Selected Entries. To select a range, click the first entry, and then press Shift and click the last entry.
To delete all visible log entries
In the Alert Log window, right-click, and then click Delete > Filtered Entries.
102 Setting up the Alert Management System Using the Alert Management System Alert Log
To copy Alert Log contents to the Clipboard 1 2 Press and hold the Ctrl key, and then select the multiple log entries. In the Alert Log window, right-click, and then click Copy. Only the alerts visible in the log are copied. If you want to limit the number of entries that the Alert Log copies to the Clipboard, apply filters to limit the number of visible log entries. See Filtering the Alert Log display list on page 103.
Viewing detailed alert information

You can view detailed information about each alert that the Alert Log displays. The Alert Information dialog box displays a list of parameters such as Alert name, Source, Date, Severity, and Description, as well as values for the selected alert action. The Alert Information dialog box also displays the types of status that appear in Table 3-2. Table 3-2 Action Status
Action Name Action Type
Action Status types Description

A name given to the specific action. The type of action generated by the alert, such as Message Box, Pager, Internet Mail, Execute Program, or Broadcast. The name of the computer that generates the alert. The status of the alert. The status type can include Pending, Processing Action, Error, Completed Successfully, and Failed To Complete.
Action Host Status
To view the alert information and Action Status 1 2 In the Alert Log window, double-click the alert for which you want to display detailed information. When you finish viewing the alert information, click Close. The computer listed in the Alert Log is the primary management server that recorded the action because it records all events for the Symantec server group. Look at the Alert Information dialog box to see which computer actually generated the alert.
Setting up the Alert Management System Using the Alert Management System Alert Log
103
Filtering the Alert Log display list

You can configure the Alert Log to display only those alerts that match specified criteria. You can filter which alerts display according to the parameters that appear in Table 3-3. Table 3-3 Filter
Computer Source
Alert Log filters Description

Displays alerts from a specific computer. Displays alerts from the same type of alert source on one or more computers. Displays all alerts with a specific alert name. Displays only alerts matching the severity levels that you select. You can specify the following severity levels: Monitor, Information, OK, Warning, Critical, and Fatal. Displays only alerts that occurred between the specified from and to dates and times.
Alert Severity
Date
To specify which alerts appear in the Alert Log 1 In the Symantec System Center console, right-click the server group, and then click All Tasks > AMS > View Log.
104 Setting up the Alert Management System Forwarding alerts from unmanaged clients
In the Alert Log window, right-click, and then click Options.
3 4
Select the filters you want to apply to the Alert Log list. Click OK.
Forwarding alerts from unmanaged clients

Unmanaged Symantec AntiVirus clients can be configured to forward their alerts to an AMS2 server. The AMS2 client software is not installed as part of the client installation. If you want to use the alerting features that AMS2 provides for unmanaged clients, you can install the AMS2 client program that is included on the Symantec AntiVirus CD. For the alert to be sent, the client computer must be connected to the network and must be able to connect to the AMS2 server.
Setting up the Alert Management System Forwarding alerts from unmanaged clients
105
To forward alerts to an AMS2 server 1 2 Use a text editor such as Notepad to create a new text file. Add the following lines:
[KEYS] !KEY!=$REGROOT$\Common AMSServer=S<AMSServerName> AMS=D1 !KEY!=$REGROOT$\ProductControl LoadAMS=D1
In the <AMSServerName> line, do one of the following:

Type the IP address for the intended AMS2 server. Type the name of the intended AMS2 server (make sure that the client can resolve the server name). Be sure to include the S that precedes <AMSServerName>. Do not include the brackets.
Save the file as Grc.dat to the C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus folder on the client computer. After you create the Grc.dat configuration file, you can copy it to other unmanaged clients. These unmanaged clients then forward alerts to the same AMS2 server.
106 Setting up the Alert Management System Forwarding alerts from unmanaged clients
Section
Configuring Symantec AntiVirus

Scanning for viruses and security risks Updating definitions Responding to virus outbreaks Managing roaming clients Working with Histories and Event Logs
108
Chapter
Scanning for viruses and security risks


About viruses and security risks About Symantec AntiVirus scans Configuring Auto-Protect Configuring manual scans Creating and configuring scheduled scans Managing the client user experience
About viruses and security risks

Symantec AntiVirus can scan for both viruses and for security risks, such as spyware, adware, and other files that can put a computer, as well as a network, at risk. By default, Symantec AntiVirus does the following:
Detects, removes, and repairs the side effects of viruses, worms, Trojan horses, and blended threats. Detects, removes, and repairs the side effects of security risks such as adware, dialers, hack tools, joke programs, remote access programs, spyware, trackware, and others.
110 Scanning for viruses and security risks About viruses and security risks
Symantec AntiVirus can scan for the following types of risks:

Viruses Programs or code that attach a copy of themselves to another computer program or document when it runs. Whenever the infected program runs or a user opens a document containing a macro virus, the attached virus program activates and attaches itself to other programs and documents. Viruses generally deliver a payload, such as displaying a message on a particular date. Some viruses specifically damage data by corrupting programs, deleting files, or reformatting disks. Worms Programs that replicate without infecting other programs. Some worms spread by copying themselves from disk to disk, while others replicate only in memory to slow a computer down. Programs that contain code that is disguised as or hiding in something benign, such as a game or utility. Threats that blend the characteristics of viruses, worms, Trojan horses, and code with server and Internet vulnerabilities to initiate, transmit, and spread an attack. Blended threats use multiple methods and techniques to spread rapidly and cause widespread damage throughout the network. Stand-alone or appended programs that secretly gather personal information through the Internet and relay it back to another computer. Adware may track browsing habits for advertising purposes. Adware can also deliver advertising content. Adware can be unknowingly downloaded from Web sites, typically in shareware or freeware, or can arrive through email messages or instant messenger programs. Often a user unknowingly downloads adware by accepting an End User License Agreement from a software program. Dialers Programs that use a computer, without the users permission or knowledge, to dial out through the Internet to a 900 number or FTP site, typically to accrue charges. Programs used by a hacker to gain unauthorized access to a users computer. For example, one hack tool is a keystroke logger, which tracks and records individual keystrokes and sends this information back to the hacker. The hacker can then perform port scans or vulnerability scans. Hack tools may also be used to create viruses. Programs that alter or interrupt the operation of a computer in a way that is intended to be humorous or frightening. For example, a program can be downloaded from a Web site, email message, or instant messenger program. It can then move the Recycle Bin away from the mouse when the user attempts to delete it or cause the mouse to click in reverse. Other security risks that do not conform to the strict definitions of viruses, Trojan horses, worms, or other security risk categories, but that might present a risk to a users computer and data. Programs that allow access over the Internet from another computer so that they can gain information or attack or alter a users computer. For example, a program may be installed by the user, or installed as part of some other process without the user's knowledge. The program can be used for malicious purposes with or without modification of the original remote access program.
Trojan horses
Blended threats
Adware
Hack tools
Joke programs
Other
Remote access programs
Scanning for viruses and security risks About Symantec AntiVirus scans
111
Spyware
Stand-alone programs that can secretly monitor system activity and detect passwords and other confidential information and relay it back to another computer. Spyware can be unknowingly downloaded from Web sites, typically in shareware or freeware, or can arrive through email messages or instant messenger programs. Often a user unknowingly downloads spyware by accepting an End User License Agreement from a software program.
Trackware
Stand-alone or appended applications that trace a user's path on the Internet and send information to the target system. For example, the application can be downloaded from a Web site, email message, or instant messenger program. It can then obtain confidential information regarding user behavior.
By default, Auto-Protect scans for viruses, Trojan horses, worms, and security risks when it runs and when you perform a scan of any type. Some risks, such as Back Orifice, were detected as viruses in earlier versions of Symantec AntiVirus. They remain detected as viruses so that Symantec AntiVirus can continue to provide protection for legacy computers.
About Symantec AntiVirus scans

You can configure the following types of scans from the Symantec AntiVirus view in the Symantec System Center console:
Auto-Protect scans

Auto-Protect File System scans Auto-Protect email attachment scanning for Lotus Notes, Microsoft Exchange, and Outlook (MAPI and Internet) Auto-Protect scanning for Internet email messages and attachments that use the POP3 or SMTP communications protocols; Auto-Protect scanning for Internet email also includes outbound email heuristics scanning
Manual scans Virus sweep scans Scheduled scans
By default, all types of Symantec AntiVirus scans detect viruses and security risks, such as adware and spyware, and quarantine them and remove or repair their side effects.
112 Scanning for viruses and security risks About Symantec AntiVirus scans
Note: In some instances, you might unknowingly install an application that includes a security risk such as adware or spyware. To avoid leaving the computer in an unstable state, Symantec AntiVirus waits until the application installation is complete before it quarantines the risk. It then repairs the risks effects. You can perform scans on the following:

Individual and multiple Symantec AntiVirus servers and clients Groups of Symantec AntiVirus servers and clients, using server groups
Understanding Auto-Protect scans

Auto-Protect continuously scans files and email data for viruses and for security risks, such as spyware and adware, as they are read from or written to a computer. Auto-Protect scans email data only on Symantec AntiVirus clients. Auto-Protect includes the SmartScan feature, which, when enabled, can determine a files type even when a virus changes the files extension. You can use Symantec AntiVirus to set Auto-Protect options for servers at the server group or individual server level, and clients at the server group, individual server, or client group level. When you configure Auto-Protect, the configuration pages look slightly different depending on whether you set options for servers or clients. When you configure Auto-Protect, you can lock Auto-Protect options on clients if you want to enforce a company security policy for viruses and security risks. Users cannot change options that you lock. Note: You must lock the Auto-Protect client settings that you configure in the Symantec System Center console before the Symantec System Center can propagate them to the clients. If you make a change but do not lock the setting, the change is not propagated to clients. See Configuring Auto-Protect on page 123. Auto-Protect is enabled by default. You can view Auto-Protect status in the Symantec System Center. To view Auto-Protect status
Right-click a server or client, and then click All Tasks > Symantec AntiVirus > Auto-Protect Status.
113
Understanding manual scans

Manual or on-demand scans inspect selected files and folders on selected computers. Manual scans provide immediate results from a scan on an area of the network or a local hard drive. Manual scans inspect files for viruses and security risks, such as spyware and adware. See Configuring manual scans on page 154.
Understanding virus sweep scans

A virus sweep scan scans at the system hierarchy, server group, or individual server level. A virus sweep scans for both viruses and security risks. You can name a virus sweep and view its history in a Virus Sweep History log. Note: Once you start a virus sweep it must complete; you cannot stop it. See Running a virus sweep on page 212.
Understanding scheduled scans

From the Symantec System Center console, you can schedule scans to run at certain times on Symantec AntiVirus servers and clients. Users can also schedule scans for their computers from Symantec AntiVirus clients, but they cannot change or disable scans that you schedule for their computers. Symantec AntiVirus runs one scheduled scan at a time. If more than one scan is scheduled at the same time, they run sequentially. When you create and save a scheduled scan, Symantec AntiVirus remembers the server group, server, or computer on which to run the scan and the settings that you chose for that scan. If a computer is turned off during a scheduled scan, the scan does not run unless the computer is configured to run missed scan events. See Setting options for missed scheduled scans on page 167. Scheduled scans inspect files for viruses and security risks, such as spyware and adware. See Creating and configuring scheduled scans on page 164.
Selecting computers to scan

In the Symantec System Center console, you select the computers that you want to scan, determine the types of scans that are available, decide where the scans are performed, and set the scan options. Table 4-1 lists the types of scans that are available for each type of object in the Symantec System Center navigation tree. Table 4-1 Object selected
System Hierarchy
What you can scan Scans available

Virus sweep scanning of all Symantec AntiVirus servers and clients in the network. A virus sweep also scans for security risks.
Multiple server groups
Virus sweep scanning of all Symantec AntiVirus servers and their clients in the selected server groups. Scheduled scanning for the selected Symantec AntiVirus servers. Virus sweep scanning of all Symantec AntiVirus servers and their clients in the selected server group. Scheduled scanning for the Symantec AntiVirus servers in the selected server group. Virus sweep scanning of the selected Symantec AntiVirus servers. Manual scanning of the selected Symantec AntiVirus server. Virus sweep scanning of the Symantec AntiVirus server and all of its Symantec AntiVirus clients. Manual scanning of the Symantec AntiVirus server. Scheduled scanning of the Symantec AntiVirus server or its Symantec AntiVirus clients.
Server group
Selected servers in a server group
Single server
Selected Symantec AntiVirus clients for a single Symantec AntiVirus server An individual Symantec AntiVirus client
Manual scanning of the selected Symantec AntiVirus clients that are managed by the Symantec AntiVirus server.
Manual scanning of the selected Symantec AntiVirus client. Scheduled scanning of the selected Symantec AntiVirus client.
115
Determining scan options for multiple computers

When you view Auto-Protect, virus sweep, or manual scan options for multiple selected computers, the configuration check boxes and options have a tri-state feature that is apparent only when the computers have different options configured. To toggle through an options available states, click the option repeatedly. Table 4-2 describes the possible states for options. Table 4-2 Symbol

Check box and option symbols and their meaning Description

Means that the option is selected for all of the computers in that group. Setting an option to a state other than the dimmed state resets that option for selected computers. Means that the option is not selected for any computer in that group. Setting an option to a state other than the dimmed state resets that option for selected computers. Means that some of the computers in the group have that option selected and some do not. Setting an option to a state other than the dimmed state resets that option for selected computers.
A solid black check mark in a check box A solid black bullet in an option
A blank check box
A dimmed check mark in a dimmed box A blank series of options A blank box
Note: Some options, such as excluding files and folders, are not available when you select multiple computers because the option applies only to a specific computer.
Scan option precedence

Scan configuration changes that you make at the server group level override any changes that you make at the client group or server level, unless you configure a client group so that it does not inherit its server group settings. See Using client group settings instead of server group settings on page 79. Note: Auto-Protect options work differently from the other scan options. AutoProtect options must be locked at the server group or server level before they can be propagated to clients. If you make a change but do not lock the setting, the change is not propagated to clients.
See Understanding Auto-Protect scans on page 112.
About inclusions and exclusions in scans

Inclusions and exclusions help you to balance the amount of protection that your network requires with the amount of time and resources that are required to provide that protection. For example, if you choose to scan all file types, you might want to exclude certain folders that contain only data files that are not subject to viruses. Or, you might want to scan only the files with extensions that are likely to contain a virus or other risk. When you select to scan only certain extensions, you automatically exclude all files with other extensions from the scan. These choices decrease the overhead that is associated with scanning files. Depending on the type of scan and the objects of your scan, you can exclude by files, folders, file extensions, or file types. You can include only certain file types or extensions in a scan. You can include and exclude items from scans that you initiate from the Symantec AntiVirus client or server user interface, or from the Symantec System Center console. Table 4-3 describes the types of exclusions that you can configure by the object type in the Symantec System Center console navigation tree. Table 4-3 Object type
Server group Server
Exclusions by object type Exclusions available

Server scans: File extensions and named folders.

Server scans: File extensions, drives, files, and folders. Client scans: File extensions, drives, and named folders.
Client group NetWare servers
Client scans: File extensions, drives, and named folders. Files by drives and named folders; you cannot exclude files by file extension. Note: If you use the iFolder feature in NetWare 6, you should exclude the iFolder directory from virus scans. The default directory to exclude is sys:\iFolder. Configure this option by using the Server Auto-Protect Options dialog box in the Symantec System Center. See Configuring inclusions and exclusions on page 121.
117
About excluding named files and folders

You can exclude named files and folders from Auto-Protect, virus sweep, manual (Quick, Full, and Custom), and scheduled scans. For example, you might want to exclude scans of the path C:\Temp\Install or you might want to exclude folders that contain an allowable security risk if your companys security policy allows users to run a particular adware program. Warning: Because excluded files and folders are not scanned, they are not protected from viruses and security risks. To maintain security, you cannot view or exclude specific files from the Symantec System Center console. You can, however, exclude specific files using the Symantec AntiVirus client or server user interface. You may want to exclude files that trigger false positive alerts. For example, if you used another virus scanning program to clean infected files and the program did not completely remove the virus code, the file may be harmless but the disabled virus code might cause Symantec AntiVirus to register a false positive. Check with Symantec Technical Support if you are not sure if a file is infected. The status of the files and folders you choose to exclude is reflected by the icons in the Symantec AntiVirus tree. The meanings of the icons is listed in Table 4-4. Table 4-4 Icon Tree view icons and their meaning
Description
Symantec AntiVirus scans all of the files in this folder and also all of the files in subfolders. Symantec AntiVirus scans one or more items that you have selected in the folder or one of the subfolders. Symantec AntiVirus scans the selected file. This is available only from the client or server interface. Symantec AntiVirus does not scan the folder or subitems.
About including and excluding files by file type or extension

By default, Symantec AntiVirus scans all files during a virus scan, but you can configure Symantec AntiVirus to do the following:

Scan only files of a specific file type or with specific extensions. Exclude from the scan files of a specific file type or with specific extensions.
You can use the Symantec System Center to set inclusions and exclusions for specific file types and extensions. Scans by file type or extension are available when you select the following objects and scan types:

Client object: Manual scan, scheduled scan, and client Auto-Protect Server object: Virus sweep, manual scan, scheduled server scan, and server Auto-Protect (Windows only)
When you scan by file type, Symantec AntiVirus reads each files header to determine the file type. For example, if you enable document scanning, Symantec AntiVirus scans all documents even if you name them with nonstandard extensions, such as Document3.mlt instead of Document3.doc. Note: The file type option doesnt apply to NetWare servers; it applies only to Windows-based computers. When you scan by file extension, Symantec AntiVirus does not read the file header to determine the file type and scans only files with the extensions that you specify. Table 4-5 describes the recommended extensions for scanning. Note: A question mark (?) in a file extension in Table 4-5 means that the letter in the file extension might vary, depending on the version of the program or application that produces it. Table 4-5 File extension
386 ACM ACV ADT AX BAT BTM BIN CLA
Recommended file extensions for scanning Description

Driver Driver; audio compression manager Driver; audio compression/decompression manager ADT file; fax AX file Batch Batch Binary Java Class
119
Table 4-5 File extension

COM CPL CSC DLL DOC DOT DRV EXE HLP HTA HTM HTML HTT INF INI JPEG JPG JS JSE JTD MDB MP? MSO OBD OBT OCX OV?

Executable Applet Control Panel for Microsoft Windows Corel Script Dynamic Link Library Microsoft Word Microsoft Word Driver Executable Help file HTML application HTML HTML HTML Installation script Initialization file Graphics file Graphics file JavaScript JavaScript Encoded Ichitaro Microsoft Access Microsoft Project Microsoft Office 2000 Microsoft Office binder Microsoft Office binder Microsoft object linking and embedding custom control Overlay
Table 4-5 File extension

PIF PL PM POT PPT PPS RTF SCR SH SHB SHS SMM SYS VBE VBS VSD VSS VST VXD WSF WSH XL?

Program information file PERL program source code (UNIX) Presentation Manager Bitmaps Graphics Microsoft PowerPoint Microsoft PowerPoint Microsoft PowerPoint Rich Text Format document Fax/screensaver/snapshot, script for Faxview/Microsoft Windows Shell Script (UNIX) Corel Show Background file Shell scrap file Lotus AmiPro Device driver VESA BIOS (Core Functions) VBScript Microsoft Office Visio Microsoft Office Visio Microsoft Office Visio Virtual device driver Windows Script File Windows Script Host Settings File Microsoft Excel
121
Configuring inclusions and exclusions

Symantec AntiVirus exclusions behavior is as follows:
When Symantec AntiVirus applies exclusions, the excluded items are not scanned. If the file is not excluded, it is scanned. For virus sweep, manual, Auto-Protect, and scheduled scans, Symantec AntiVirus takes no action on excluded files.
Enabling and disabling exclusions can improve performance depending on the situation. For example, if you copied a large folder that was in the exclusions list and the exclusions setting was enabled, the copying process would not take as long since the folders contents would be excluded. Files that you exclude appear with various icons in the Symantec AntiVirus tree. See Table 4-4, Tree view icons and their meaning, on page 117. To configure exclusions for scans 1 2 3 4 Open the Scan Options dialog box for the type of scan that you want to configure: Auto-Protect, Manual, Virus Sweep, Scheduled. Click Exclude files and folders. Click Exclusions. Depending on the types and numbers of computers that you are configuring, you can do the following:
Click Extensions and select file extensions to exclude. You can use wildcards when you exclude by extension. Select files to exclude within specific folders by extension or file type. Click Files/Folders or Folders, as available, and select folders to exclude from the scan.
Click OK until the Symantec System Center console appears.
Select extensions, file types, folders, and files to include in scans

For all scan types, you can select files to include in a scan by extension or by type. For scheduled and manual scans, you can also select files to scan by extension and type at the folder level. To select files to include in scans by extension 1 2 In the Scan Options dialog box for the scan that you want to configure, under File Types, click Selected file extensions. Click Extensions.
In the Selected Extensions dialog box, you can do any of the following:

To add your own extensions, type the extension, and then click Add. To add all document extensions, click Documents. To add all program extensions, click Add. To add all extensions and program types, click Use Defaults.
To select files to include in scans by type 1 2 3 In the Scan Options dialog box for the scan that you want to configure, under File Types, click Selected file types. Click Types. In the Selected Types dialog box, select one of the following:

Document files: Scan document files regardless of their extensions. Program files: Scan MS-DOS and Windows program files.
To select files to include in manual scans by folder 1 2 3 4 Right-click the object that you want to scan, and then click All Tasks > Symantec AntiVirus > Start Manual Scan. In the Select Items dialog box, select the folders to scan. Click Options and select the extensions and types to scan for the selected folders. Click OK until the Symantec System Center console appears.
To select files to include in a scheduled scan by folder 1 2 3 4 5 6 7 Right-click the object that you want to scan, and then click All Tasks > Symantec AntiVirus > Scheduled Scans. On the Server Scans tab, in the Server scans list, select a scan. Click Edit. In the Scheduled Scan dialog box, click Scan Settings. In the Select Items dialog box, select the folders to scan. Click Options and select the extensions and types to scan for the selected folders. Click OK until the Symantec System Center console appears.
Scanning for viruses and security risks Configuring Auto-Protect
123
About actions for viruses and security risks that scans detect
Many of the same scan options are available in different types of scans. For example, when you configure manual, scheduled, or Auto-Protect scans, you can assign first and second actions for Symantec AntiVirus to take when it finds viruses and security risks. You can assign individual first and second actions for Symantec AntiVirus to take when it discovers the following:

Macro viruses Non-macro viruses All security risks (adware, spyware, joke programs, dialers, hack tools, remote access programs, trackware, and others) Individual categories of security risks, such as spyware Custom actions for a particular instance of a security risk
For viruses, by default, Symantec AntiVirus first attempts to clean the file. If Symantec AntiVirus cannot clean the file, it moves the file to the Quarantine on the infected computer, denies access to the file, and logs the event. For security risks, by default, Symantec AntiVirus moves any infected files to the Quarantine on the infected computer and attempts to remove or repair the risks side effects. For security risks, by default, Quarantine contains a record of all actions that Symantec AntiVirus performed so that if needed, the computer can be returned to the state that existed before Symantec AntiVirus attempted the removal and repair. If it is not possible to quarantine and repair a security risk, the second action is to log the risk. See Table 4-9, Actions for File System Auto-Protect and manual scans, on page 137.
Configuring Auto-Protect
Configuring Auto-Protect consists of the following tasks:

Configuring Auto-Protect for files Configuring Auto-Protect email scanning
124 Scanning for viruses and security risks Configuring Auto-Protect
About propagating Auto-Protect settings

Using the Symantec System Center, you can configure Auto-Protect settings at the server group, individual server, and client group levels. When you configure Auto-Protect settings, follow these guidelines to propagate the settings to the computers that you want to receive them:
Changing server Auto-Protect settings for an individual server allows you to push a specific configuration to that server, which overrides settings that are made at the server group level. Resetting server Auto-Protect settings at the server group level allows you to reset previous settings made at the individual server level. Changing client Auto-Protect settings at the parent management server or client group level allows you to push a specific configuration to the clients of that parent management server or client group.
Resetting client Auto-Protect settings at the server group level resets previous settings made at the parent management server or client group level, for all clients. Changing client Auto-Protect settings at the parent management server level changes the settings for clients not assigned to client groups; clients assigned to a client group retain their settings.
Warning: You must lock Auto-Protect options that you want to propagate to clients or the options are not propagated. The buttons in the Auto-Protect Options dialog box affect settings propagation as follows:

Clicking OK propagates the settings that you change. Clicking Reset All propagates all settings in the dialog box, regardless of whether you change or visit them.
See How settings propagate on page 48.
Locking and unlocking Auto-Protect options

You can lock or unlock Auto-Protect options for clients to control the user experience in the Symantec AntiVirus user interface.
125
Table 4-6 describes the Auto-Protect lock icons. Table 4-6 Icon Auto-Protect lock icons What it means
Users can change this setting in the Symantec AntiVirus user interface.
Users cannot change this setting in the Symantec AntiVirus user interface.
To lock or unlock Auto-Protect options 1 In the Symantec System Center console, do one of the following:
To change server Auto-Protect settings, right-click a server group or server, and then click All Tasks > Symantec AntiVirus > Server AutoProtect Options. To change client Auto-Protect settings, right-click a server-group, server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
2 3
In the Auto-Protect Options dialog box, click the lock icon next to the option that you want to lock or unlock to change its current state. Click OK.
Configuring File System Auto-Protect

When you configure Auto-Protect for files, you select a server group or server, configure scan settings, and configure other settings that define how AutoProtect and its associated features behave. You specify whether you want to scan floppy disk drives, network drives, or both. Note: When you configure Client Auto-Protect options, you can click the lock icon next to the Auto-Protect settings to lock the settings so that users cannot change them.
Table 4-7 describes the Auto-Protect scan options. Table 4-7 Section or option name
Enable Auto-Protect File types
Auto-Protect scan options
Available options
Check to enable Auto-Protect. You can configure Symantec AntiVirus to scan all file types, to include files that have only the selected extensions in the scan, or to use SmartScan. The following options are available:

All Types Select this option to scan all files on the computer, regardless of type. Selected Extensions Select this option to scan only the files that have certain extensions. You can add more extensions for programs and documents, if you have files that use extensions that are not already in the list. You can also reset this option to its default value. SmartScan SmartScan scans a specific, configurable group of file extensions that contain executable code, and all .exe and .doc files. SmartScan reads each files header to determine its file type. It scans .exe and .doc files even if the file extensions for the .exe and .doc files are changed by a virus. SmartScan is enabled by default.
Options
Uncheck Scan for Security Risks to stop Auto-Protect from scanning for security risks. Scanning for security risks is enabled by default. Check Exclude selected files and folders to exclude certain files and folders from being scanned by Auto-Protect. Click Exclusions to select the file extensions and paths for folders to exclude.
Drive types
Drive types provides the following options:
Network If you enable Auto-Protect on network drives, Symantec AntiVirus can scan files as theyre written from a client computer to a server or from a server to another server. This option is not necessary if you enable Auto-Protect on your servers. For example, if you enable the scanning of network drives on client A and also have Auto-Protect enabled on server B, when client A writes a file to a network drive on server B, Symantec AntiVirus scans the file on client A and scans the file again on server B. This could reduce network performance on the client computer. Floppy Symantec AntiVirus can scan files as they are read from or written to floppy disks. Floppy disks are common sources of virus infections because users might bring infected disks from home. CD-ROM If you enable Auto-Protect on CD-ROM drives, Symantec AntiVirus can scan files as they are read from or written to CD-ROM disks.
127
Table 4-7 Section or option name

Advanced
Auto-Protect scan options
Available options
Click this button to set advanced Auto-Protect scan options, including startup, file cache, backup, and so on. See Configuring advanced File System Auto-Protect options on page 129.
Actions
Click this button to set the kind of actions that you want Symantec AntiVirus to take when it finds a virus or a security risk. See Configuring actions for File System Auto-Protect on page 136.
Notifications
Click this button to set the notifications that you want to appear when Auto-Protect finds a virus or a security risk. See Configuring notifications for File System Auto-Protect on page 142.
Reset All
This option is available only for server Auto-Protect options at the server group level and client Auto-Protect options at the server level. To ensure that all computers use the same Auto-Protect scanning configuration that you set at a higher level, click Reset All when you set the options.
For server Auto-Protect, when you click Reset All at the server group level, the server group settings overwrite any scan options that were previously set at the server level. All options are propagated to all of the servers that belong to the server group. For client Auto-Protect, when you click Reset All at the server group level, the server group settings overwrite any scan options that were previously set at the server and client level. When you click Reset All at the server level, any scan options that were previously set at the client level are overwritten by the server settings.
To configure File System Auto-Protect 1 Do one of the following:
Right-click the server group or the Symantec AntiVirus servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Server Auto-Protect Options. If you select a server group, the Symantec System Center configures all of the servers that are in the server group. Right-click an individual server or multiple selected servers, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. Right-click the server group or the servers that manage the Symantec AntiVirus clients that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. The Symantec System Center configures all of the clients that are associated with the server or the server group.
Right-click an individual client or multiple selected clients for a server, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
In the Auto-Protect Options dialog box, enable Auto-Protect, set the file types to include, enable or disable scanning for security risks, exclude files by extension and folders, and set drive types, as needed. See Table 4-7, Auto-Protect scan options, on page 126. To set advanced scan options, click Advanced. See Table 4-8, Advanced scan options for File System Auto-Protect, on page 129. To set the actions that you want Symantec AntiVirus to take when it finds macro viruses, non-macro viruses, and individual or categories of security risks, click Actions. See Table 4-9, Actions for File System Auto-Protect and manual scans, on page 137. To set the notifications (messages) that you want to display on infected computers when risks are found, click Notifications. See Table 4-10, Notifications options for File System Auto-Protect and manual scans, on page 142.
129
If you are configuring client Auto-Protect options, click the lock icon next to each Auto-Protect option that you want to lock to propagate the option to clients. If you are configuring Auto-Protect options for a server group, click Reset All to ensure that all of the computers are using the Auto-Protect scanning configuration that you set at this level. See About propagating Auto-Protect settings on page 124. Click OK.
Configuring advanced File System Auto-Protect options

Table 4-8 describes the advanced scan options for File System Auto-Protect. Table 4-8 Advanced scan options for File System Auto-Protect
Section or option name Available options

Startup options Startup options include the following options:
System start Load Auto-Protect when the computers operating system starts and unload it when the computer shuts down. This option can help protect against some viruses, such as Fun Love. If Auto-Protect detects a virus during shutdown, it places the infected file in a temporary Quarantine directory. Auto-Protect then detects the virus on startup and creates an alert notification. Symantec AntiVirus start Load Auto-Protect when Symantec AntiVirus starts.
Note: If you disable Auto-Protect on a computer that has this option set to System start, Auto-Protect still functions briefly each time that the computer restarts until the main Symantec AntiVirus service starts and disables Auto-Protect. Changes requiring AutoProtect reload Changes requiring Auto-Protect reload provides the following options:

Wait until system restart Stop and reload Auto-Protect when the computer restarts. Stop and reload Auto-Protect Stop and reload Auto-Protect immediately.
Table 4-8
Advanced scan options for File System Auto-Protect

Scan files when Scan files when provides the following file system protection options for monitoring and acting on files:
Modified (scan on create) Scans files when they are written, modified, or copied. Use this option for slightly faster performance, because Auto-Protect scans files only when they are written, modified, or copied. Accessed or modified (scan on create, open, move, copy, or run) Scans files when they are written, opened, moved, copied, or run. Use this option for more complete file system protection. This option might have a performance impact, because Auto-Protect scans files during all types of file operations. Opened for backup (not applicable to Windows 9x or NetWare) Scans files when they are accessed during a backup operation. Use this option if you havent run a virus check on files that you want to back up. Do not enable this option if you want to bypass Auto-Protect for files that are being backed up. By using this option, you can significantly slow backup operations, because Auto-Protect scans each file that is included in the backup. The setting applies only to files that are backed up. Files that are being restored from a backup are scanned regardless of this setting. For Leave Alone (Log only), delete infected files on creation Enable this option if you want the Modified option or the Accessed or modified option to delete a newly created infected file when you configure Leave alone (log only) as the action. For an existing infected file, Scan on Access and Modify detects the infected file and the Leave alone action applies. The file is denied access and logged, but it is not deleted. When you disable this option, Symantec AntiVirus permits the infected file to be created. Preserve file times Enable this option if you do not want the file system to change the last access time. Preserving the last access time prevents backup software from backing up unchanged files.
131
Table 4-8

File cache File caching decreases Auto-Protects memory usage and can help you to track problems. The file cache includes an index of files that were scanned and determined to be clean. Symantec AntiVirus adds a 16-byte ID to the cache index, which remains until Symantec AntiVirus detects a change to the file. The following options are available:

Disable file cache Disable the file cache. This option is useful during troubleshooting. Use default file cache size Use the default file cache size setting for desktop computers and use as close to the maximum setting as possible for servers. The default file cache size is based on the computer's operating system and the amount of available disk space. File caching decreases Auto-Protects memory usage and can help you to track problems. Symantec AntiVirus adds a 16-byte entry to the cache index, which remains until Symantec AntiVirus detects a change to the file. Custom file cache entries Select the number of custom file cache entries to include. This option is useful for file servers or Web servers on which you want to cache a large number of files.
Threat Tracer
Threat Tracer provides the following options for identifying the source of network share-based virus infections from computers that run supported Windows operating systems:

Enable Threat Tracer Ensure that this option is checked to use Threat Tracer. Resolve source computer IP address If this option is checked, Symantec AntiVirus looks up and records only the computers NetBIOS name. When it is checked, it also reports who was logged on to the computer at delivery time. This feature is supported on Windows XP systems only. Poll for network sessions every <number> milliseconds Symantec AntiVirus polls once every second (1000 milliseconds) by default. Lower values use greater amounts of CPU and memory, but also increase the possibility that Symantec AntiVirus can record the network session information before the threat can shut down network shares. Higher values decrease system overhead, but also decrease Threat Tracers ability to detect infections. See About Threat Tracer on page 135. Client firewall auto blocks IP address This option applies only to Symantec Client Security, which includes Symantec Client Firewall.
Table 4-8

Automatic enabler Check this option to re-enable Auto-Protect automatically after <number> number of minutes. Valid values range from 3 to 60. This option is useful if your end users need to disable Auto-Protect on occasion. When scanning compressed files This option is available when you configure Server Auto-Protect Options. If you check this option, Symantec AntiVirus scans the container, such as Files.zip, and the contents of the container, which are the individual compressed files. Symantec AntiVirus supports a maximum depth of eight levels of nested compressed files for NetWare servers. Symantec AntiVirus scans compressed files during Auto-Protect and scheduled scans. To scan the contents of a compressed file, Symantec AntiVirus extracts each file, one file at a time, from the container and copies it to the SYS volume where it is scanned. The SYS volume must have enough space available to accommodate the largest file in the container. Note: You cannot stop a scan that is in progress on a compressed file. If you click Stop Scan, Symantec AntiVirus stops the scan only after it has finished scanning the compressed file. Backup options As a data safety precaution, before you attempt to repair a file, check Back up file before attempting repair. This is checked by default. The original virus-infected file is encrypted and then copied into the Quarantine directory. If needed, you can use this unrepaired backup file to return the file to its original, but infected state. Note: Uncheck this option with caution, since it means that files containing viruses are not going to be backed up before repairs are attempted. This setting applies only to virus-infected files, as files quarantined and repaired for security risks are always backed up regardless of this setting. Additional advanced options: Heuristics Change the level of protection that Bloodhound Heuristic Scanning provides. Select the Minimum, Default, or Maximum level of protection. Bloodhound can detect a high percentage of unknown viruses by isolating and locating the logical regions of a file. Bloodhound then analyzes the program logic for virus-like behavior.
133
Table 4-8

Additional advanced options: Floppies The following options are available for floppy disk scans:
Check floppies for boot viruses upon access Symantec AntiVirus scans the floppy disk in the floppy drive for boot viruses when the drive is first accessed. When Symantec AntiVirus finds a boot virus, select whether to clean a virus from the boot record or leave it alone. If you click Leave alone (log only), an alert is sent when a virus is detected but no action is taken. Use this option if you want to control the virus cleaning and handling process. Do not check floppies upon system shutdown Symantec AntiVirus skips the scan of any floppy disk in the floppy drive when the computer is shut down normally.
Additional advanced options: Monitor
These options are available when you configure Client Auto-Protect Options. You might want to monitor virus-like activities, which are activities that viruses perform when they attempt to infect your files. The listed activities might be legitimate, depending on the work context. You can set each activity to be allowed, not allowed, or to alert the user before the activity is performed.
Low-Level Format Of Hard Disk All information on the drive is erased and cannot be recovered. This type of formatting is generally performed at the factory only. If this activity is detected, it usually indicates an unknown virus at work. This is not an option for NEC PC98xx computers. Write To Hard Disk Boot Records Very few programs write to hard disk boot records. If this activity is detected, it could indicate an unknown virus at work. Write To Floppy Disk Boot Records Only a few programs, such as the operating system Format command, write to floppy disk boot records. If this activity is detected, it could indicate an unknown virus at work. Remove the alert dialog after <number> seconds If you selected Prompt to alert the user for any of the activities, you can set the number of seconds that you want the alert to appear.
To configure advanced File System Auto-Protect options 1 Do one of the following:
In the Auto-Protect Options dialog box, on the File System tab, click Advanced.
135
In the Auto-Protect Advanced Options dialog box, set the following options:

Startup options Changes requiring Auto-Protect reload Scan files when File cache Threat Tracer Automatic enabler When scanning compressed files (if configuring Server Auto-Protect Options)
Backup options, and additional advanced options, if needed See Table 4-8, Advanced scan options for File System Auto-Protect, on page 129.
If you are configuring Client Auto-Protect Options, in the Monitor dialog box, set one or more of the following options for virus-like activities:
Low-Level Format Of Hard Disk Write To Hard Disk Boot Records Write To Floppy Disk Boot Records Allow, Prompt, or Dont Allow Allow, Prompt, or Dont Allow Allow, Prompt, or Dont Allow
If you selected Prompt for any of the options, check Remove the alert dialog after <number> seconds and type the number of seconds that you want the alert to last. In the Auto-Protect Advanced Options dialog box, when you have finished configuring Auto-Protect Advanced Options, click OK. If you want to propagate all the settings in the dialog box, regardless of whether you changed or visited them, click Reset All. In the Auto-Protect Options dialog box, click OK.
6 7 8
About Threat Tracer

You can use Threat Tracer to identify the source of network share-based virus infections on computers that run Windows XP operating systems. When Auto-Protect detects an infection, it sends information to Rtvscan, the main Symantec AntiVirus service. Rtvscan determines if the infection originated locally or remotely. If the infection came from a remote computer, Rtvscan can look up and record the computers NetBIOS computer name and its IP address, and who was logged on to the computer at delivery time, and then display this information in the Risk properties dialog box.
Rtvscan polls every second by default for network sessions, and then caches this information as a remote computer secondary source list. This information, which you can configure in the Auto-Protect Advanced Options dialog box, maximizes the frequency with which Threat Tracer can successfully identify the infected remote computer. For example, a threat may close the network share before Rtvscan can record the network session. Threat Tracer then uses the secondary source list to try to identify the remote computer. Threat Tracer information appears in the Risk properties dialog box, and is available only for the risk entries that the infected files cause. When Threat Tracer determines that the infection came from local host activity, it lists the source as the local host. Threat Tracer lists a source as unknown in the Risk properties dialog box when the following conditions are true:

It cannot identify the remote computer. The authenticated user for a file share refers to multiple computers. This can occur when a user ID is associated with multiple network sessions. For example, multiple computers might be logged on to a file sharing server with the same server user ID.
To record the full list of multiple remote computers that are infecting the current computer, set the HKEY_LOCAL_MACHINE\Software\Intel\LANDesk \VirusProtect6\CurrentVersion\ProtectControl\Debug string value to THREATTRACER X on the current computer. The THREATTRACER value turns on the debug output and the X ensures that only debug output that is related to Threat Tracer appears. You can also add an L to ensure that the logging goes to the <SAV_Program_Folder>\vpdebug.log log file. To ensure that the debug window does not appear, add XW. Use the test virus file Eicar.com, available from www.eicar.org, if you want to experiment with this feature.
Configuring actions for File System Auto-Protect

Actions allow you to set how Symantec AntiVirus responds when it detects a virus or a security risk. You can assign a first action and, in case the first action is not possible, a second action for Symantec AntiVirus to take when it discovers a virus or a security risk such as adware or spyware. Types of viruses and security risks are listed in the tree. You can configure options on the tabs to the right. Note: For security risks, use the delete action with caution, because in some cases, deleting security risks can cause applications to lose functionality.
137
Table 4-9 describes the options that you can configure for File System AutoProtect and manual scan actions. Table 4-9 Tab
Actions tab
Actions for File System Auto-Protect and manual scans Options

You can configure a first action to take and a second action to take if the first action fails. Actions for viruses include the following:

Type of risk
Macro virus Non-macro virus
Clean threat (default first action): Attempts to clean the infected file when a virus is found. Quarantine threat (default second action): Attempts to move the infected file to the Quarantine on the infected computer as soon as it is detected. After an infected file is moved to the Quarantine, no user can execute it until you take an action, such as clean, and move the file back to its original location. Delete threat: Attempts to delete the file. Use this option only if you can replace the infected file with a virus-free backup copy because the file is permanently deleted and cannot be recovered from the Recycle Bin. If Symantec AntiVirus cannot delete the file, detailed information about the action that Symantec AntiVirus took appears in the Notification dialog box and the Symantec AntiVirus Event Log. Leave alone (log only): Denies access to the file, displays a notification, and logs the event. Use this option to take manual control of how Symantec AntiVirus handles a virus. When you are notified of a virus, open the Risk History for the computer, right-click the name of the file, and select one of the following actions: Clean (viruses only), Delete Permanently, or Move To Quarantine.
Table 4-9 Tab

Actions tab

You can configure Symantec AntiVirus security risk actions as follows:

Type of risk
Security risks

Adware Dialers Hack Tools Joke Programs
Configure the same actions to take for all security risks. Configure the same actions for a whole category of security risks. Configure individual security risk exceptions to the actions that you set for specific categories.
Other (programs that might pose a You can configure a first action to take and a second action to take if security risk but the first action fails. Actions for security risks include the following: do not fit into Quarantine risk (default first action): Attempts to move any other security infected files to the Quarantine on the infected computer as soon risk categories) as the security risk is detected or completes its installation. Remote Access Symantec AntiVirus removes or repairs any side effects of the Spyware risk, such as deleting registry keys that were added, reverting Trackware registry key values that were changed, and deleting additions to .ini or .bat files. You can restore security risk items that are quarantined to their original state on the system. In some instances, you might need to restart the computer to complete the removal or repair.
Delete risk: Attempts to delete infected files. Use this option only if you can replace the files with a security risk-free backup copy because files are permanently deleted and cannot be recovered from the Recycle Bin. Use this action with caution, because in some cases, deleting security risks can cause applications to lose functionality. If Symantec AntiVirus cannot delete files, detailed information about the actions that Symantec AntiVirus took appear in the Notification dialog box and the Symantec AntiVirus Event Log. Leave alone (log only) (default second action): The risk is left alone and its detection is logged. Use this option to take manual control of how Symantec AntiVirus handles a security risk. When you are notified of a security risk, open the Risk History for the computer, right-click the name of the infected file or files, and select one of the following actions: Delete Permanently or Move To Quarantine.
Note: In some instances, a security risk such as adware or spyware is installed as part of another desired application. Symantec AntiVirus waits until that application installation is complete before it performs the configured action on the security risk so that it does not leave the computer in an unstable state.
139
Table 4-9 Tab

Exceptions tab

You can configure exceptions to the actions that you set for security risk categories. You can select specific instances of each category to exclude from the actions that you set for other instances in the same category. In the category list, select and add the security risks for which you want to configure custom actions, or edit or remove risks that are already in the list.
Type of risk
Available only for security risks
Warning: If you configure Symantec AntiVirus to delete files that are infected by a security risk such as adware or spyware, it cannot restore those files. To back up files that contain security risks such as adware or spyware, configure Symantec AntiVirus to quarantine them. To configure actions for File System Auto-Protect 1 Do one of the following:
In the Auto-Protect Options dialog box, on the File System tab, click Actions.
In the Actions dialog box, in the tree, select a type of virus or security risk. By default, each security risk subcategory, such as Spyware, is automatically configured to use the actions that are set at the top level for the entire Security Risks category. To configure a category or specific instances of a category to use different actions, check Override actions configured for Security risks, and then set the actions for that category only. See Table 4-9, Actions for File System Auto-Protect and manual scans, on page 137. Select the first and second actions that you want Symantec AntiVirus to take when it detects that category of virus or security risk. For security risks, use the delete action with caution, because in some cases, deleting security risks can cause applications to lose functionality. If you selected a security risk category, click the Exceptions tab to configure custom actions for one or more specific instances of that security risk category. If you are configuring Client Auto-Protect Options, you can lock Exceptions that you configure on the Actions tab. Click Add.
141
In the Select risks dialog box, select the specific risks in the list for which you want to configure custom actions, and then click Next.
In the Configure risks dialog box, select the first and second actions that you want Symantec AntiVirus to take when it detects the specific risks that you selected, and then click Finish.
Repeat step 4 for each category for which you want to set actions (viruses and security risks).
10 Repeat steps 5 through 8 for all security risk categories in which you want to set custom actions for individual risks. 11 Click OK.
Configuring notifications for File System Auto-Protect

When you configure notifications, you set how Symantec AntiVirus notifies users when the following occurs:

Symantec AntiVirus finds a virus or a security risk. Symantec AntiVirus needs to stop a process or service to remove or repair the effects of a virus or security risk.
You can suppress all or some user notifications. On clients, users are notified and processes and services are not terminated automatically by default. This allows users to save data before Symantec AntiVirus initiates actions to remove or repair a virus or security risk. On servers, notifications are turned off and processes and services are terminated automatically by default. Note: Notifications options are the same for File System Auto-Protect and for all types of manual scans with one exception. The Display Auto-Protect results dialog on infected computer option is available only for File System AutoProtect. Table 4-10 describes the notifications options for File System Auto-Protect and manual scans. Table 4-10 Option
Detection options
Notifications options for File System Auto-Protect and manual scans
Description
Check Display message on infected computer to display a message on the computer when a virus or security risk is found. Right-click in the text field to insert new fields or type or edit directly in the field to alter the message. See Table 4-11, File System Auto-Protect and manual scan message fields, on page 143. Uncheck Display Auto-Protect results dialog on infected computer to suppress the dialog box that displays the results on the infected computer when Auto-Protect finds viruses and security risks. This option is available only when you configure File System Auto-Protect.
143
Table 4-10 Option

Remediation options
Notifications options for File System Auto-Protect and manual scans
Description
If you check both remediation options, then users are not notified when Symantec AntiVirus needs to terminate a process or application, such as a Web browser, or stop a service on the users computer to complete the removal or repair of a risk. Symantec AntiVirus automatically takes the necessary action without notifying users.
Automatically terminate processes Check this if you do not want users to be notified when Symantec AntiVirus must terminate a process to remove or repair a risk. Automatically stop services Check this if you do not want users to be notified when Symantec AntiVirus must stop a service to remove or repair a risk.
Note: Users will always be notified when a restart is required. They will be allowed to save data and close open applications or to opt out of restarting.
You can construct a custom message to appear on infected computers when a virus or a security risk is found. You can type directly in the message field to add your own text, and you can right-click in the field to select variables. Table 4-11 describes the variable fields that are available for File System AutoProtect and manual scan notification messages. Table 4-11 Field
SecurityRiskName ActionTaken
File System Auto-Protect and manual scan message fields Description

The name of the virus or security risk that was found. The action that was taken in response to detecting the virus or security risk. This can be either the first action or second action that was configured. The state of the file: Infected, Not Infected, or Deleted. This message variable is not used by default. To display this information, manually add this variable to the message.
Status
Filename PathAndFilename
The name of the file that the virus or security risk infected. The complete path and name of the file that the virus or security risk infected. The drive on the computer on which the virus or security risk was located. The name of the computer on which the virus or security risk was found.
Location
Computer
Table 4-11 Field

User
File System Auto-Protect and manual scan message fields Description

The name of the user who was logged on when the virus or security risk occurred. The type of event, such as Risk Found. The type of scan, manual, scheduled, and so on, that detected the virus or security risk. The date on which the virus or security risk was found. The affected area of the application, for example, File System Auto-Protect or Lotus Notes Auto-Protect. A full description of the actions that were taken in response to detecting the virus or security risk.
Event LoggedBy
DateFound StorageName
ActionDescription
To configure notifications for File System Auto-Protect 1 Do one of the following:
Right-click the server group or the Symantec AntiVirus servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Server Auto-Protect Options. If you select a server group, the Symantec System Center configures all of the servers that are in the server group. Right-click a server group, an individual server, or multiple selected servers that manage the Symantec AntiVirus clients that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
145
In the Client or Server Auto-Protect Options dialog box, on the File System tab, click Notifications.
In the Notification Options window, under Detection Options, check Display notification message on infected computer if you want a message to appear on the infected computer when a virus or security risk is found. In the message box, do any or all of the following to construct the message that you want:

Click to type or edit text. Right-click, click Insert Field, and then select the variable field that you want to insert. See Table 4-11, File System Auto-Protect and manual scan message fields, on page 143. Right-click, and then select Cut, Copy, Paste, Clear, or Undo.
Under the message box, uncheck Display Auto-Protect results dialog on infected computer if you want to suppress the dialog box that displays results when Auto-Protect finds viruses and security risks.
Under Remediation Options, check each option that you want to set. Your options are as follows:
Automatically terminate processes If checked, Symantec AntiVirus automatically terminates processes when it needs to do so to remove or repair a virus or security risk. Users are not prompted to save data before Symantec AntiVirus terminates the processes. If checked, Symantec AntiVirus automatically stops services when it needs to do so to remove or repair a virus or security risk. Users are not prompted to save data before Symantec AntiVirus stops the services.
Automatically stop services
Use these options with caution on clients, because users can potentially lose data when Symantec AntiVirus terminates processes or applications or stops services. 7 Click OK.
User interaction with notifications

If you allow users to be notified when Symantec AntiVirus finds a virus or a security risk, the Auto-Protect Results dialog box appears:
147
If Symantec AntiVirus needs to terminate a process or application or stop a service, the Remove Risk button is active. When users click Remove Risk, the following message appears:
If Symantec AntiVirus needs to restart the computer to complete the removal or repair, the Reboot button is active. When users click Reboot, the following message appears:
If users click No and close the message box without restarting, the removal or repair will not be complete until the computer is restarted the next time. And finally, if users opt to close the message box without taking an action to complete the removal or repair, the following message appears:
If the user clicks Yes and closes the dialog box without taking any action, the risk can be removed or repaired at a later time in the following ways:
The user can open the Risk History, right-click the risk, and then take an action. The user can run a scan to redetect the risk and reopen the results dialog.
The actions that users can take depend on the actions that are configured for the particular type of virus or security risk that was found.
If the user clicks No, the user is returned to the dialog box so that the user can take the appropriate action.
Disabling security risk scanning in File System Auto-Protect

By default, Auto-Protect and all types of scans check for security risks. At times, you might need to disable scanning for security risks in File System AutoProtect temporarily, and then re-enable it. Note: You cannot disable security risk scanning for other types of scans. However, you can configure Symantec AntiVirus to leave the security risk alone and only log the detection. To disable security risk scanning in File System Auto-Protect 1 2 Right-click a server, a server group, or a client group. Do one of the following:

Click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. Click All Tasks > Symantec AntiVirus > Server Auto-Protect Options.
3 4
In the Auto-Protect Options dialog box, under Options, uncheck Scan for Security Risks. If you selected Client Auto-Protect Options, then lock the option if you want this setting to propagate to clients.
Configuring Auto-Protect email scanning for groupware applications

Auto-Protect scans can scan email attachments for the following applications:

Lotus Notes 4.5x, 4.6, 5.0, and 6.x Microsoft Outlook 98/2000/2002/2003 (MAPI and Internet) Microsoft Exchange client 5.0 and 5.5
When Auto-Protect is enabled for email, attachments are immediately downloaded to the computer that is running the email client and scanned when the user opens the message. If you are downloading a large attachment over a slow connection, mail performance is affected. You may want to disable this feature for users who regularly receive large attachments. Symantec AntiVirus supports email scanning only for Symantec AntiVirus clients. It can coexist on Microsoft Exchange Server 5.0 and 5.5, but does not actually scan the Exchange Server files. See the Symantec Client Security Reference Guide.
149
Note: If Lotus Notes or Microsoft Outlook is already installed on the computer when you perform a client software installation from the Symantec System Center, then Symantec AntiVirus detects the email application and automatically installs the correct Auto-Protect plug-in for it. Both plug-ins are installed if you select a complete installation when you perform a manual Symantec AntiVirus installation. To configure email scanning 1 2 Right-click the server group or the servers to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on the Lotus Notes or Microsoft Exchange tab, check Enable Auto-Protect. You can use the Microsoft Exchange tab to configure Auto-Protect options for both Microsoft Exchange and Microsoft Outlook. To set Auto-Protect options, do any of the following:

Select all types or select file types or extensions to scan. Insert a warning into an email message. Send an email message to the sender of an infected attachment. Send an email message to selected recipients when a virus is detected.
Click Advanced to disable the scanning of compressed files or to change the number of levels of compression to scan when there are compressed files within compressed files, and then click OK. Click Actions to configure the detection and remediation actions you want Symantec AntiVirus to take when it finds a virus or security risk, and then click OK. Actions options are the same as those for File System Auto-Protect. For security risks, use the delete action with caution, because in some cases, deleting security risks can cause applications to lose functionality. See Configuring actions for File System Auto-Protect on page 136. Click Notifications to configure the type of notification you want Symantec AntiVirus to provide users when it finds a virus or security risk, and then click OK. Notifications options are the same as those for File System Auto-Protect, except that the Display Auto-Protect results dialog on infected computer option is not available. See Configuring notifications for File System Auto-Protect on page 142.
7 8
Lock or unlock options as needed. Click Reset All to ensure that all of the computers are using the AutoProtect scanning configuration that you have specified immediately. See About propagating Auto-Protect settings on page 124.
If your email program is not supported

If your email program is not one of the supported data formats, you can still protect your network by enabling Auto-Protect on your file system. For example, if you are running a Novell GroupWise email system and one of your users receives a message with an infected attachment, Symantec AntiVirus can detect the virus as soon as the user tries to open the attachment. This is because most email programs, such as GroupWise, save attachments to a temporary directory when users launch attachments from the email program. If you enable AutoProtect on your file system, Symantec AntiVirus detects the virus as it is written to the temporary directory. Symantec AntiVirus also detects the virus if the user tries to save the infected attachment to a local drive or network drive.
Configuring Auto-Protect scanning for Internet email

Auto-Protect scanning for Internet email protects both incoming and outgoing email messages that use the POP3 or SMTP communications protocol. When Auto-Protect scanning for Internet email is enabled, Symantec AntiVirus scans both the body text of the email and any attachments that are included. Note: Internet email scanning is not supported for 64-bit computers. Symantec AntiVirus also provides outbound email heuristics scanning that uses Bloodhound Virus Detection to identify risks that may be contained in outgoing messages. Scanning outgoing email messages helps to prevent the spread of risks such as worms that can use email clients to replicate and distribute themselves across a network. When Auto-Protect scanning for Internet email is enabled, attachments are immediately downloaded to the computer that is running the email client and scanned when the user opens the message. If you are downloading a large attachment over a slow connection, mail performance is affected. You may want to disable this feature for users who regularly receive large attachments. Email scanning does not support the following email clients:

IMAP clients AOL clients
151
POP3 that uses Secure Sockets Layer (SSL) HTTP-based email such as Hotmail and Yahoo! Mail
To configure Auto-Protect scanning for Internet email 1 2 Right-click the server group or the servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on the Internet E-mail tab, check Enable Internet E-mail Auto-Protect. The settings that you choose apply to both the POP3 and SMTP protocols. To set Auto-Protect options, do any of the following:

Select all types, or select file types or extensions to scan. Insert a warning into an email message. Send an email message to the sender of an infected attachment. Send an email message to selected recipients when a virus is detected. Enable the scanning of compressed files. Change the number of levels of compression that you want to scan when there are compressed files within compressed files. Change the POP3 and SMTP ports that are scanned. See Changing the POP3 and SMTP ports that are scanned on page 152. Set outbound mail heuristics. See Enabling outbound email heuristics scanning on page 152. Set options to display a progress notification window when you send email, and to display a tray icon.
Click Advanced to set options for the following:

5 6
When you have finished setting advanced options, click OK. Click Actions to configure the detection and remediation actions you want Symantec AntiVirus to take when it finds a virus or security risk, and then click OK. Actions options are the same as those for File System Auto-Protect. See Configuring actions for File System Auto-Protect on page 136. Click Notifications to configure the type of notification you want Symantec AntiVirus to provide users when it finds a virus or security risk, and then click OK. Notifications options are the same as those for File System Auto-Protect, except that the Display Auto-Protect results dialog on infected computer option is not available.
See Configuring notifications for File System Auto-Protect on page 142. 8 9 On the Internet E-mail tab, lock or unlock options as needed. Click Reset All to ensure that all of the computers are using the AutoProtect scanning configuration that you have specified immediately. See About propagating Auto-Protect settings on page 124.
Changing the POP3 and SMTP ports that are scanned

Auto-Protect scanning for Internet email uses the standard POP3 and SMTP email ports by default. However, if you have configured your network to use a different port for either protocol, you must change the port setting in Symantec AntiVirus to match the port that you have selected. To change the POP3 and SMTP ports that are scanned 1 2 3 4 Right-click the server group or the servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on the Internet E-mail tab, check Enable Internet E-mail Auto-Protect. Click Advanced. In the Internet E-mail Advanced Options dialog box, under Server Port Numbers, change the port number to match the port that you are using for each protocol. If you want to reset the port numbers to the default setting, click Use Defaults. Click OK. Click Reset All to ensure that all of the computers are using the AutoProtect scanning configuration that you have specified. See Configuring Auto-Protect on page 123.
5 6 7
Enabling outbound email heuristics scanning

Auto-Protect scanning for Internet email provides outbound email protection against risks such as worms that can distribute themselves using email applications. Symantec AntiVirus uses Bloodhound Virus Detection technology to successfully identify risks in outbound email messages. To enable outbound email heuristics scanning 1 Right-click the server group or the servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
153
2 3 4
In the Client Auto-Protect Options dialog box, on the Internet E-mail tab, check Enable Internet E-mail Auto-Protect. Click Advanced. In the Internet E-mail Advanced Options dialog box, check Outbound Worm Heuristics, and then set a first and second action for Symantec AntiVirus to take, or leave the default settings. Click OK. Click Reset All to ensure that all of the computers are using the AutoProtect scanning configuration that you have specified. See Configuring Auto-Protect on page 123.
5 6
Disabling email scanning for SSL connections

If you have problems sending email messages over SSL connections when you have Symantec AntiVirus installed, you might need to disable email AutoProtect scanning. File System Auto-Protect continues to protect computers from viruses and security risks in attachments even after you disable email client scanning. File System Auto-Protect scans email attachments when you save the attachment to the hard drive. After you disable the email scanner, be sure that Auto-Protect is enabled, and run LiveUpdate regularly to ensure that Auto-Protect has been optimally configured. Auto-Protect provides real-time virus protection from any source, including the Internet, and automatically scans email attachments whenever they are accessed. To disable email scanning for SSL connections 1 2 3 Right-click the server group, or the servers that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on the appropriate email tab, uncheck Enable <email> Auto-Protect. Click OK.
154 Scanning for viruses and security risks Configuring manual scans
Configuring manual scans

You can configure a manual scan on a Symantec AntiVirus server or client. Table 4-12 describes the types of manual scans that you can configure. Table 4-12 Type
Quick Scan
Types of manual scans Description

Scans system memory, and all the common virus and security risk locations on the computer very quickly. Scans the entire computer for viruses and security risks, including the boot sector and system memory. Scans the files and folders that you select for viruses and security risks.
Full
Custom
Note: If you want to scan all servers and clients in a server group, run a virus sweep or create a scheduled scan instead. See Running a virus sweep on page 212. See Creating and configuring scheduled scans on page 164. Some of the manual scan options are the same as the scan options for AutoProtect scans. Table 4-13 describes the options for manual scans. Table 4-13 Section or option
File types
Manual scan options
Available options
You can configure Symantec AntiVirus to scan all file types, to scan by selected extensions, or to scan by selected file types. The following options are available:
All types Select this option to scan all files that are found on the computer, regardless of type. Selected extensions Select this option to scan only the files that have certain extensions. You can add more extensions for programs and documents if you have files that use extensions that are not already in the list. You can also reset this option to its default value. Selected file types Select this option to scan only Microsoft Word, Excel, and other OLE document files, or only MS-DOS and Microsoft Windows application program files.
Scanning for viruses and security risks Configuring manual scans
155
Table 4-13 Section or option

Scan Enhancements
Manual scan options
Available options
Select the following options to find viruses and security risks more quickly. These commonly infected locations are scanned before the files and folders that you have selected are scanned. The following options are available:

Scanning program files loaded into memory Scanning common infection locations (load points) Scanning for traces of well-known viruses and security risks
Enable detection of security risks Exclude files and folders
This option applies only to detecting security risks on version 9.x legacy clients. Note: Risks on legacy clients are detected, not repaired. Check this option to exclude certain files or folders from being scanned by AutoProtect. Click Exclusions, and then select one of the following:

Extensions: Exclude files by their extensions. Files/Folders: Exclude folders by their paths.
This option is not available for multiple clients or servers. Note: When you exclude a folder, Symantec AntiVirus cannot protect an infected computer from infected files in the folder. Advanced Click this button to set advanced scan options, including backup, remote, compressed files, and so on. See Table 4-14, Advanced manual scan options, on page 157. Actions Click this button to configure the actions that you want Symantec AntiVirus to take when it detects macro viruses, non-macro viruses, and security risks. See Table 4-9, Actions for File System Auto-Protect and manual scans, on page 137.
Table 4-13 Section or option

Throttling
Manual scan options
Available options
Click this button to set CPU utilization options. Set the sliders to configure the scan priority when the computers are idle and not idle. Check Throttle NetWare Load and set its slider, if applicable. For scheduled and manual scans, Symantec AntiVirus allows you to control the scans CPU priority. Giving a scan a lower priority means that the scan takes longer to complete, but also frees the CPU to work on other tasks. You may want to set a lower priority in some situations. For example, if you have scans running at lunch time during the work week, you might want to lower the scan priority to minimize the impact on user productivity. You can specify a scan priority for the following:
Windows computers: Priority differs depending on whether the computer is idle or not idle. The idle setting specifies the priority that is assigned to scans when the computer is idle. The not idle setting specifies the priority that is assigned to scans when the computer is actively working. NetWare computers: Symantec AntiVirus can throttle its load on NetWare servers. A lower load setting means that the server scan takes longer to complete.
Notifications
Click this button to set the detection and remediation options for notifications that you want to appear on the infected computer when Auto-Protect finds a virus or a security risk. See Table 4-10, Notifications options for File System Auto-Protect and manual scans, on page 142.
157
Table 4-14 describes advanced options for manual scans. Table 4-14 Section or Available options option
When scanning compressed files If you check this option, Symantec AntiVirus scans the container, such as Files.zip, and the contents of the container, which are the individual compressed files. Symantec AntiVirus supports a maximum depth of ten levels of nested compressed files for Window computers. NetWare servers are limited to eight levels. Options for scanning compressed files options are as follows:
Advanced manual scan options
Windows Symantec AntiVirus scans compressed files during manual, email, and scheduled scans. Because of the significant processing overhead, Auto-Protect does not scan files that are within compressed files on Windows computers. However, the files are scanned as they are extracted from compressed files. NetWare Symantec AntiVirus scans compressed files during Auto-Protect and scheduled scans. To scan the contents of a compressed file, Symantec AntiVirus extracts each file, one file at a time, from the container and copies it to the SYS volume where it is scanned. The SYS volume must have enough space available on the volume to accommodate the largest file in the container.
Note: You cannot stop a scan that is in progress on a compressed file. If you click Stop Scan, Symantec AntiVirus stops the scan only after it has finished scanning the compressed file. Backup options As a data safety precaution, before you attempt to repair a file, check Back up file before attempting repair. This is checked by default. The original virus-infected file is encrypted and then copied into the Quarantine directory. If needed, you can use this unrepaired backup file to return the file to its original, but infected state. Note: Uncheck this option with caution, since it means that files containing viruses are not going to be backed up before repairs are attempted. You might want to turn it off if performance is an issue, for example on a file server, where the files are backed up regularly by other means This setting applies only to virus-infected files, as files quarantined and repaired for security risks and are always backed up regardless of this setting. Remote options Use this option to display a progress dialog box on the computer while the scan runs, to display a progress dialog box on the computer while the scan runs only if a risk is detected, or to not display a progress dialog box on the computer at all. You can also do the following:

Configure the progress dialog box to close automatically when the scan has completed. Allow a user to stop the scan. When this option is enabled, a Stop button appears on the remote computer. When this option is disabled, the scan cannot be stopped from the remote computer.
Table 4-14 Section or Available options option
Fine-tune scans of the files that Hierarchical Storage Management (HSM) and offline backup systems maintain. An HSM system migrates files to secondary storage such as CD-ROM, tape jukebox, SAN storage, and so on, but might leave parts of the original file on the disk. Performance and disk space issues arise during scans if Symantec AntiVirus opens all of the stubs and the HSM system places the Note: Does files back on the original disk. For all these options, consult your HSM or backup vendor to select not apply to appropriate settings. Storage migration options are as follows: Windows Open files using backup semantics. 2000 and Skip offline files: If the offline bit is set, Symantec AntiVirus skips the file. A small clock over a later. For files icon in Windows Explorer indicates that the offline bit is set. Any application can set the those offline bit without actually placing the file offline. systems, Storage migration options consult your HMS vendor.
Skip offline and sparse files: Some applications set the file sparse bit to indicate that part of the file is not present on the disk. Some HSM products set this bit and others dont. With a sparse file, a stub of the file remains on the disk, and the majority of the file is moved to offline storage. Skip offline and sparse files with a reparse point (default): Some vendors use reparse points. Applications that use reparse points also use an appropriate device driver to manage reparse points in the files. This is the default setting because it is the most reliable for vendors that use reparse points. With a reparse point, a portion of the file remains on disk, and the remainder is transparently accessed through the device driver. Scan resident portions of offline and sparse files: Symantec AntiVirus identifies resident portions of a file. If the file is sparse, Symantec AntiVirus scans only the resident portion; the nonresident portion remains in secondary storage. Some vendors support this capability. Scan all files, forcing demigration (fills drive): Symantec AntiVirus scans the entire file, which forces demigration from secondary storage if necessary. Because the size of the secondary storage is usually greater than the size of the local volume, this setting might fill the local volume and cause further files that are opened for scanning to fail. Scan all files without forcing demigration (slow): Symantec AntiVirus copies a file from secondary storage to the local hard drive as a temp file for scanning, but the HSM application leaves the original file on the secondary storage. This method is slow and is not supported by all HSM vendors. Because a file is copied from secondary storage to a disk for scanning, resource demand is high. Processor and network performance might further degrade as Symantec AntiVirus detects infected content when a repair or deletion is returned to secondary storage. Scan all files recently touched without forcing demigration: To reduce some of the resource demand issues with the Scan all files without forcing demigration option, this option lets you specify that only files that have been migrated recently and might still reside on faster secondary storage are scanned. You might want to scan files if they still reside on the faster secondary disk, and skip demigration and scanning if the files reside on the slow, long-term storage. For example, files might be migrated to a remote disk after 30 days of no access. After 60 days of no access, the file is migrated to CD-ROM or remote SAN storage. In many cases, this method might still be slow because accessing files without forcing demigration is a relatively slow operation. Select the type of access and the number of days to define recently touched.
159
Table 4-14 Section or Available options option

Storage migration options (NetWare)
Check Scan NetWare compressed or migrated files to scan NetWare compressed or migrated files.
To configure manual scans 1 Do one of the following:

Right-click a server or client computer. Select one or more servers that are in the same server group, and then right-click the servers. Select one or more clients that are managed by the same server, and then right-click the clients.
2 3
Click All Tasks > Symantec AntiVirus > Start Manual Scan. In the Select Items dialog box, select the type of manual scan that you want to perform: Quick, Full, or Custom. See Table 4-12, Types of manual scans, on page 154.
If you selected a single computer to scan and select Custom Scan, you can select the drives and folders that you want to scan. If you are scanning multiple computers, this option is not available. Skip to step 6.
Click Save Settings if you want Symantec AntiVirus to remember your selections for future manual scans on this computer. Symantec AntiVirus also remembers the settings of the other options for future scans when multiple computers are selected. Click Options.
6
.
In the Scan Options dialog box, you can select file types or extensions to scan, enable scan enhancements, enable security risk scanning for legacy clients, and exclude files and folders from the scan. See Table 4-13, Manual scan options, on page 154. 7 Click Advanced. In the Scan Advanced Options dialog box, you can set options for scanning compressed files, back up files infected by viruses or blended threats before attempting to repair them, set options on the remote computer, set storage migration options for Windows computers, and enable scans of compressed or migrated files on NetWare servers. See Table 4-14, Advanced manual scan options, on page 157. Set the options you that you want, and then click OK to save advanced options.
161
In the Scan Options dialog box, click Save Settings if you want Symantec AntiVirus to remember these options for future manual scans on this computer. Symantec AntiVirus also remembers these settings for future scans when you select multiple computers.
10 Click OK. 11 Click Start.
Configuring actions for manual scans

The action options for manual scans are the same as those for File System AutoProtect. Table 4-9 describes the action options for manual scans and for File System Auto-Protect. Note: For security risks, use the delete action with caution, because in some cases, deleting security risks can cause applications to lose functionality. To configure actions for manual scans 1 Do one of the following:

2 3
Click All Tasks > Symantec AntiVirus > Start Manual Scan. In the Select Items dialog box, select the type of manual scan that you want to perform: Quick, Full, or Custom. See Table 4-12, Types of manual scans, on page 154. Click Options. In the Scan Options dialog box, click Actions.
4 5
In the Actions dialog box, in the tree, select a type of virus or security risk. By default, each security risk subcategory, such as Spyware, is automatically configured to use the actions that are set at the top level for the entire Security Risks category. To configure a category or specific instances of a category to use different actions, check Override actions configured for Security Risks, and then set the actions for that category only. See Table 4-9, Actions for File System Auto-Protect and manual scans, on page 137. Select each category of virus and security risk that you want to configure, and repeat step 6 for each. If you selected a security risk category, click the Exceptions tab to configure custom actions for one or more specific instances of that security risk category. Click Add.
7 8
10 In the Select risks dialog box, select the specific risks in the list for which you want to configure custom actions, and then click Next. 11 In the Configure risks dialog box, select the first and second actions that you want Symantec AntiVirus to take when it detects the specific risks that you selected, and then click Finish. 12 Repeat steps 8 through 11 for each individual security risk for which you want to set specific actions. 13 Click OK, and then click Start.
Configuring notifications for manual scans

The notifications options for manual scans are the same as those for File System Auto-Protect. Table 4-10 describes the notifications options for manual scans and for File System Auto-Protect. To configure notifications for manual scans 1 Do one of the following:

163
2 3
Click All Tasks > Symantec AntiVirus > Start Manual Scan. In the Select Items dialog box, select the type of manual scan that you want to perform: Quick, Full, or Custom. See Table 4-12, Types of manual scans, on page 154. Click Options. In the Scan Options dialog box, click Notifications. In the Notifications Options window, under Detection Options, check Display notification message on infected computer if you want a message to appear on the infected computer when a virus or security risk is found. In the message box, do any or all of the following to construct the message that you want:

4 5 6
Click to type or edit text. Right-click, click Insert Field, and then select the variable field that you want to insert. See Table 4-11, File System Auto-Protect and manual scan message fields, on page 143. Right-click, and then select Cut, Copy, Paste, Clear, or Undo.
To set Remediation Options, check each option that you want to set. Your options are as follows:
Automatically terminate processes Check this if you do not want users to be notified when Symantec AntiVirus must terminate a process to remove or repair a risk. Users are not prompted to save data before Symantec AntiVirus terminates the processes. Check this if you do not want users to be notified when Symantec AntiVirus must stop a service to remove or repair a risk. Users are not prompted to save data before Symantec AntiVirus stops the services.
Automatically stop services
Click OK until you return to the Select Items dialog box, and then click Start.
164 Scanning for viruses and security risks Creating and configuring scheduled scans
Creating and configuring scheduled scans

You can schedule scans for one or more server groups as well as for individual Symantec AntiVirus servers. You can also schedule scans for individual servers or for clients. You can schedule Symantec AntiVirus client scans at the Symantec AntiVirus server or client level. Scheduled scans have settings that are similar to Auto-Protect scan settings, but each type of scan is configured separately. Exclusions that are set for AutoProtect scanning only affect Auto-Protect scanning; they do not affect scheduled scanning.
Creating scheduled scans

Table 4-15 describes the options for scheduled scans. Table 4-15 Option category
Name Scan Settings
Scheduled scan options Available options

Type a name for the scan. Click Scan Settings to set the type of scan that you want to schedule:

A Quick Scan is a fast scan of system memory, and all the common virus and security risk locations on the computer. A Full Scan scans the entire computer for viruses and security risks, including the boot sector and system memory. A Custom Scan scans the drives and folders that you select. When you configure client scans, you cannot select individual files and folders to include in the scan.
Enable scan
Make sure that this option is checked so that the scan occurs as you configured it. Determines how often the scan runs. Select Daily, Weekly, or Monthly. Determines the time at which the scan runs. You can type any time in increments of 1 minute, or use the drop-down list to select a time in increments of 15 minutes.
Frequency
When
Scanning for viruses and security risks Creating and configuring scheduled scans
165
Table 4-15 Option category

Advanced
Scheduled scan options Available options

Click Advanced to set Advanced scan options. Under Missed Event Options, enable Handle missed events within <number> hours of the scheduled time. Then, set the number of hours within which you want the scan to run. For example, you might want a weekly scan to run only if it is within three days of the scheduled time for the missed event. See Setting options for missed scheduled scans on page 167.
To create scheduled scans 1 2 Select one or more servers, groups, or clients. Do one of the following:
If you right-clicked a server group or multiple server groups, click All Tasks > Symantec AntiVirus > Server Scheduled Scans. If you right-clicked an individual server or client, click All Tasks > Symantec AntiVirus > Scheduled Scans. In the <Servername> Scheduled Scans dialog box, on the Server Group Scans tab, click New. In the <Servername> Scheduled Scans dialog box, on either the Server Scans or the Client Scans tab, click New.
In the <Servername> Scheduled Scan dialog box, type a name for the scan, ensure that Enable scan is checked, and then set the frequency and time at which the scan should run. See Table 4-15, Scheduled scan options, on page 164. Click Advanced to set how to handle missed events, and then click OK. See Table 4-15, Scheduled scan options, on page 164. In the <Servername> Scheduled Scan dialog box, click Scan Settings. Select the type of scan that you want to schedule: Quick, Full, or Custom. In the Select Items dialog box, do one of the following:
5 6 7 8
If you selected multiple servers, clients, or a server group, click Options. If you selected an individual server, select the drives or folders that you want to scan, and then click Options. In the tree view, files and folders appear with various icons. See Table 4-4, Tree view icons and their meaning, on page 117.
In the Scheduled Scan Options dialog box, you can select all types, file types, or extensions to scan, enable and disable scanning enhancements, enable security risk scanning on legacy clients, and exclude files and folders from the scan. If you selected an object that contains multiple computers, you can exclude files and folders from the scan by typing the full path names. The scheduled scan options are the same as the scan options for manual scans. See Table 4-13, Manual scan options, on page 154.
10 Click Advanced. In the Scan Advanced Options dialog box, you can set options for scanning compressed files, back up files that are infected by viruses or blended threats before you attempt to repair them, set options on the remote computer, set storage migration options for Windows computers, and enable scans of compressed or migrated files on NetWare servers. The Advanced scan options are the same as the Advanced scan options for manual scans. See Table 4-14, Advanced manual scan options, on page 157. 11 Under Scheduled Scan Options, click Actions. You can configure the same actions as for File System Auto-Protect and manual scans. See Table 4-9, Actions for File System Auto-Protect and manual scans, on page 137.
167
12 Under Scheduled Scan Options, click Throttling. You can configure the same throttling options as for manual scans. See Table 4-13, Manual scan options, on page 154. 13 Under Scheduled Scan Options, click Notifications. You can configure the same notifications as for File System Auto-Protect and manual scans. See Table 4-10, Notifications options for File System Auto-Protect and manual scans, on page 142. 14 Click OK until you return to the main window in the Symantec System Center console.
Configuring scheduled scans

To configure scheduled scans, you can do the following:
If a computer does not run a scheduled scan for some reason, you can set options for how Symantec AntiVirus handles this situation. See Setting options for missed scheduled scans on page 167. You can edit, delete, or disable scheduled scans. See Editing, deleting, or disabling scheduled scans on page 168. For convenience, you can run a scheduled scan on demand. This can save you from having to configure a manual scan. See Running scheduled scans on demand on page 169.
Setting options for missed scheduled scans

If a computer misses a scheduled scan for some reason, Symantec AntiVirus attempts to perform the scan for a specific time interval. If Symantec AntiVirus cannot start the scan within the time interval, it does not run the scan. Table 4-16 lists the default time intervals for missed scheduled scans. Table 4-16 Scan frequency
Daily scans Weekly scans Monthly scans
Default time intervals Default interval

8 hours 3 days 11 days
If you do not want to use the default setting, you can specify a different time interval in which to attempt a scheduled scan.
To set options for missed scheduled scans 1 2 3 4 Right-click a Symantec AntiVirus server, server group, client group, or client, and then click All Tasks > Symantec AntiVirus > Scheduled Scans. In the <Servername> Scheduled Scans dialog box, select a scan in the list of scans, and then click Edit. In the <Servername> Scheduled Scan dialog box, under Start Scan, click Advanced. In the Advanced Schedule Options dialog box, click Handle Missed Events Within, and then specify the time interval for reattempting the scheduled scan. Click OK until the main Symantec System Center console window appears.
Editing, deleting, or disabling scheduled scans

If you want to modify the properties of an existing scheduled scan, you can edit it. If you want to stop a scheduled scan from occurring, you can delete or disable it.
Edit, delete, or disable scheduled scans

You can edit, delete, or disable a scheduled scan. To edit or delete scheduled scans 1 Right-click one or more server groups, a server, or a client for which you want to edit or delete the scheduled scan, and then click All Tasks > Symantec AntiVirus > Scheduled Scans. In the Scheduled Scans dialog box, select one of the following:
Server Scans Edit or delete scans for servers. This option is not available if you selected a client computer in step 1. Edit or delete scans for clients. This option is not available if you selected a server group in step 1.
Client Scans
Select an existing scan, and then click Edit. Change any properties that you want. Select an existing scan, and then click Delete.
Click OK until you return to the Symantec System Center main window.
169
To disable scheduled scans 1 Right-click one or more server groups, a server, or a client for which you want to disable the scheduled scan, and then click All Tasks > Symantec AntiVirus > Scheduled Scans. The scans that you can disable depend on the object that you select. In the Scheduled Scans dialog box, select one of the following:
Server Scans Disable scans for servers. This option is not available if you selected a client computer in step 1. Disable scans for clients. This option is not available if you selected a server group in step 1.
Client Scans
3 4
Uncheck the previously scheduled scan. Click OK.
Running scheduled scans on demand

When you create and save a scheduled scan, Symantec AntiVirus remembers the server group, server, or computer on which to run the scan and also remembers all of the settings that you chose for that specific scan. After you configure a scheduled scan and all of its scan properties, you might want to run it on demand at some time other than when you originally scheduled it. This can save you the effort of configuring and running a manual scan with similar properties. To run scheduled scans on demand 1 2 3 Right-click a server group or a server, and then click All Tasks > Symantec AntiVirus > Scheduled Scans. In the Scheduled Scans dialog box, select an existing scheduled scan. Click Start Scan.
170 Scanning for viruses and security risks Managing the client user experience
Managing the client user experience

Symantec AntiVirus allows you to control several aspects of the Symantec AntiVirus client user experience. You can do any of the following:

Allow users to pause or stop a scheduled scan. Display a scan progress window. See To enable users to stop scans on page 172. Prevent or allow users to unload Symantec AntiVirus services. Change the password that is required before users can uninstall Symantec AntiVirus. Display and customize warning messages that appear on computers when their virus and security risk definitions are outdated or missing. Display and customize a warning message on an infected computer. For example, if users have a spyware program installed on their computers, you can notify them that they have violated your corporate policy and must uninstall the application immediately. Add an infection warning to an infected email message. Notify the sender of an infected email message. Notify others about the receipt of an infected email message.
Scanning for viruses and security risks Managing the client user experience
171
Enabling users to pause, snooze, or stop scheduled scans

You can allow users to pause or snooze a scheduled scan temporarily, as well as stop the scan entirely. The results are as follows:
Paused scan When a user pauses a scan, the Scan Results dialog box remains open, waiting for the user to either continue or abort the scan. If the computer is shut off, the paused scan does not continue. When a user snoozes a scheduled scan, the user has the option of snoozing the scan for one hour, or depending on the configuration, for three hours. In addition, the number of snoozes is configurable. When a scan is snoozing, the Scan Results dialog box closes, and reappears when the snooze period ends and the scan resumes. When a user stops a scan, the scan stops immediately, unless Symantec AntiVirus is scanning a compressed file. In this case, the scan stops as soon as the compressed file in progress has been scanned. A stopped scan does not restart.
Snoozed scan
Stopped scan
Enable users to pause, snooze, or stop scans

A paused scan automatically restarts after a specified time interval elapses. To enable users to pause or snooze scans 1 2 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Scheduled Scans. In the Scheduled Scans dialog box, do one of the following:

Select a scheduled scan, and then click Edit. Click New to create a new scan.
3 4 5 6 7 8 9
In the Scheduled Scan dialog box, click Scan Settings. In the Select Items dialog box, click Options. In the Scheduled Scan Options dialog box, click Advanced. In the Scan Advanced Options dialog box, under Remote options, click Show scan progress. Uncheck Allow user to stop scan. Check Allow user to pause/snooze scan. Click Pause Options.
10 In the Pause Options dialog box, do one of the following:
To limit the number of minutes that a user may pause a scan, check Limit the time this scan may be paused and type a number of minutes. To limit the number of times a user may pause a scan, in the Number of times it can snooze box, type a number between 1 and 8. To display a three-hour snooze button, check Enable the 3 hour snooze button. By default, a user can pause a scan for one hour. You must enable this option to allow a user to pause a scan for three hours.
11 Click OK until the main Symantec System Center console window appears. To enable users to stop scans 1 2 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Scheduled Scans. In the Scheduled Scans dialog box, do one of the following:

Select a scheduled scan, and then click Edit. Click New to create a new scan.
3 4 5 6 7 8 9
In the Scheduled Scan dialog box, click Scan Settings. In the Select Items dialog box, click Options. In the Scheduled Scan Options dialog box, click Advanced. In the Scan Advanced Options dialog box, in the drop-down list, select Show scan progress. Check Allow user to stop scan. If you want to automatically close the scan progress indicator after the scan completes, check Close scan progress when done. Click OK until the main Symantec System Center console window appears.
Preventing or allowing users to unload Symantec AntiVirus services

You can prevent or allow users to unload (uninstall) Symantec AntiVirus services. To prevent or allow users to unload Symantec AntiVirus services 1 2 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Client Administrator Only Options. Click the Security tab.
173
3 4
Change the setting for Lock the ability of users to unload Symantec AntiVirus Services. Click OK.
Changing the password that is required to uninstall

Symantec AntiVirus requires client users to provide a password before they can uninstall Symantec AntiVirus. By default, this password is set to symantec. To change the password that is required to uninstall 1 2 3 4 5 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Client Administrator Only Options. Click the Security tab. Under User disable/uninstall, click Change. In the Configure Password dialog box, type a new password, and then confirm by typing the password again. Click OK until the main window in the Symantec System Center console appears.
Changing the password that is required to scan mapped drives

Symantec AntiVirus requires client users to provide a password before they can scan a mapped drive. By default, this password is set to symantec. To change the password that is required to scan mapped drives 1 2 3 4 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Client Administrator Only Options. On the Security tab, under Scan network drive, click Change. In the Configure Password dialog box, type a new password, and then confirm by typing the password again. Click OK until the main window in the Symantec System Center console appears.
Displaying a warning when definitions are out of date or missing

You can display and customize warning messages to appear on client computers when their virus and security risk definitions are outdated or missing.
To display a warning about definitions 1 2 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Client Administrator Only Options. On the General tab, under Actions, select one or both of the following:

Display message when definitions are outdated Display message when Symantec AntiVirus is running without virus definitions
3 4
For outdated virus and security risk definitions, set the number of days that definitions can be outdated before the warning is displayed. For missing virus and security risk definitions, set the number of attempts that Symantec AntiVirus can make to retrieve definitions after the computer is restarted, before the warning is displayed. Click Warning Message for each option that you checked, and then customize the default message. Click OK until the main Symantec System Center console window appears.
5 6
Managing warnings and notifications about infected files

You have several user options related to infected files.
Customizing and displaying warnings on infected computers

When you run a remote scan on a users computer, you can immediately notify the user of a problem by displaying a warning message on the infected computers screen. You can customize the warning message by including information such as the name of the risk, the name of an infected file, the status of the risk, and so on. For example, a warning message might look as follows:
Scan type: Scheduled Scan Event: Risk Found SecurityRiskName: Stoned-C File: C:\Autoexec.bat Location: C: Computer: ACCTG-2 User: JSmith Action taken: Cleaned
Customizing messages for manual scans is covered under manual scans. See Configuring notifications for manual scans on page 162.
175
Adding warnings to infected email messages

For supported email software, you can configure Auto-Protect to automatically insert a warning into the body of an infected email message. This type of warning can be important if Symantec AntiVirus is unable to clean the virus from the message, and if an infected attachment file is moved, left alone, deleted, or renamed. The warning message tells you which virus was found and explains the action that was taken. Symantec AntiVirus appends the following text to the top of the email message that is associated with the infected attachment: Symantec AntiVirus found a virus in an attachment from [EmailSender]. For each infected file, the following information is also added to the email message:

Name of the file attachment Name of the virus Action taken: cleaned, moved to the Quarantine, deleted, or left alone File status: infected or not infected
You can customize the subject and body of the message. The email message contains a field called [EmailSender]. All fields in brackets contain variable information. You can customize the default message by rightclicking the body of the message and selecting a field to insert into the message. The message would look as follows to the recipient: Symantec AntiVirus found a virus in an attachment from John.Smith@mycompany.com. To add email warnings to infected messages 1 2 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on either the Internet E-mail, Lotus Notes, or Microsoft Exchange tab, click Insert warning into email message. Do one of the following:

Click OK to accept the default message. Click Warning and customize the text.
Click OK until the Client Auto-Protect Options dialog box disappears.
Notifying senders of infected email messages

For supported email software, you can configure Auto-Protect to respond automatically to the sender of an email message that contains an infected attachment.
Notify senders of infected email messages

For groupware email applications, Symantec AntiVirus can be configured to send a default reply email message with the following subject: Virus Found in message [EmailSubject] The body of the message informs the sender of the infected attachment: Symantec AntiVirus found a virus in an attachment you ([EmailSender]) sent to [EmailRecipientList]. For each infected file, the following information is also added to the email message:

Name of the file attachment Name of the virus Action taken: such as cleaned, moved to the Quarantine, deleted, or left alone File status: infected or not infected
You can also customize this message. To notify senders of infected messages in groupware email applications 1 2 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on either the Lotus Notes or Microsoft Exchange tab, click Enable Lotus Notes (Microsoft Exchange) Auto-Protect. Click Send e-mail to sender. Click Compose. Do one of the following:

3 4 5
Click OK to accept the default message. Click Message and customize the text.
Click OK until the Client Auto-Protect Options dialog box disappears.
177
To notify senders of infected messages in Internet email applications 1 2 3 4 5 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on the Internet E-mail tab, click Enable Internet E-mail Auto-Protect. Click Send e-mail to sender. Click Settings. In the E-mail Notifications Settings dialog box, on the E-mail Server tab, type the mail server name and port, the user name and password, and the reverse path for the mail. Click the Message tab and type a subject line, message body, and infection information to appear in each message, and then click OK. Click OK until the Client Auto-Protect Options dialog box disappears.
6 7
Notifying users of infected email messages

For supported email software, you can configure Auto-Protect to notify users whenever an email message that contains an infected attachment is opened.
Notify users of infected email messages

For groupware email applications, Symantec AntiVirus sends an email message to the selected recipients with the following subject: Virus Found in message [EmailSubject] The body of the message includes information on the sender of the infected attachment: Symantec AntiVirus found a virus in an attachment from [EmailSender]. For each infected file, the following information is also added to the email message:

Name of the file attachment Name of the virus Action taken: such as cleaned, moved to the Quarantine, deleted, or left alone File status: infected or not infected
You can also customize this message.
To notify others of infected messages in groupware email applications 1 2 Right-click a server group, Symantec AntiVirus server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on either the Lotus Notes or Microsoft Exchange tab, click Enable Lotus Notes (Microsoft Exchange) Auto-Protect. Click Send e-mail to selected. Click Settings. In the E-mail Notifications Settings dialog box, on the Addresses tab, provide one or more email addresses to which notification should be sent. Click the Message tab and type a subject line, message body, and infection information to appear in each message. Click OK until the Client Auto-Protect Options dialog box disappears.
3 4 5 6 7
To notify others of infected messages in Internet email applications 1 2 3 4 5 Right-click a server group, server, or client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options. In the Client Auto-Protect Options dialog box, on the Internet E-mail tab, click Enable Internet E-mail Auto-Protect. Click Send e-mail to selected. Click Settings. In the E-mail Notifications Settings dialog box, on the E-mail Server tab, type the mail server name and port, the user name and password, and the reverse path for the mail. Click the Addresses tab and provide one or more email addresses to which notification should be sent. Click the Message tab and type a subject line, message body, and infection information to appear in each message. Click OK until the Client Auto-Protect Options dialog box disappears.
6 7 8
Chapter
Updating definitions

About definitions Ensure that all definitions are current Definitions files update methods Updating definitions files on servers Updating definitions files on clients Controlling definitions file deployment Testing definitions files Scenarios for definitions updates About scanning after updating definitions files
About definitions
Virus and security risks definitions contain sample code for thousands of threats and security risks. When Symantec AntiVirus scans for threats and security risks, it attempts to find matches between your files and sample code that is inside of the definitions. If Symantec AntiVirus finds a match, one or more files might be infected by threats or security risks. Every server and client that runs Symantec AntiVirus has a copy of the definitions. These definitions can become outdated as new viruses and security risks are discovered. Symantec updates definitions about once a week, or more frequently if needed. It is important to keep definitions current to maintain the highest level of protection for your network.
180 Updating definitions Ensure that all definitions are current
Ensure that all definitions are current

In the previous version of Symantec AntiVirus, the definitions files contained only the information that was needed to detect and eliminate viruses, and to detect security risks. The definitions updates for the current version contain detection and repair information for viruses as well as security risks. Management servers that run legacy versions of Symantec AntiVirus can update their clients only with the definitions files that the legacy release supports. Thus, management servers that run 9.x versions of Symantec AntiVirus download and distribute updates that provide detection and elimination of viruses, and detection of security risks, but do not contain information that is needed to repair the side effects of either viruses or security risks. Management servers that run the current version of Symantec AntiVirus can distribute the proper definitions files to clients that run either legacy or current Symantec AntiVirus software.
Definitions files update methods

There are several methods that are available for downloading definitions and setting up servers and clients to retrieve them. Table 5-1 describes the definitions update methods. Note: All the methods described update both virus and security risk definitions simultaneously in the current version of Symantec AntiVirus. Table 5-1 Method
Virus Definition Transport Method
Definitions update methods When to use it

Use the Virus Definition Transport Method when you want to control the virus and security risk definitions updates from the Symantec System Center. In addition, use this method during a virus outbreak to push the latest definitions files to the computers on your network immediately.
Description
A push operation starts when new virus and security risk definitions are received via the Symantec FTP site or LiveUpdate server by a primary management server on your network. The primary management server passes a definitions package to all of the secondary management servers in the server group. Secondary management servers extract the definitions and place them in the appropriate directory. Clients receive the package from their parent management servers. Clients extract the definitions and place them in the appropriate directory.
Updating definitions Definitions files update methods
181
Table 5-1 Method

LiveUpdate
Definitions update methods When to use it

Use LiveUpdate when you want protected computers to pull virus and security risk definitions updates from an internal LiveUpdate server, or directly from Symantec.
Description
A scheduled pull operation starts when a client or server that runs LiveUpdate requests new virus and security risk definitions. LiveUpdate may be configured on each computer to request the update from a designated internal LiveUpdate server or directly from the Symantec LiveUpdate server.
Intelligent Updater
Intelligent Updater is a self-extracting executable Use Intelligent Updater when you file that contains virus and security risk definitions need to distribute virus and security files. risk definitions updates to users who do not have active network connections. The Central Quarantine Server periodically polls the Digital Immune System gateway for new virus and security risk definitions files. When new definitions are available, the Central Quarantine Server can push the new definitions to the computers that need it automatically. Use Central Quarantine when you want to automate the distribution of definitions file updates across your network. For information about using Central Quarantine, see the Symantec Central Quarantine Administrators Guide.
Central Quarantine polling
Note: 64-bit computers receive definitions files using LiveUpdate. All other methods of updating these files are not supported.
Best practice: Using the Virus Definition Transport Method and LiveUpdate together
You can use the Virus Definition Transport Method and LiveUpdate together. Using the Virus Definition Transport Method allows you to schedule and push virus and security risk definitions updates from the Symantec System Center. In addition, you can use the Virus Definition Transport Method as an emergency system for distributing new virus definitions quickly when the network is threatened by a new virus. Although the Virus Definition Transport Method is used more often, some large networks depend on LiveUpdate. These installations do not permit direct access to the Symantec site by a large number of servers and clients. One or more servers act as an internal LiveUpdate server to all of the other servers on the network, and in some installations, to all clients.
182 Updating definitions Updating definitions files on servers
Best practice: Using Continuous LiveUpdate on 64-bit computers

To ensure that each managed 64-bit computer maintains the latest virus and security risk definitions, you can use Continuous LiveUpdate to require each computer to check for updates after a specified interval has expired. If you have more than one 64-bit computer on your network and you are using the Symantec System Center console, you can group these computers into a client or server group and manage the definitions from the console. If you are not using the console, you can enable this feature and set the interval on the client computer. See Enabling and configuring Continuous LiveUpdate for managed clients on page 198.
Updating definitions files on servers

You can update the virus and security risk definitions files on Symantec AntiVirus servers by using the following methods:

Virus Definition Transport Method LiveUpdate Intelligent Updater Central Quarantine polling
See Table 5-1, Definitions update methods, on page 180.
Updating and configuring servers using the Virus Definition Transport Method
Update Symantec AntiVirus servers manually when you need to force an immediate update. Schedule automatic updates to handle routine definitions files updating without requiring further interaction.
Update servers manually or automatically using the Virus Definition Transport Method
You can update servers manually or automatically. Updates occur only when the virus and security risk definitions files on a server are older than the definitions that are available on the LiveUpdate server. To update all unlocked servers in the system 1 In the Symantec System Center console, right-click System Hierarchy, and then click Symantec AntiVirus > Update Virus Defs Now.
Updating definitions Updating definitions files on servers
183
2 3
In the confirmation dialog box, click Yes. In the status dialog box, click OK.
To update servers manually 1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. Select one of the following:
Update The Primary Server Of This Server Group Only Update Each Server In This Server Group Individually To update all servers in the group from the primary management server To update servers individually
The option that you select affects all of the servers in the server group, whether you right-click a server group or an individual server. 3 4 Click Configure. Click Update Now. A message appears with information about how you can view the date of the new virus and security risks definitions file. Read the information that appears, and then click OK until the Symantec System Center console reappears.
To update servers automatically 1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. Select one of the following:
Update The Primary Server Of This Server Group Only To update all servers in the group automatically from the primary management server To update servers individually
Update Each Server In This Server Group Individually
The option that you select affects all servers in the server group, whether you right-click a server group or an individual server. 3 Click Configure.
4 5 6
Ensure that Schedule For Automatic Updates is checked, and then click Schedule. Select options to determine when the definitions file updates (for example, every Tuesday at 10:00 P.M.). Click OK until you return to the Symantec System Center main window.
Updating a master primary management server

Configure a master primary management server to limit your networks exposure to the Internet. To configure a master primary management server 1 2 3 4 5 6 In the Symantec System Center console, right-click a server, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, click Update the Primary Server of this Server Group only. Click Configure. In the Configure Primary Server Updates dialog box, click Source. In the Setup Connection dialog box, in the Update definition file via list, click Another Protected Server, and then click Configure. In the Configure Update From Server dialog box, select the server that you want to use as the master primary management server from the list of servers that appears. Click OK until you return to the Configure Primary Server Updates dialog box. In the Configure Primary Server Updates dialog box, do one of the following:
7 8
Click Update Now to retrieve the definitions file from the master primary management server immediately. Click Schedule For Automatic Updates, and then click Schedule. Set a frequency and time when the server checks for updates on the master primary management server.
185
Updating NetWare servers using the Virus Definition Transport Method

Updating a NetWare server is similar to updating other types of servers with the following differences:
You can designate a NetWare server as the primary management server for your network, or designate a supported Windows computer as the primary management server. If your NetWare servers are running on faster computers or have a higher bandwidth connection than your Windows servers, you can designate a NetWare server as a primary management server for increased performance. NetWare primary management servers must have TCP/IP and FTP running and must be able to connect to the Internet. FTP is enabled by default on NetWare 5.x servers and later. In addition, NetWare environments require a supported Windows computer to run the Symantec System Center console. NetWare servers do not store the addresses of supported Windows servers in their address caches. As a result, if your NetWare server is not running TCP/IP and is not using a domain naming system (DNS) server, you might have difficulty updating a NetWare server from a Windows server that resides in a different server group.
Virus Definition Transport Method scenarios

Figure 5-1 shows one way that you could configure virus and security risk definitions file updates for your computers if you have a small network of six file servers that are divided into two server groups.
Figure 5-1
Definitions file updating using the Virus Definition Transport Method

ftp.symantec.com or Symantec LiveUpdate server
Server group A
Primary management server 1
Symantec AntiVirus server
Client
Client
Client
Client
Client
Client
IP
Server group B
Primary management server 2
Client
Client
Client
Client
Client
Client
Configure a primary management server to retrieve the latest virus and security risk definitions file updates; you can download through HTTP, FTP, or another computer. Configure primary management server 2 to retrieve the latest update from primary management server 1. This makes primary management server 1 a master primary management server. Symantec AntiVirus servers in server group B receive updates from their primary management server. Clients automatically receive updates from their Symantec AntiVirus parent servers.
187
Figure 5-2 illustrates how you might configure definitions file updates if your organization has multiple sites that are linked over a wide area network (WAN). Figure 5-2 Definitions file updating for multiple sites over a WAN
ftp.symantec.com or Symantec LiveUpdate server
Central region
East region
West region
Server group primary management servers on separate WANs retrieve the update from the Symantec FTP site or LiveUpdate server. Primary management servers distribute the update to primary management servers in other server groups in their local networks. The primary management servers distribute the update to other protected servers and clients in their server group.
Updating servers using LiveUpdate

Depending on the size of your network, you can use LiveUpdate to update virus and security risk definitions files in the following ways:
For smaller networks (less than 1000 nodes), configure managed servers to directly retrieve updates from the Symantec FTP site, Symantec LiveUpdate server, or an internal LiveUpdate server. For larger networks (greater than 1000 nodes), set up an internal LiveUpdate server, download updates to that server, and have your managed servers retrieve updates from the internal LiveUpdate server.
Updating servers from the Symantec FTP site or LiveUpdate server

You need to configure updating for the Symantec AntiVirus primary management server in each server group to ensure that its virus and security risk definitions files are current. You can also configure individual servers to update directly from Symantec.
Update Symantec AntiVirus servers directly from the Symantec FTP site or LiveUpdate server
You can update all of the Symantec AntiVirus servers in a server group from a primary management server, or update each server in the group individually. To update primary management servers 1 2 3 4 In the Symantec System Center console, right-click a server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, click Update The Primary Server Of This Server Group Only. Click Configure. In the Configure Primary Server Updates dialog box, do one of the following:

Click Update Now to launch a LiveUpdate session immediately. Click Schedule For Automatic Updates, and then click Schedule to set a frequency and time when the server runs a LiveUpdate session.
5 6
Click OK. In the Configure Primary Server Updates dialog box, click Source.
189
7 8
In the Update definition file via list, click LiveUpdate (Win32)/ FTP(NetWare). Click OK until you return to the Symantec System Center main window.
To update individual servers 1 2 3 4 5 6 In the Symantec System Center console, right-click a server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, click Update Each Server In This Server Group Individually. Click Configure. In the Configure Server Updates dialog box, click Source. Click LiveUpdate (Win32)/FTP (NetWare). Click OK. If you are configuring a NetWare server, make sure that the server is running FTP. Do one of the following:

Click Update Now to launch a LiveUpdate session immediately. Click Schedule For Automatic Updates, and then click Schedule to set a frequency and time when the server runs a LiveUpdate session.
Updating servers from an internal LiveUpdate server

You can set up an internal LiveUpdate server on a computer whether Symantec AntiVirus server software is installed or not. In either case, you should use the LUAdmin Utility to update the LiveUpdate server. The LUAdmin Utility pulls the definitions updates down from a Symantec LiveUpdate server, then places the packages on a Web server, an FTP site, or a location that is designated by a UNC path. You must then configure your Symantec AntiVirus servers to pull their definitions updates from this location. See Updating servers using LiveUpdate on page 188. For more information, see the LiveUpdate Administrators Guide, which is available on the product CD or on the Symantec Support Web site. Note: To compensate for unavailable internal LiveUpdate servers, Symantec AntiVirus supports multiple internal LiveUpdate servers for failover support.
To update servers from an internal LiveUpdate server 1 2 3 In the Symantec System Center console, right-click a server group, and then click All Tasks > LiveUpdate > Configure. In the Configure LiveUpdate dialog box, click Internal LiveUpdate Server. Set the following internal LiveUpdate server options:
Name The name of the server. This name will appear when you run LiveUpdate. This box is optional. You can type descriptive information that is related to the server. For example, you can type the name of the site. The logon name that is associated with the server. Leave this box blank so that users can log on and retrieve the files without typing information. The logon password that is associated with the server. Leave this box blank so that users can log on and retrieve the files without typing information.
Location
Login Name
Login Password
URL or IP Address
If you are using the FTP method (recommended), under Type, you can click FTP, and then type the FTP address for the server. For example: ftp.myliveupdateserver.com If you are using the HTTP method, under Type, you can click HTTP, and then type the URL for the server. For example: http:\\myliveupdateserver.com or 192.168.133.11\Export\Home\LUDepot If you are using the LAN method, under Type, you can click LAN, and then type the server UNC path name. For example: \\Myserver\LUDepot In the Login box, type the name and password to access the server.
If you leave the Login Name and Login Password boxes empty, an anonymous logon is used. This requires that anonymous logons be enabled on the FTP server. If your policy prohibits anonymous logons on FTP servers, type the logon name and password for the FTP server and directory to be accessed. 4 Click OK until you return to the Symantec System Center main window.
191
Updating servers with Intelligent Updater

To distribute updated virus and security risk definitions, download a new Intelligent Updater, and then use your preferred distribution method to deliver the updates to your managed servers and clients. Intelligent Updater is available as a single file or as a split package, which is distributed across several smaller files. The single file is for computers with network connections. The split package can be copied to floppy disks and used to update computers that do not have network connections, Internet access, or a CD-ROM drive.
Update servers with Intelligent Updater files

Download Intelligent Updater from the Symantec Web site, and then install Intelligent Updater to servers that need the latest virus and security risk definitions files. Note: Make sure to use Intelligent Updater files for Symantec AntiVirus rather than the consumer version of the product. To download Intelligent Updater 1 2 3 4 5 6 7 Using your Web browser, go to: http://securityresponse.symantec.com Click Download Virus Definitions. Click Download Virus Definitions (Intelligent Updater Only). Select the appropriate language and product. Click Download Updates. Click the file with the .exe extension. When you are prompted for a location in which to save the files, select a folder on your hard drive.
To install the virus and security risk definitions files 1 2 Locate the Intelligent Updater file that you downloaded from Symantec. Double-click the file and follow the on-screen instructions.
About using Central Quarantine polling to update servers

If you use Symantec Central Quarantine, you can configure the Central Quarantine Server to periodically poll the Digital Immune System gateway for new virus and security risk definitions files. When new definitions are available, the Central Quarantine Server can automatically push the new definitions to the computers that need it, using the Virus Definition Update Method. For more information, see the Symantec Central Quarantine Administrators Guide.
Minimizing network traffic and handling missed updates

LiveUpdate provides advanced scheduling options for minimizing network traffic and handling missed updates. Table 5-2 describes LiveUpdate scheduling options. Table 5-2 Option
Randomization options
LiveUpdate scheduling options Description

Randomizes updates:
When to use
Use when you want to stagger updates for multiple computers to minimize the impact on network traffic. By default, Symantec AntiVirus randomizes LiveUpdate sessions to minimize bandwidth spikes.
Plus or minus a specified number of minutes of the scheduled time Any day of the week within a specified time interval Any day of the month plus or minus a specified number of days of the scheduled date
Missed Event options
Determines how missed LiveUpdate events are handled. An event might be missed if a computer is turned off when the LiveUpdate session is scheduled to run. You can set options so that scheduled LiveUpdate events that were missed run at a later time.
Use to ensure that computers that are unavailable for a regularly scheduled LiveUpdate event attempt to pull definitions at a later time.
193
Minimize network traffic and handle missed updates

You can set separate randomization schedules for Symantec AntiVirus servers and clients on your network to minimize the impact on network traffic. You can specify separate policies for handling missed LiveUpdate events for Symantec AntiVirus servers and clients. To randomize the LiveUpdate schedule for servers 1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, click Configure. In the Configure Primary Server Updates dialog box, check Schedule For Automatic Updates. Click Schedule. Set the frequency and time when the server checks for updates. In the Virus Definition Update Schedule dialog box, click Advanced. In the Advanced Scheduled Options dialog box, under Randomization Options, check the options that you want, and then set the minutes, day of the week, or day of the month options. Click OK until you return to the Symantec System Center main window.
2 3 4 5 6 7
To randomize the LiveUpdate schedule for clients 1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, check Schedule Client For Automatic Virus Definition Updates Using LiveUpdate. Click Schedule. Set the frequency and time when the clients will check for updates. Click Advanced. In the Advanced Schedule Options dialog box, under Randomization Options, check the options that you want, and then set the minutes, day of the week, or day of the month options. Click OK until you return to the Symantec System Center main window.
2 3 4 5 6
To handle missed LiveUpdate events for servers 1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, click Configure. Click Schedule for Automatic Updates. In the Configure Primary Server Updates dialog box or the Configure Server Updates dialog box, click Schedule. In the Virus Definition Update Schedule dialog box, click Advanced. In the Advanced Schedule Options dialog box, check Handle Missed Events Within. Set the time limit within which you want the scan to run. For example, you might want a weekly LiveUpdate event to run only if it is within three days after the scheduled time for the missed event. Click OK until you return to the Symantec System Center main window.
2 3 4 5 6 7
To handle missed LiveUpdate events for clients 1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, click Schedule Client For Automatic Virus Definition Updates Using LiveUpdate. Click Schedule. In the Virus Definition Update Schedule dialog box, click Advanced. In the Advanced Schedule Options dialog box, check Handle Missed Events Within. Set the time limit within which you want the scan to run. For example, you may want a weekly LiveUpdate event to run only if it is within three days after the scheduled time for the missed event. Click OK until you return to the Symantec System Center main window.
2 3 4 5 6
Updating definitions Updating definitions files on clients
195
Updating definitions files on clients

You can update the virus and security risk definitions files on Symantec AntiVirus clients by using the following methods:

Virus Definition Transport Method LiveUpdate Intelligent Updater See Updating servers with Intelligent Updater on page 191. Central Quarantine polling See About using Central Quarantine polling to update servers on page 192.
See Table 5-1, Definitions update methods, on page 180.
Update definitions files on Symantec AntiVirus clients

You can update Symantec AntiVirus clients using the Virus Definition Transport Method, LiveUpdate, or both. Note: LiveUpdate is the only method for updating definitions files that is supported on 64-bit computers. To update clients using the Virus Definition Transport Method 1 2 3 4 5 6 7 In the Symantec System Center console, right-click a server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, check Update Virus Definitions From Parent Server. Click Settings. In the Update Settings dialog box, set the frequency with which the parent management server will push updates. Click OK. In the Virus Definition Manager dialog box, uncheck Schedule Client for Automatic Updates using LiveUpdate. Click OK until you return to the Symantec System Center main window.
196 Updating definitions Updating definitions files on clients
To update clients using LiveUpdate 1 2 3 4 5 In the Symantec System Center console, right-click a server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, check Schedule Client For Automatic Updates Using LiveUpdate. Click Schedule. In the Virus Definition Update Schedule dialog box, select the frequency, day, and time that you want the update to occur. Click OK until you return to the Symantec System Center main window.
To update clients using both the Virus Definition Transport Method and LiveUpdate 1 2 3 4 5 6 7 8 9 In the Symantec System Center console, right-click a server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, check Update Virus Definitions from Parent Server. Check Schedule Client For Automatic Updates Using LiveUpdate. Click Schedule. In the Virus Definition Update Schedule dialog box, select the frequency, day, and time that you want the update to occur. Click OK. Click Settings. In the Update Settings dialog box, set the frequency with which the parent management server pushes updates. Click OK until you return to the Symantec System Center main window.
Forcing definitions files on clients to update immediately

You can force clients to update virus and security risk definitions files immediately using LiveUpdate. This feature is available for clients that normally receive updates using LiveUpdate or the Virus Definition Transport Method. This feature provides a good way to update definitions files when one or more clients on which LiveUpdate is installed are using outdated files for some reason, for example, when an update operation that was performed at the server group level succeeded on all but several clients.
197
Warning: Updating a large number of clients immediately can result in slow performance. Once you start this operation, you cannot cancel it. Do not use this feature to update definitions files during a virus outbreak. See Handling a virus outbreak on your network on page 211.
Update definitions files on clients immediately

Before you can update virus and security risk definitions files, you must specify the number of clients to update. When the number of selected clients exceeds this number, a confirmation dialog box appears to verify that you want to exceed the administrator-specified number. To specify the number of clients to update immediately 1 2 In the Symantec System Center console, on the Tools menu, click SSC Console Options. In the SSC Console Options Properties window, on the Client Display tab, select the number of clients that you want to update before you see a confirmation dialog box. Click OK.
To update one or more clients immediately with LiveUpdate 1 In the Symantec System Center console, right-click one or more clients in the right pane, and then click All Tasks > Symantec AntiVirus > Update Virus Defs Now. If you selected more than the administrator-specified number of clients, in the confirmation dialog box, select one of the following:

Yes
Cancel If a client is configured to update using the Virus Definition Transport Method, Symantec AntiVirus prompts you to allow LiveUpdate to run. 3 Click OK in the status dialog box.
Configuring managed clients to use an internal LiveUpdate server

You can configure LiveUpdate settings for managed computers running Symantec AntiVirus client from the Symantec System Center. For unmanaged Symantec AntiVirus clients, use the LiveUpdate Administration Utility to create a custom .hst file.
For information on configuring LiveUpdate for unmanaged Symantec AntiVirus clients, see the LiveUpdate Administrators Guide. To configure a managed Symantec AntiVirus client to use an internal LiveUpdate server 1 2 3 4 Right-click a parent management server or a server group, and then click All Tasks > LiveUpdate > Configure. In the Configure LiveUpdate dialog box, click Internal LiveUpdate Server. If you are using an FTP or HTTP server, type the appropriate data in the Login Name and Password boxes. In the Connection box, type one of the following:

The Universal Naming Convention (UNC) path to your shared folder The URL or IP address for your FTP or HTTP server LAN FTP HTTP
In the Type list, select one of the following:

6 7
To configure individual clients to use an internal LiveUpdate server as well, check Apply settings to clients not in Groups. Click OK until you return to the Symantec System Center main window. If you are using multiple parent management servers, repeat steps 1 through 7 for each parent management server so that all Symantec AntiVirus clients and servers receive the changes.
Enabling and configuring Continuous LiveUpdate for managed clients

If a managed Symantec AntiVirus client infrequently connects to its parent management server (for example, a laptop computer that is used remotely), it might not receive the most current virus and security risk definitions updates. For these computers, Continuous LiveUpdate offers a backup option for receiving updates directly from Symantec whenever the computer connects to the Internet. With Continuous LiveUpdate, you can specify a maximum number of days that the definitions files on a Symantec AntiVirus computer can be out of date before an update is forced. When the Symantec AntiVirus client determines that its definitions files exceed the maximum age, it initiates a silent (no user interaction required) LiveUpdate session when it connects to the Internet.
199
You can enable Continuous LiveUpdate by using the Symantec System Center. You can also enable Continuous LiveUpdate by changing the client registry.
Enabling Continuous LiveUpdate by using the Symantec System Center

You can enable Continuous LiveUpdate by using the Symantec System Center. To enable Continuous LiveUpdate 1 In the Symantec System Center console, right-click a server group, a Symantec AntiVirus server, a client group, or an individual Symantec AntiVirus client, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, check Enable Continuous LiveUpdate. Click OK until you return to the Symantec System Center main window.
2 3
Enabling and configuring Continuous LiveUpdate by changing the client registry

You can enable Continuous LiveUpdate through the client registry by adding a new subkey, EnableAdminForcedLU, to HKEY_LOCAL_MACHINE\ SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\PatternManager. Set its value to 1 to enable Continuous LiveUpdate. You can configure additional Continuous LiveUpdate options by adding other values to the clients registry. Table 5-3 describes the registry subkeys that you use to configure Continuous LiveUpdate. Table 5-3 Subkey name
EnableAdminForcedLU MaxDefsDaysOldAllowed
Configuration values for Continuous LiveUpdate Data value

0/1 n
Description
Disable or enable Continuous LiveUpdate. Specify the age (in days) that the definitions can be before Symantec AntiVirus runs a silent LiveUpdate. Specify the interval (in minutes) to check for old definitions.
AdminForcedLUCheckInterval
Table 5-3 Subkey name

AFLUDelay
Configuration values for Continuous LiveUpdate Data value

n
Description
Set the startup delay time (between 10 and 180 minutes) of the Continuous LiveUpdate feature. This delay time is valid only if the feature is enabled. The actual delay time is a random number between 8 and n+8 where n is the value in the registry key. The default value is 30 minutes.
Note: Set the MaxDefsDaysOldAllowed value to 8 days or higher. Lower settings may cause problems if you need to perform a definitions rollback, since the age of the definitions files that you want to roll back to may exceed the maximum number of days that Continuous LiveUpdate allows before forcing an update.
Setting LiveUpdate usage policies

You can set LiveUpdate usage policies for managed clients. When these policies are enabled, they are dimmed on the client. The policies determine whether the following activities can be performed at the client level:

Change the LiveUpdate schedule. Manually launch LiveUpdate.
To set LiveUpdate usage policies 1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, do one of the following:
Check Do Not Allow Client To Modify LiveUpdate Schedule to prevent the LiveUpdate schedule from being modified on the client. (Schedule Client For Automatic Updates Using LiveUpdate must be checked or this box is dimmed.) When this option is unchecked, LiveUpdate can run on the client at any time. Uncheck Do Not Allow Client To Manually Launch LiveUpdate to prevent LiveUpdate from being manually launched on the client. When this option is unchecked, LiveUpdate can run on the client at any time.
Updating definitions Controlling definitions file deployment
201
Uncheck Download Product Updates Using LiveUpdate to prevent application updates.
Controlling definitions file deployment

The Symantec System Center console provides a set of tools for controlling the deployment of virus and security risk definitions files on your network. Use these tools to do the following:
Verify the version numbers of definitions files on servers. See Verifying the version number of definitions files on page 201. View the risk lists on servers and clients. See Viewing the risk list on page 202. Roll back to a previous definitions file (network-wide). See Rolling back definitions files on page 202.
If new definitions files are causing false positives or other problems for a server, you can verify the version number of the definitions file on that computer and then deploy an earlier definitions set from the Symantec System Center console. All servers and clients in that server group will roll back to the specified definitions file. You can also control the version of the definitions file that is used on all servers and clients in a server group. Users who download a definitions file that was not approved for company use can be forced to use the virus and security risks definitions file that you specify. Because you can easily undo a definitions file rollout, you can release new definitions files in less time.
Finding computers with outdated definitions files

The Symantec System Center displays a warning icon if a definitions file is outof-date on one or more computers that are managed by a parent management server, server group, or client group. To find computers with outdated definitions files
Expand the server, server group, or client group and look for warning icons.
Verifying the version number of definitions files

Using the Symantec System Center console, you can view the version number of the definitions files at the Symantec AntiVirus server, server group, client group, and individual Symantec AntiVirus client level.
202 Updating definitions Controlling definitions file deployment
To verify the version number of definitions files
In the Symantec System Center console, right-click a server group, client group, Symantec AntiVirus server, or client, and then click Properties. On the Symantec AntiVirus tab, in the Virus Definitions box, the file version is listed as a numerical date, followed by a version number. After a definitions file is updated on a computer, it might take several minutes before the information is available from the console.
Viewing the risk list

You can view a list of the viruses and security risks, such as adware and spyware, that are detectable on a selected server or client. The risk list ensures that the selected computer is protected from a specific virus or security risk. To view the risk list 1 2 In the Symantec System Center console, right-click a server or client, and then click All Tasks > Symantec AntiVirus > View Risk List. Click Close.
Rolling back definitions files

You can roll back a virus and security risk definitions file for a server group. For example, if the most recent file generated false positive virus or security risks detections, you might want to roll back to a previous file. Before you attempt to roll back definitions, make sure that you restart all of the computers that run the antivirus client and server programs after the initial installation. If you do not do this, some clients might not roll back to the earlier definitions. Note: When you roll back definitions files, virus and security risks definitions that are newer than those in the rolled back version are deleted. To roll back definitions files 1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Virus Definition Manager. In the Virus Definition Manager dialog box, ensure that Update The Primary Server Of This Server Group Only is selected, and then click Configure. In the Configure Primary Server Updates dialog box, click Definition File.
Updating definitions Testing definitions files
203
4 5 6
In the Select Virus Definition File dialog box, select the definitions file that you want to roll back to, and then click Apply. Click Yes to change the current file. Click OK until you return to the Symantec System Center main window.
Testing definitions files

Many administrators prefer to test virus and security risk definitions files on a test network before making them available on a production server. To test definitions files 1 2 3 4 Install Symantec AntiVirus server to a primary management server on the test network. From the primary management server on your test network, run LiveUpdate to download the definitions file. Go to www.eicar.org and download the antivirus test file to test the operation of the definitions file. Once testing is complete, copy the definitions file from the \Program files\Sav folder on the test server to a folder with the same name on the primary management servers on your production network. Once the definitions files are on the primary management servers, they flow to other servers in the server group. Clients are configured to automatically retrieve definitions from their parent management servers if Update Virus Definitions From Parent Server in the Virus Definition Manager dialog box is checked.
204 Updating definitions Scenarios for definitions updates
Scenarios for definitions updates

The following scenarios show how administrators at two different companies perform updates:
At Company A, the administrator downloads the new virus and security risk definitions file from the Symantec FTP site or Symantec LiveUpdate server to a primary management server on the test network. He tests the definitions file. When testing is completed, he copies the definitions file to the master primary management server on his production network. He has configured other primary management servers so that they retrieve the update from the master primary management server. All of the other connected computers use the Virus Definition Transport Method. Secondary management servers retrieve the update from their primary management server. Clients retrieve the update from their parent management server. At Company B, the administrator downloads the virus and security risk definitions file from the Symantec FTP site or Symantec LiveUpdate server to a test network. She tests the definitions file. When testing is completed, she downloads the new definitions file from the Symantec FTP site or Symantec LiveUpdate server to the internal LiveUpdate server on her production network. Some low-risk users are allowed to go outside of the firewall. When LiveUpdate runs on their computers, the definitions file is downloaded directly from the Symantec FTP site or Symantec LiveUpdate server.
About scanning after updating definitions files

If Auto-Protect is enabled, Symantec AntiVirus begins scanning with the updated definitions files immediately. Once definitions files are updated, Symantec AntiVirus offers to attempt to repair files that are stored in Quarantine. See Scanning for viruses and security risks on page 109.
Chapter
Responding to virus outbreaks


Preparing for virus outbreaks Handling a virus outbreak on your network
Preparing for virus outbreaks

Responding to virus outbreaks requires preparing before an outbreak occurs, and having a strategy in place for handling an outbreak should one occur. In addition to installing Symantec AntiVirus on the servers and workstations in your network, preparing for a virus outbreak consists of the following tasks:
Creating and reviewing a virus outbreak plan. See Creating a virus outbreak plan on page 206. Defining Symantec AntiVirus actions for handling viruses. See Defining Symantec AntiVirus actions for handling suspicious files on page 208. A strategy for handling virus outbreaks includes the following:
Enable virus alerts and messages. See Using virus alerts and messages on page 211.
206 Responding to virus outbreaks Preparing for virus outbreaks
Run a virus sweep of your network. See Running a virus sweep on page 212. Track viruses using logs. See Tracking virus alerts using Event Logs and Histories on page 212. Use the Central Quarantine Console to track infected computers on your network, and submit suspicious file samples to Symantec Security Response for analysis and cure. See Tracking submissions to Symantec Security Response with Central Quarantine Console on page 213.
Creating a virus outbreak plan

An effective response to a virus outbreak on your network requires a plan that allows you to respond quickly and efficiently. You should create a virus outbreak plan and define actions for handling suspicious files. Table 6-1 outlines the tasks for creating a virus outbreak plan. Table 6-1 Task
Ensure that definitions files are current.
A model virus outbreak plan Description

Verify that infected computers have the latest definitions files, and use the Virus Definition Transport Method to push new definitions if needed. See Updating definitions files on servers on page 182.
Map your network topology.
Prepare a network topology map so that you can systematically isolate and clean computers by segment before you reconnect them to your local network. Your map should contain the following information:

Server names and addresses Client names and addresses Network protocols Shared resources
Responding to virus outbreaks Preparing for virus outbreaks
207
Table 6-1 Task
A model virus outbreak plan Description

In addition to understanding your network topology, you need to understand your implementation of Symantec AntiVirus as well as the implementation of any other security products that are used on your network. Consider the following questions:

Understand security solutions.
What security programs are protecting network servers and workstations? What is the schedule for updating definitions? What alternative methods of obtaining updates are available if the normal channels are under attack? What log files are available for tracking viruses on your network?
Have a backup plan.
In the event of a catastrophic virus infection, you may need to restore servers and clients to be sure that your network has not been compromised. Having a backup plan in place to restore critical computers is essential. Blended threats such as worms can travel via shared resources without user interaction. When you respond to an infection by a computer worm, it can be critical to isolate the infected computers by disconnecting them from the network. Symantec AntiVirus logs are a good source of information about viruses on your network. If you can identify a virus from the logs, you can use the Symantec Security Response Virus Encyclopedia to learn how to remove the virus. If you cannot identify a suspicious file as a virus by examining the logs, and the latest virus definitions files do not clean the file, go to http:// securityresponse.symantec.com and look at the Latest Virus Threats and Security Advisories areas for news.
Isolate the infected computers.
Identify the virus.
Respond to unknown viruses.
Defining Symantec AntiVirus actions for handling suspicious files

By default, Symantec AntiVirus performs the following actions when it identifies a file that it suspects is infected by a virus:

Symantec AntiVirus attempts to repair the file. If the file cannot be repaired with the current set of definitions files, the infected file is moved to the Quarantine on the local computer. In addition, the Symantec AntiVirus client makes a log entry of the risk event in its log. The Symantec AntiVirus client data is forwarded to a primary management server. You can view log data from the Symantec System Center console.
You can perform the following additional actions to complete your virus handling strategy:
Define different repair actions based on virus type. For example, you can have Symantec AntiVirus automatically fix macro viruses, but ask what action to take when a program file virus is detected. Assign a backup action for files that Symantec AntiVirus cannot repair, such as deleting the infected file. See About actions for viruses and security risks that scans detect on page 123. See Configuring actions for File System Auto-Protect on page 136. Receive virus alerts, such as a page or email message, if you are using AMS2. See About the Alert Management System on page 83. Configure the local Quarantine to forward infected files to the Central Quarantine. You can configure the Central Quarantine to attempt a repair based on its set of virus definitions (which may be more up-to-date than the definitions on the local computer), or automatically forward samples of infected files to Symantec Security Response for analysis. For more information, see the Symantec Central Quarantine Administrators Guide.
Purging suspicious files from local Quarantine folders automatically

When Symantec AntiVirus scans a suspicious file, it places the file in the local Quarantine folder on the infected computer. The Quarantine purge feature automatically deletes files in the Quarantine that exceed a specified age. Registry settings for Quarantine purge are located in the \HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\ CurrentVersion\Quarantine registry key.
Responding to virus outbreaks Preparing for virus outbreaks
209
Table 6-2 lists the possible Quarantine purge settings. Table 6-2 Subkey name
QuarantinePurgeEnabled QuarantinePurgeAgeLimit
Quarantine purge settings Data value

0/1 n
Description
Disables/enables purge Specifies the maximum number of days to keep a file in the Quarantine directory Sets the frequency value for purging: 0=Days, 1=Months, 2=Years Disables/enables purging backup files Specifies the maximum number of days to keep a backup file in Quarantine Sets the frequency value for purging backup files: 0=Days, 1=Months, 2=Years Disables/enables purging repaired files Specifies the maximum number of days to keep a repaired item in Quarantine Sets the frequency value for purging repaired files: 0=Days, 1=Months, 2=Years
QuarantinePurgeFrequency
BackupItemPurgeEnabled BackupItemPurgeAgeLimit
0/1 n
BackupItemPurgeFrequency
RepairedItemPurgeEnabled RepairedItemPurgeAgeLimit
0/1 n
RepairedItemPurgeFrequency
Forwarding items to the Quarantine Server

You can enable items in Quarantine on a client or server to be forwarded to the Quarantine Server. You can also apply these settings to the selected clients that are not members of client groups. These clients appear under the selected server or server group. To enable forwarding items to the Quarantine Server 1 2 3 4 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Quarantine Options. In the Quarantine Options dialog box, check Enable Quarantine or Scan and Deliver. Type the name of the Quarantine Server or click the network icon to browse, and then select a server in the network. Type the port number to use, select the number of seconds to retry connecting, and then select the protocol to use.
5 6
Click Apply settings to clients not in Groups. Click OK.
Enabling scan and deliver

You can enable Symantec AntiVirus to allow users to submit infected or suspicious files and likely related side effects to Symantec Security Response for further analysis. Submitting items allows Symantec to better refine its detection and repair. Files submitted to Symantec Security Response become the property of Symantec Corporation. In some cases, files may be shared with the antivirus community. When this occurs, Symantec uses industry-standard encryption and may anonymize data to help protect the integrity of the content and your privacy. In some cases, Symantec might reject a file for some reason, for example, because the file does not seem to be infected. If you have reason to believe that there is a problem with the file, you can resubmit one such file per day. Enable the resubmission of files if you want users to be able to resubmit selected files. You can apply these same settings to the selected clients that are not members of client groups. These clients appear under the selected server or server group. To enable scan and deliver 1 2 3 4 5 6 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Quarantine Options. In the Quarantine Options dialog box, check Enable Quarantine or Scan and Deliver. Click Allow submissions via scan and deliver. Click Allow files to be resubmitted to Symantec Security Response. Click Apply settings to clients not in Groups, if appropriate. Click OK.
Configuring actions to take when new definitions arrive

You can configure the actions that you want to take on servers and client computers when new definitions arrive on the computer. You can apply these same settings to the selected clients that are not members of client groups. These clients appear under the selected server or server group.
Responding to virus outbreaks Handling a virus outbreak on your network
211
To configure actions for new definitions 1 2 Right-click a server, server group, or client group, and then click All Tasks > Symantec AntiVirus > Quarantine Options. Under When new virus definitions arrive, select one of the following actions:

Automatically repair and restore silently Repair silently without restoring Prompt user Do nothing
3 4
Click Apply settings to clients not in Groups, if appropriate. Click OK.
Handling a virus outbreak on your network

Symantec AntiVirus provides the following tools for handling a virus outbreak on your network:
Alerts Virus sweep Sends AMS2 and built-in alerts Forces a virus scan at the system hierarchy, server group, or individual server level Tracks viruses and Central Quarantine submissions at the server group, individual server, or client level Tracks submissions to Symantec Security Response
Event Logs and Histories
Central Quarantine Console
Using virus alerts and messages

You can use alerts and messages to learn about suspicious files that Symantec AntiVirus discovers on your network. Symantec AntiVirus offers the following notification mechanisms:
AMS2: If configured, Symantec AntiVirus clients can send risk events to an AMS2 server. You can configure AMS2 servers to send alerts to a pager, email address, and other notification mechanisms. See About the Alert Management System on page 83. Custom messages: From the Symantec System Center console, you can have a custom message appear on Symantec AntiVirus clients when they encounter a suspicious file. See Customizing and displaying warnings on infected computers on page 174.
212 Responding to virus outbreaks Handling a virus outbreak on your network
Running a virus sweep

If you discover several suspicious files, you might not know if the problem is on the computer or server on which the suspicious files were detected, or if the problem has spread to other areas of the network. You might want to begin a virus sweep using the Symantec System Center. The number of computers that you scan depends on how you start the sweep. If a Symantec AntiVirus client is not accessible during a virus sweep, it scans the computer as soon as it is turned on. The computer does not have to log on to the network. Depending on the object that you select in the Symantec System Center console, you can run a virus sweep on your entire network, a server group, or an individual server. A virus sweep scans for viruses and security risks. Warning: A virus sweep can create considerable network traffic, the amount and duration of which depend on the size of your network. Once you start a virus sweep it must complete; you cannot stop it. To run a virus sweep 1 In the Symantec System Center console, right-click the network, a server group, or a server, and then click All Tasks > Symantec AntiVirus > Start Virus Sweep. In the Name box, type a name for the sweep. If appropriate, click Options and set Scan Options, Advanced Scan Options, Actions, Throttling, and Notifications Options. The same configuration options are available for running a virus sweep as are available for manual scans. See Configuring manual scans on page 154. Click Start.
2 3
Tracking virus alerts using Event Logs and Histories

You can track Risk Found alerts from the Symantec System Center console. By default, Risk Found alerts appear for three days. You can change the number of days for which Risk Found alerts appear.
Responding to virus outbreaks Handling a virus outbreak on your network
213
Tracking submissions to Symantec Security Response with Central Quarantine Console

The Symantec System Center logs an event when a Symantec AntiVirus client submits a suspicious file to Symantec Security Response. In addition to the logged event, you can track the Auto-Protect status of submissions to Symantec Security Response from the Central Quarantine Console. For information on using the Central Quarantine Console, see the Symantec Central Quarantine Administrators Guide.
214 Responding to virus outbreaks Handling a virus outbreak on your network
Chapter
Managing roaming clients


About roaming clients Roaming client components How roaming works Implementing roaming Command-line options Registry values
About roaming clients

A roaming client can do the following:
Automatically identify its best parent management server, based on speed and proximity, and become a managed client of that parent management server. For example, when a mobile user who is based in New York travels to California, the roaming client detects the new network address and reassigns the users laptop to the best parent management server. Connect to the nearest appropriate parent management server whenever its network address changes. Connect to a different parent management server if the current parent management server becomes unavailable. Periodically recheck for the nearest parent management server to adjust for changes in servers and server load. Attempt to balance the load among a pool of equivalent servers when selecting a parent management server.
216 Managing roaming clients Roaming client components
Automatically identify the best parent management server when the client connects to the network (for unmanaged clients that are converted to managed clients). For example, a corporation may have a distribution center for new computers. Administrators enable roaming on the computers before they are sent to branch offices. This entails specifying all of the possible roam servers for the new computers. When end users connect the new computers to the network, Symantec AntiVirus automatically assigns the best parent management server.
Roaming client components

Table 7-1 lists roaming client components. Table 7-1 Component Roaming client components Description
List of level 0 servers Lists the level 0 of servers that are available as possible roam servers for a specific roaming client. Roaming clients store this data in their registries. See Analyzing and mapping your Symantec AntiVirus network on page 218. See Creating a list of level 0 Symantec AntiVirus servers on page 219. Hierarchical list of servers Lists all roam servers, grouped by hierarchical level. Roaming servers store this data in their registries. See Analyzing and mapping your Symantec AntiVirus network on page 218. See Creating a hierarchical list of Symantec AntiVirus servers on page 220. Roamadmn.exe Sets up Symantec AntiVirus servers for roaming access. See Configuring additional roaming client support for roam servers on page 223. SavRoam.exe Provides roam server data to roaming clients. See Configuring roaming client support options from the Symantec System Center console on page 220.
Managing roaming clients How roaming works
217
How roaming works

Roaming client support employs the following types of lists:

One or more lists of level 0 servers A hierarchical list of the servers that you want to support roaming clients
Roaming clients store the level 0 list in their registries, and use it to identify the servers to which they should attempt to connect. To implement roaming on your network, start by preparing one or more lists of level 0 servers, and the hierarchical list of servers. After you roll out this data, roaming clients work in the following manner:
SavRoam.exe launches on the Symantec AntiVirus client during startup, and selects the best Symantec AntiVirus server, based on registry values and server feedback. The selected server provides the client with a list of servers at the next level in the network hierarchy. SavRoam loops through the network hierarchy until no lower level exists. The final server becomes the clients new parent management server, and immediately pushes a full configuration to the roaming client. SavRoam runs the following checks at regular intervals:
Checks for the availability and response time of its parent management server. If its parent management server is unavailable or another parent management server can provide better performance, SavRoam connects the client with a new best parent management server on the network. Checks for the computers network address. If the address has changed, it connects to the new best parent management server. If the client was previously assigned to a different parent management server, SavRoam attempts to delete itself from the old parent after it checks in with the new parent.
Implementing roaming
To implement roaming, you must complete the following tasks:

Analyze and map your Symantec AntiVirus network. Identify servers in each region that point roaming clients to the next level of roam servers. Create a list of level 0 servers for roaming clients.
218 Managing roaming clients Implementing roaming
Create a hierarchical list of all roam servers, layered hierarchically. Configure roaming client support for roaming clients and servers from the Symantec System Center console. Configure additional roaming client options for roaming clients in the registry. This task is optional. Configure additional roaming client options for roam servers in the registry. This task is optional.
Analyzing and mapping your Symantec AntiVirus network

While you may have many servers in your network, you may want to identify only some of them as roam servers. Creating a hierarchical map of your network lets you quickly identify roam servers for your network. Figure 7-1 illustrates a map of an enterprise network that spans three continents. While this organization has more Symantec AntiVirus servers than appear in the map, only the mapped servers are identified as regional pointer servers. Figure 7-1 Sample enterprise map
USAEastSvr USASvr USAWestSvr
Level 0
EuropeSvr EUROEastSvr
JapanSvr AsiaSvr KoreaSvr
Level 1
EUROWestSvr
Managing roaming clients Implementing roaming
219
Identifying servers for each hierarchical level

To identify servers for each hierarchical level, you must analyze the needs of your roaming users. For example, you may need to identify mobile users based on whether they travel internationally, throughout the country, or within a smaller geographic area. If a user travels internationally, his server list could contain the names of the main country servers as its level 0 entry and the level 0 servers would contain the list of level 1 servers. If a user travels within one country only, his server list would need to contain only the level 1 servers as its level 0 entry. No additional levels are needed in the hierarchy. Depending on network speeds, the server list could contain only the top level servers (level 0 in Figure 7-1). This simplifies building the clients server list. The only limit to the number of levels that you can define is the text file size limit of 512 characters for each file entry.
Creating a list of level 0 Symantec AntiVirus servers

You can create the clients server list text file using a text editor such as Notepad. The server list text file must contain lines in the following format: <local><type of server><level><server list> where:
<local> indicates to the client that this is the level 0 of servers that the client should attempt to contact when searching for a roam server. <type of server> is the server type, such as parent server. <level> is 0. <server list> is the list of servers, which are separated by commas. (Spaces between the commas are optional.)
For example, the clients server list text file that corresponds to Figure 7-1 is as follows: <local> Parent 0 USASvr,EuropeSvr,AsiaSvr This is the only line in the server list for the roaming clients in this example. The list tells the clients to contact and compare response time from these three servers only. Depending on which server is best, the client continues its search down the list into one of the three continents.
Creating a hierarchical list of Symantec AntiVirus servers

You can create the hierarchical list using a text editor such as Notepad. It must contain lines in the following format: <computer> <type of server> <level> <server list> where:

<computer> is the host name of the server. <type of server> is the server type such as parent server. <level> is the level that is specified in the server list text file. <server list> is the list of servers, which are separated by commas. (Spaces between the commas are optional.)
For example, in the enterprise map in Figure 7-1, the USA branch would have the following server list: USASvr Parent 1 USAWestSvr,USAEastSvr
Configuring roaming client support options from the Symantec System Center console
You can configure roaming client support options from the Symantec System Center console. You can configure options at the following levels:

Server group Client group Server Client
Once you set the options, Symantec AntiVirus pushes them to the Symantec AntiVirus clients based on the selected level. To configure roaming client support options from the Symantec System Center console 1 In the Symantec System Center console, right-click the server group, Symantec AntiVirus servers, client group, or Symantec AntiVirus clients that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Roaming Options.
221
If you select a server group, the Symantec System Center will configure all of the clients that are in the server group. If you select a client group, the Symantec System Center will configure all of the clients that are in the client group.
In the Client Roaming Options dialog box, do the following:
Enable roaming on clients on which the Symantec AntiVirus roam service is installed. Set the number of minutes that a client waits before it validates that its parent management server is available. The default setting is 120 minutes. Set the number of minutes that a client waits before it checks for a closer parent management server. The default setting is 60 minutes. Set the number of times that a client checks each server to determine the average number of seconds required to contact it. The client then uses this sampling to determine how close a server is to the client. The default setting is 7 times. Set the number of seconds that a client that cannot find a new parent management server waits before retrying to connect to a new parent management server. The default setting is 30 seconds.
Under Use These Servers, select one of the following:

Roaming Failover You can set up level 0 parent management servers. You can set up a fault tolerance system by specifying backup servers to handle clients when roam servers are unavailable. A roaming client checks the response time for the first server in the list that answers. If the first backup server fails, the roaming clients that it manages migrate to the next available backup server in the list when they check their parent management server availability. Backup servers do not load balance. If you have multiple servers and want to distribute roaming clients among them, you can load balance by treating roam servers as equals regardless of how long it takes clients to contact them. A roaming client will contact each server in the list. Roaming servers keep a count of the Symantec AntiVirus clients that they manage, and return this value to the roaming client. The roaming client selects the server with the fewest clients. This server becomes the roaming clients new parent management server. Load balancing has a higher priority than finding the closest parent.
Loadbalance
To specify load balancing among servers, use an equal sign (=) between the servers. For example: MiamiSvr=AtlantaSvr=RichmondSvr To specify failover servers, Use a greater than symbol (>) in the hierarchical list of servers. For example: MiamiSvr>AtlantaSvr>RichmondSvr Click OK.
Configuring additional roaming client support for roaming clients

Configuring additional roaming client support for roaming clients consists of the following tasks:

Configuring roaming on each roaming client Adding level 0 server data to the registry of each roaming client
223
Configuring additional roaming on each roaming client

You can configure additional roaming on Symantec AntiVirus clients by setting the required values in a configurations file (Grc.dat), or by directly editing each roaming clients registry. The registry value RoamManagingParentLevel0 lists the parent management servers that roaming checks for proximity. Type this registry value under the following key: HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\ CurrentVersion\ProductControl
Configuring additional roaming client support for roam servers

To configure a Symantec AntiVirus server for additional roaming options, you must complete the following tasks:
Optionally configure additional load balancing, failover, and alternate Symantec AntiVirus servers. For legacy servers, roll out the hierarchical list of servers to each roam server using RoamAdmn.exe, which is located on Disk 1 in the Tools folder. See Configuring roaming client support options from the Symantec System Center console on page 220.
Rolling out the hierarchical list of servers

When you run RoamAdmn, it communicates with each server named at the beginning of each line in the hierarchical list of servers. On each server, RoamAdmn adds a registry value that contains the servers at the next level down in the hierarchy. If the server cannot be reached, that server is bypassed. For legacy servers, you must roll out the hierarchical list of servers. To roll out the hierarchical list of servers 1 2 Copy RoamAdmn to the computer from which you want to work while rolling out the hierarchical list of servers to the roaming servers. At the command prompt, type the following:
RoamAdmn /import <serverlist.txt>
where <serverlist.txt> is the name of the hierarchical server list that you created.
224 Managing roaming clients Command-line options
Roaming server example

A corporation has a computer from which all roam servers are visible. The Serverlist.txt file includes the following lines: USASvr Parent 1 USAWestSvr,USAEastSvr EuropeSvr Parent 1 EUROEastSvr,EUROWestSvr AsiaSvr Parent 1 JapanSvr,KoreaSvr Table 7-2 describes the ServerList.txt data as it appears in each roam servers registry. Table 7-2 Server name
USASvr EuropeSvr AsiaSvr
Sample registry values Registry value

RoamManagingParentLevel1 RoamManagingParentLevel1 RoamManagingParentLevel1
Data
USAWestSvr,USAEastSvr EUROEastSvr,EUROWestSvr JapanSvr,KoreaSvr
Command-line options
Table 7-3 describes the command-line options that can be used with SavRoam.exe and RoamAdmn.exe. You must have local Administrator rights to use command-line options. Table 7-3 Option
/h
Command-line options Description

Displays a list of the options with descriptions of their usages. Sets up client or server registry keys. When you use RoamAdmn.exe, you can import the server list to remote servers. When you use SavRoam.exe, you can import the server list to the registry of the local computer. <server list> is the text file that contains the list of potential parent management servers.
/import <server list>
Managing roaming clients Command-line options
225
Table 7-3 Option

/export > <file>
Command-line options Description

Reports all of the roam servers that the client can find at all levels. <file> is the name of the file to which the information is written. You can use the file that is created with the export command as the server list for import.
/install <path> <new service name> <new exe name>
Registers and starts the roaming client service. The service runs until the computer is turned off. <path> is the path to the folder in which you want to copy SavRoam.exe. <new service name> is SavRoam.exe. <new exe name> is SavRoam.exe.
/remove <new service name> /nearest
Stops and removes SavRoam.exe.
Finds and sets the nearest appropriate parent for the parent server. Verifies that the parent management server is running. Disconnects the client from the parent management server. Provides the average amount of time that it takes to contact each specified server. <elapsed-time-in-seconds> is the number of seconds to allow the process to run. <delta-time-in-milliseconds> is how often to contact the server in milliseconds. For example, 10,000 would cause the client to contact the server every ten seconds. <servers> is the list of servers to be contacted. Separate server names with commas. Do not include spaces between server names or commas.
/check_parent /shutdown /time-network <elapsedtime-in-seconds> <deltatime-in-milliseconds> <servers>
226 Managing roaming clients Registry values
Registry values
You can edit the roaming registry values using a registry editor such as Regedit or Regedt32. The agent behavior is controlled by the registry keys under the following path: HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\ CurrentVersion\ProductControl Table 7-4 describes the registry values for roaming clients. Table 7-4 Registry value
CheckForNewParentIntervalInSeconds
Registry values for roaming clients Description

Checks periodically to see if the network is up if a computer cannot find the nearest parent when it first starts. The interval is set by this registry key. The default value is 30 seconds. Determines how often a computer checks to see if its parent is available. If the parent is not available, it tries to find a new parent. The default value is 120 minutes. Instructs the agent to make this computer a child of the nearest parent. The default value is 0. Set this value to 1 if you want the computer to become a child of the nearest parent.
CheckParentIntervalInMinutes
RoamClient
Chapter
Working with Histories and Event Logs


About Histories and Event Logs Working with Histories Forwarding client and server logs Deleting Histories and Event Logs
About Histories and Event Logs

Histories and Event Logs offer a central view of virus, security risk, and scanning activity on your network. Using the Symantec System Center, you can do the following:
View data at the server group, server, or individual managed workstation level. In addition, each Symantec AntiVirus client stores its own Event Log data locally. The data is viewable from the Symantec AntiVirus client user interface. Sort and filter History and Event Log data. Perform actions that are based on History and Event Log data. For example, if a Risk History displays a found virus, you can perform actions such as repairing the infected file or moving it to the Central Quarantine. Export data to Microsoft Access (as an .mdb file) or in comma-separated value (.csv) format. Remove History and Event Log data.
228 Working with Histories and Event Logs About Histories and Event Logs
Table 8-1 describes the Histories and Event Logs that Symantec AntiVirus provides. Table 8-1 Name
Event Log
History and Event Log types Available for

Description
Provides the following information:

Server groups Individual servers Individual clients
Symantec AntiVirus startups and shutdowns Scans that were started, stopped, or aborted Configuration changes User name and domain that authenticated the user Virus and security risk definitions updates Viruses and security risks that were found and repaired Items that were forwarded to the Central Quarantine Items that were forwarded to Symantec Security Response
Scan History
Provides information about scans that have run or are running on Symantec AntiVirus clients at the server group, server, or individual workstation level. Specify a time range to filter the view. For example, you might want to view only those scans that ran within the last seven days. Lists all viruses and security risks that were detected for selected computers or server groups. You can select a virus or security risk item in the list and perform additional actions, such as Delete or Move To Quarantine. Risk History shows many details about each virus and security risk that was detected, including the following:

Risk History
The name and location of the infected files The name of the infected computer The first and second actions that were configured for the detected virus or security risk The action that was taken on the virus or security risk User name and domain that authenticated the user
You can click on the link in the security risk item to access detailed information about it at the Symantec Security Response Web site. Since security risks often involve many types of objects and files, this log contains a summary line for security risks. You can view more details by looking at the Risk properties. See Viewing Risk properties on page 239. Tamper History Provides information about the attempts to tamper with Symantec applications that Tamper Protection thwarted for servers and clients. Tamper History shows details about each attack, including the name of the user and the domain that authenticated the user. Server groups Individual servers Individual clients
Working with Histories and Event Logs About Histories and Event Logs
229
Table 8-1 Name

Virus Sweep History
History and Event Log types Available for

Description
Includes information about previous virus sweeps for servers or server groups.
Server groups Individual servers
Note: When a Symantec AntiVirus parent management server receives client Event Logs from different time zones, the server adjusts the client time stamps to correspond to the Symantec AntiVirus server's local time.
Sorting and filtering History and Event Log data

When you view the Event Log, Scan History, Risk History, Tamper History, or Virus Sweep History, you can filter items in the following ways:

Today Past 7 days This month All items A selected range of days
You can also filter event types by selecting just the events that you want to view.
Sort and filter History and Event Log data

When you view Histories and Event logs, you can sort the data in any column. You can filter History and Event Log data by date. You can also filter by event type for the Event Log. To sort the data
Click the column header. The ascending sort icon appears within a column header the first time that you click it. The descending sort icon appears the next time that you click the column header.
To filter History and Event Log data by date 1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Logs, and then select one of the following:

Event Log Scan History Risk History Tamper History Virus Sweep History Today Past 7 Days This Month All Items Selected Range If you select Selected Range, select start and end dates, and then click OK.
In the list, select one of the following:

To filter Event Log data by event type 1 2 3 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Logs > Event Log. In the Event Log dialog box, click the filter icon. In the Filter Event Log dialog box, select the events that you want to display:

Configuration change Symantec AntiVirus startup and shutdown Virus definition file Scan omissions Forward to the Quarantine Server Deliver to Symantec Security Response Auto-Protect load/unload Licensing Client management and roaming Log Forwarding Unauthorized communication (access denied) warnings Login and certificate management
Working with Histories and Event Logs About Histories and Event Logs
231
Click OK.
Understanding Event Log icons

In the Event Log window, icons display information about any viruses or security risks that were found, and allow you to perform actions such as saving the data as a .csv file. Table 8-2 describes Event Log icons. Table 8-2 Icon Event Log icons Description
Get information about an event. An error occurred in association with this event. Close the Event Log window. View item properties. Save the data shown in the Event Log window as a comma-separated value (.csv) file or as a Microsoft Access database (.mdb) file. Filter the Event Log by the following categories:

Configuration change Symantec AntiVirus startup/shutdown Definitions file Scan Omissions Forward to Quarantine Deliver to Symantec Security Response Auto-Protect load/unload Licensing Client management and roaming Log Forwarding Unauthorized communication (access denied) warnings Login and certificate management
Display Help for the Event Log.
Viewing Histories
Table 8-3 describes the Histories that you can view in the Symantec System Center console. Table 8-3 History
Scan History (current and scheduled)
Histories Description

At the server group level, displays all of the scans for that server group At the server level, displays all of the virus sweeps for clients that are managed by that server At the client level, displays all of the virus sweeps for that client At the server group level, displays all of the viruses and security risks that were found in that server group At the server level, displays all of the viruses and security risks that were found for clients that are managed by that server At the client level, displays all of the viruses and security risks that were found for the client At the server group level, displays all of the attempts to tamper with Symantec processes for that server group At the server level, displays all of the attempts to tamper with Symantec processes for clients that are managed by that server At the client level, displays all of the attempts to tamper with Symantec processes on that client At the server group and server level, displays all of the virus sweeps for all servers in a server group or a server
Risk History
Tamper History
Virus Sweep History
View Histories
You can view Scan Histories, Risk Histories, Tamper Histories, and Virus Sweep Histories. To view a Scan History
In the Symantec System Center console, right-click a server group, server, or client, and then click All Tasks > Symantec AntiVirus > Logs > Scan History.
Working with Histories and Event Logs Working with Histories
233
To view a Risk History
In the Symantec System Center console, right-click a server, server group, or client, and then click All Tasks > Symantec AntiVirus > Logs > Risk History.
To view a Tamper History
In the Symantec System Center console, right-click a server, server group, or client, and then click All Tasks > Symantec AntiVirus > Logs > Tamper History.
To view a Virus Sweep History 1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Logs > Virus Sweep History. In the Virus Sweep History dialog box, click View Results to examine the results of previous sweeps.
Working with Histories

You can view history information and save the history data as a .csv or .mdb file. You can perform additional actions in the Scan History and the Risk History.
Working with Scan Histories

In the Scan History window, icons display information about any viruses or security risks that were found. You can also perform certain actions on viruses and security risks in the Scan History. See Table 8-5, Scan History actions, on page 234. Note: You cannot perform actions on email data. You can perform only limited actions on compressed files.
234 Working with Histories and Event Logs Working with Histories
Table 8-4 describes the Scan History icons. Table 8-4 Icon Scan History icons Description
The file is infected. The file is not infected. The file was never infected, or it has been cleaned. See the action taken on the file for more information. Close the Scan History window. Display item properties. Save the data that is shown in the Scan History as a comma-separated value (.csv) file or as a Microsoft Access database file (.mdb). Display Help for the Scan History.
Table 8-5 describes the actions available in the Scan History window. Table 8-5 Action
Undo Action Taken
Scan History actions Description

Symantec AntiVirus can undo the last action that was taken on a file. This includes returning a file to its original location and state. Symantec AntiVirus cannot restore a file or a risk item that has been permanently deleted. You cannot undo actions on compressed files. Symantec AntiVirus definitions files are frequently updated. A file that you could not clean previously might be able to be cleaned when the definitions file is updated. You cannot perform this action on compressed files or items that are affected by security risks.
Clean (viruses only)
Delete Permanently
You can permanently delete an infected file (including a compressed file) that is stored in the Quarantine or Scan History. Permanently deleted items cannot be recovered. Note: For security risks, use this action with caution, because in some cases, deleting security risks can cause applications to lose functionality.
235
Table 8-5 Action
Scan History actions Description

If you determine that Symantec AntiVirus has left a file that is infected by a virus alone, you should move the file to the Quarantine so that the virus cannot spread. You can move compressed files and files that are affected by a security risk to the Quarantine. Security risks that are moved to the Quarantine are no longer active on your computer. You can export information about a specific Scan History or Event Log item as a comma-separated value (.csv) file or as a Microsoft Access database (.mdb) file. You can view additional information about a specific Scan History or Event Log item.
Move To Quarantine
Export
Properties
Work with Scan Histories

In a Scan History, you can undo the last action that was taken on a file or risk, clean a file (viruses only), delete it permanently, or move the file to the Central Quarantine. You can also export Scan History data. To undo the last action that was taken 1 2 3 Double-click the entry. In the new dialog box that opens, right-click the file, and then click Undo Action Taken. In the Take Action dialog box, click Start Undo.
To clean an infected file 1 2 3 Double-click the entry. In the new dialog box that opens, right-click a file, and then click Clean. In the Take Action dialog box, click Start Clean.
To delete an infected file permanently 1 2 3 Double-click the entry. In the new dialog box that opens, right-click a file, and then click Delete Permanently. In the Take Action dialog box, click Start Delete. Permanently deleted files cannot be recovered.
To move a file to the Central Quarantine 1 2 3 Double-click the entry. In the new dialog box that opens, right-click a file, and then click Move To Quarantine. In the Take Action dialog box, click Quarantine.
To export the Scan History data 1 2 3 Double-click the entry. Right-click the file, and then click Export. In the Save as type list, select one of the following:

CSV (Comma Delimited) (*.csv) Access Database (*.mdb)
4 5
In the File name box, type a file name. Click OK.
Working with Risk Histories

In the Risk History window, icons display information about the viruses and security risks that were found. You can also perform certain actions on viruses and security risks in the Risk History.
237
Note: You cannot perform actions on email data. You can perform only limited actions on compressed files. Table 8-6 describes the Risk History icons. Table 8-6 Icon Risk History icons Description
This file has been infected with a virus or security risk. This file is not infected by a virus. The file was never infected, or it has been cleaned. See the action that was taken on the file for more information. An error occurred in association with this file. Close the Risk History window.
Table 8-7 describes the actions that are available in the Risk History window. Table 8-7 Action
Undo Action Taken
Risk History actions Description

Symantec AntiVirus can undo the last action that was taken on a file or risk. This includes returning a file to its original location and state. Symantec AntiVirus cannot restore a file that has been permanently deleted. You cannot undo actions on compressed files. Symantec AntiVirus definitions files are frequently updated. A file that you could not clean yesterday or a few weeks ago might be able to be cleaned when the definitions file is updated. You cannot perform this action on compressed files or security risks. You can permanently delete any infected file (including a compressed file) that is stored in the Quarantine or Risk History. Permanently deleted files cannot be recovered. Note: For security risks, use this action with caution, because in some cases, deleting security risks can cause applications to lose functionality.
Clean (viruses only)
Delete Permanently
Table 8-7 Action
Risk History actions Description

If you determine that Symantec AntiVirus has left an infected file alone, you should move the file to the Quarantine, so that the virus is unable to spread. You can move compressed files and files that are affected by a security risk to the Quarantine. Security risks that are moved to the Quarantine are no longer active on your computer. You can export information about a specific Risk History or Event Log item as a comma-separated value (.csv) file or as a Microsoft Access database (.mdb) file. You can view additional information about a specific Risk History item.
Move To Quarantine
Export
Properties
Work with Risk Histories

You can undo the last action that was taken on a risk, clean a file (viruses only), delete it permanently, or move a file to the Central Quarantine. For security risks, you can access a Symantec Security Response Web page for more information about the security risk. You can also export the Risk History data. To undo the last action that was taken 1 2 Right-click a file, and then click Undo Action Taken. In the Take Action dialog box, click Start Undo.
To clean a virus-infected file 1 2 Right-click a file, and then click Clean. In the Take Action dialog box, click Start Clean.
To delete a file permanently 1 2 Right-click the file, and then click Delete Permanently. In the Take Action dialog box, click Start Delete. Permanently deleted files cannot be recovered.
To move a file to the Central Quarantine 1 2 Right-click the file, and then click Move To Quarantine. In the Take Action dialog box, click Quarantine.
239
To see more information about a security risk 1 2 Double-click the entry to view its properties. Click the link in the entry to view a Symantec Security Response Web page, which describes the security risk in detail and provides information about removal.
To export Risk History data 1 2 Right-click the file, and then click Export. In the Save as type list, select one of the following:

3 4
Viewing Risk properties

The Risk properties dialog box displays more information about a particular threat or security risk. Risk properties include all the actions that are taken to repair or remove a risk. Table 8-8 lists the Risk properties icons. Table 8-8 Icon Risk properties icons Description
Represents a file infected by a virus. Represents a file or a COM object. Represents a registry object. Represents a process. Represents a batch file. Represents a .ini file. Represents a service.
To view Risk properties 1 2 Right-click a computer. Click All Tasks > Symantec AntiVirus > Logs > Risk History.
In the Risk History dialog box, right-click a risk entry, and then click Properties.
Working with Tamper Histories

The Tamper History window displays information about the tampering problems that were found. You can view this information and save the data as a .csv or .mdb file. Table 8-9 describes the Tamper History icon. Table 8-9 Icon Tamper History icon Description
Represents an attempt to tamper with a Symantec application.
Working with Histories and Event Logs Forwarding client and server logs
241
To export the Tamper History data 1 2 Right-click the file, and then click Export. In the Save as type list, select one of the following:

3 4
Working with Virus Sweep Histories

In the Virus Sweep History window, you can view and delete the results of previous virus sweeps, and start a new virus sweep. Note: Virus sweeps also scan for security risks. To run a virus sweep from the Virus Sweep History 1 2 3 Click New Sweep. In the Name box, type a name for the sweep. If appropriate, click Options and set configuration options. The same configuration options are available for running a virus sweep as for running a manual scan. See Configuring manual scans on page 154. To find viruses and security risks more quickly, select the options under Scan Enhancements. Click Start.
4 5
Forwarding client and server logs

Symantec AntiVirus managed clients forward log data to their parent management servers. On managed clients, log forwarding runs continually. On sometimes-managed clients, log data accumulates in between connections to their parent management servers. Symantec AntiVirus monitors and provides fault tolerant forwarding of the client logs. The client logs are located in the following directory: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus\7.5\Logs
242 Working with Histories and Event Logs Forwarding client and server logs
Symantec AntiVirus tracks a client log throughout the forwarding process and handles delivery failures by resending the log when necessary. You can configure events to forward from a client to its parent management server, or from a secondary management server to its primary management server.
Configuring log forwarding options

You can configure log forwarding options by editing the client log forwarding registry values. You can reset values to achieve a balance between the log delivery speed and network performance. You can also set the amount of data that Symantec AntiVirus forwards from clients. Log forwarding behavior is controlled by the values in the HKLM\SOFTWARE\ INTEL\LANDesk\VirusProtect6\CurrentVersion\Common\ForwardEvents registry key. Table 8-10 describes the registry values for client log forwarding. Table 8-10 Subkey name
Interval
Client log forwarding registry key values Data value

n
Description
Number of seconds between log record processing intervals. There is no minimum or maximum number. The number of records to process in each polling interval. There is no minimum or maximum number. The default is 10 records.
Count
Configuring log events to forward

You can configure the events that you want Symantec AntiVirus to forward. Table 8-11 lists the client and server events in the order in which they appear in the Log Event Forwarding dialog box. Table 8-11 Event name
Scan stopped Scan started
Client and server events Forwarding required Forwarded by default
243
Table 8-11 Event name
Virus definition update information Virus infections File not scanned New virus defs applied Configuration change Service shutdown Service startup Virus definitions downloaded from parent File forwarded to Quarantine Server File forwarded to Symantec File backed-up/restored to/from Quarantine Scan aborted Error loading services Services loaded Services unloaded Client removed from parent server Scan delayed Scan restarted Client roamed to new parent server
Client roamed from parent server License in warning period License expired, invalid or does not exist License in grace period Unauthorized communication Log forwarding error License installed License valid Virus definition rollback Client running without virus definitions Tamper protection alert Login failed Login succeeded Unauthorized communication (with certificate info) AntiVirus client installed Client uninstalled Client uninstall rolled-back Primary Server created (root certificate created) Server added to Server Group (certificates issued)
245
Trusted root certificate added or removed Server startup failed due to certificate problem Client successfully checked in with its parent Client has failed to check in with its parent server
Configure log events to forward

You can configure the events that are forwarded from a client to its parent management server, or from a secondary management server to its primary management server. Note: If you change primary management servers, the log from the former primary management server is not forwarded to the new primary management server. To configure events to forward from clients to their parent management servers 1 In the Symantec System Center console, right-click a server, server group, or client, and then click All Tasks > Symantec AntiVirus > Logs > Client Log Forwarding. In the Log Event Forwarding dialog box, for quicker configuration, you can display only certain items in the list by selecting one of the following preconfigured options from the drop-down list:

All events (default) Scanning and infection events Virus definition events Management and configuration events Startup and shutdown events Licensing events Security related events
3 4
Check the events that you want the clients to forward to their parent management servers. Click OK.
To configure events to forward from secondary management servers to their primary management servers 1 In the Symantec System Center console, right-click a server or server group, and then click All Tasks > Symantec AntiVirus > Logs > Server Log Forwarding. In the Log Event Forwarding dialog box, for quicker configuration, you can display only certain items in the list by selecting one of the following preconfigured options from the drop-down list:

All events (default) Scanning and infection events Virus definition events Management and configuration events Startup and shutdown events Licensing events Security related events
3 4
Check the events that you want the secondary management servers to forward to their primary management server. Click OK.
Best practice: Configuring events to forward for sometimes-managed clients

For sometimes-managed clients, as a best practice, you can create a separate client group. See Creating client groups on page 74. After you create the client group for sometimes-managed clients, you can set log forwarding Windows registry values to do the following:

Forward the Virus definitions update information event only. Poll at a high interval. Count at a low value.
See Table 8-10, Client log forwarding registry key values, on page 242.
Working with Histories and Event Logs Deleting Histories and Event Logs
247
Reviewing the forwarding status file

You can verify that a client log was forwarded and received by reviewing the default status log. To verify that a client log was forwarded and received 1 Open the following folder: C:\Documents and Settings\All Users\Application Data\Symantec\ Symantec AntiVirus\7.5\Logs Use a text editor to open Fwdstatus.log.
Deleting Histories and Event Logs

You can configure Symantec AntiVirus to automatically remove data that is older than a specified date from the Scan, Risk, Virus Sweep, and Tamper Histories, and from the Event Logs. To set the delete frequency 1 In the Symantec System Center console, right-click a server, server group, or client, and then click All Tasks > Symantec AntiVirus > Configure History. In the History Options dialog box, select the time period after which the Histories or Event Logs are deleted. Check Apply settings to clients not in Groups to apply the settings to the selected client or clients under the selected server or server group that are not members of client groups. Click OK. This does not permanently remove data, but hides it in the History and Event Log views. To permanently delete History or Event Log records, delete the .log files that contain the event records. Events are recorded in .log files for each day of the week in a Logs directory. These files are named according to the day on which they were created.
2 3
248 Working with Histories and Event Logs Deleting Histories and Event Logs
Index
Numerics
64-bit operating systems definitions files 181 Internet email support 150 using Continuous LiveUpdate 182
A
access list reloading 62 using to enhance server group security 59 values for IP addresses 62 Action Status for alerts 102 actions configuring 139 File System Auto-Protect 136, 142 security risks 138 viruses 137 Active Directory, requirement for Discovery 25 adware 110 Alert Log Action Status 102 copying contents to Clipboard 102 deleting entries 101 displaying alerts in 100 filtering display list 103 viewing detailed information 102 Alert Management System about 83 alert forwarding for unmanaged clients 104 Alert Log 100 alert notification methods 83 configuring alert action messages 95 event threads 84 forwarding alerts to servers 105 limiting alert configuration network segments 86 alerts actions configuring 85 configuring messages 95 deleting actions from alerts 98
alerts (continued) actions (continued) export status 99 exporting to other computers 98, 99 testing 98 viewing export status 99 configuring Broadcast 87 default messages 97 paging services 91 SNMP traps 93 forwarding to AMS2 servers 105 message parameters 95 size limitation 97 antivirus and security risk protection 14 antivirus clients, configuring with Grc.dat 14 audits determining network security 34 labeling items and rerunning audits 39 Automatic enabler 132 Auto-Protect about 112 advanced options 129 configuring 123 email scanning 148 resetting options at different levels 124 scanning about 112 configuring for mail applications 123 options 115 SmartScan 126
B
backup files 132 blended threats 110 Bloodhound scanning 132 Broadcast alert, configuring 87
250 Index
C
cache discovering computers from 28 Discovery Clear Cache Now setting 29 file options 131 finding computers in local cache 30, 31 Normal Discovery address cache comparisons 25 server names and IP addresses in Symantec System Center console 25 client configuration, enabling direct 80 client groups adding clients to 75 changing settings for the access list 61 configuration change priority 46 configuring settings for 75 creating 74 deciding whether to manage with 46 deleting 78, 79 dragging and dropping clients to move them 76 filtering client group view 77 finding settings 75 in Symantec AntiVirus console view 20 moving clients between 75 renaming 78 running tasks 75 scenario 49 settings 75 viewing 76 clients about antivirus protection for 14 adding to client groups 75 assigned and unassigned 45 Auto-Protect options for 127, 134, 139, 144 changing between unmanaged and managed 82 check-in time 80 configuring check-in intervals 80, 81 configuring expiration 80, 81 disabling scheduled scans 169 editing or deleting scheduled scans 168 forcing definitions file updates 196 log forwarding registry values 242 moving between client groups 75 settings when the client group is deleted 78 viewing virus list 202 with intermittent connectivity 80 compressed files, configuring scanning of 157
computers, finding by using an IP address range 32 by using computer names 30 by using network search 31 by using TCP/IP 30 computers that run antivirus software from other vendors 37 computers that run unmanaged antivirus client or server software 38 in local cache 30 syncing to 38 unprotected 34 with outdated definitions 201 configuration change priority 46 roaming client support for servers 223 scan options about 111 on multiple selected computers 115 sharing in server and client groups 45 unauthorized change attempts log 63 console refreshing 33 starting 17 Continuous LiveUpdate changing registry values to enable 199 configuring for managed clients 198 CPU utilization, setting options for scheduled and manual scans 156
D
data columns, Symantec AntiVirus view 20 definitions files controlling deployment 201 displaying out-of-date or missing warning 173 finding computers with outdated definitions 201 forcing updates on all unlocked servers 182 on clients 197 on servers 183 Intelligent Updater 191 legacy clients 180 LiveUpdate 188 rolling back 202 rollouts 201 update methods 180 verifying dates 201 verifying version numbers 201
Index
251
delete frequency, setting for Histories and Event Logs 247 dialers 110 Discovery about Discovery types 23 Intense 24 Load from cache only 24 Local 24 Normal 25 Discovery Service changing the Discovery Cycle interval 30 configuring 28 Discovery Cycle configuration 29 how it works 23 how to find NetWare computers 26 Intense Discovery limitations 24 IP Discovery 24 running 26 why Discovery may not find computers 30 WINS or Active Directory requirement 25 within octets or subnet masks 86 drag-and-drop operation adding a client to a client group 75 moving a client from one client group to another 76 moving a server between server groups 49, 56
files (continued) cache options 131 cleaning infected 235, 238 deleting infected 235, 238 excluding from scanning 117 exclusions and inclusions 121 exclusions for NetWare 116 moving to Quarantine 236, 238 undoing action taken 235, 238 found items, locating in the Symantec System Center console 32
G
Grc.dat 56 changing parent management servers 55 configuring antivirus clients 14 enabling and configuring roaming clients 223 forwarding alerts to AMS2 servers 105
H
hack tools 110 heuristic scanning 132 Hierarchical Storage Management (HSM) settings, configuring 158 Histories about 227 deleting 247 filtering data 229 Risk History actions 237 Risk History icons 237 Scan Histories 233 Scan History actions 234 Scan History icons 234 setting delete frequency 247 sorting data 229 Tamper Histories 240 types 228 viewing 232 Virus Sweep Histories 241 History and Event Log data exporting to Microsoft Access 238 filtering 229
E
email, Lotus Notes, configuring scans for 123 Event Logs deleting 247 filtering data 229 forwarding 242 icons 231 setting delete frequency 247 sorting data 229 types 228 event threads 84 events, forwarding from clients and servers 242 exceptions for security risks 139 exclusions from scanning, configuring 121 export command for roaming client support 225 export status, viewing for alert actions 99
F
failover servers for roaming clients 222 files backing up before repairing 132
I
icons Risk History 236 Risk properties 239
252 Index
icons (continued) Scan History 233 Symantec System Center 15 Tamper History 240 inclusions for scanning, configuring 121 infected email message, notifying senders 176 infected files cleaning 238 deleting 238 infections, managing 205 Intense Discovery, about 24, 29 IP address range, finding computers by using 32 IP Discovery 24
Message Box alert, configuring 87 mobile clients, managing 80
N
NetWare excluding iFolder 116 finding NetWare servers 26 network auditing, setting options 36 Normal Discovery 25 notifications configuring 144 detection options 142 File System Auto-Protect 142 remediation options 143 user interaction with 146 Nsctop.exe 22
J
joke programs 110
L
LiveUpdate configuring servers to retrieve from Symantec FTP site 188 setting client policy for 200 using with internal LiveUpdate server 189 LiveUpdate servers, configuring internally for managed clients 197 Load an NLM alert, configuring 89 load balancing for roam servers 222 Load from cache only Discovery 24 Local Discovery 24, 28 log events, forwarding 242 login certificate configuring key size 42 lifetime about 39 configuring 40 Lotus Notes, configuring scans for 123
O
Other risk category 110
P
pager message, entering 92 paging services, configuring alerting 91 for AMS2 93 parent management server 55 See also servers passwords scanning mapped drives 173 uninstallation 173 Ping Discovery Service 23 primary management servers 44, 55
Q
Quarantine moving files to 236, 238 purging suspicious files from 208
M
managed clients changing to unmanaged clients 82 configuring Continuous LiveUpdate for 198 configuring for internal LiveUpdate servers 197 mobile clients 80 management servers, configuring by using the Virus Definition Transport Method 182 manual scans, configuring 154
R
Refresh feature 33 registry values changing to enable Continuous LiveUpdate 199 for access list 62 for client log forwarding 242 for roaming clients 226
Index
253
remote access programs 110 risk detection 110 Risk History about 228 icons and actions 236 sorting columns 229 Risk History data, exporting 239 Risk properties icons 239 RoamAdmn.exe about 216 command-line options 224 roaming client support configuring for clients 222 from Symantec System Center console 220 how it works 217 roaming clients about 215 analyzing and mapping antivirus network 218 components 216 creating hierarchical server list 220 enabling and configuring with Grc.dat 223 export command 225 failover servers for 222 implementing 217 registry values 226 server list 216 roaming servers configuring roaming support 223 example 224 identifying 218 level 0 216 sample registry values 224 Run Program alert, configuring 88
S
SavRoam.exe about 216, 217 command-line options 224 Scan History icons 233 sorting columns 229 Scan History data, exporting 235 scans assigning actions 123 Bloodhound 132 by program type 122
scans (continued) configuring Auto-Protect scans 123 exclusions 121 for compressed files 157 inclusions 121 manual scans 154 dimmed or missing options 115 displaying warning message on client 174 email 148 for viruses and security risks 109 options File System Auto-Protect 123 manual scans 154 precedence 115 scheduled scans 164 to exclude files from scanning 117 paused 171 recommended file extensions 118 scheduled scans allowing user to pause or stop 171 configuring 167 deleting 168 disabling 168 editing 168 running on demand 169 selecting files and folders to scan 121 setting Auto-Protect for files 123 CPU utilization options 156 options on multiple selected computers 115 snoozed 171 stopped 171 scheduled scans configuring 164 deleting 168 secondary management servers 44 security risks 109 security, enhancing for server groups 59 Send Internet Mail alert, configuring 90 Send Page alert configuring 91 paging service 91 server groups about 59 configuration change priority 46 creating 50 deciding whether to manage with 46
254 Index
server groups (continued) deleting 54 enhancing security 59 filtering views 54 how to view 53 locking and unlocking 51 moving servers to a new server group 56 refreshing the console 33 renaming 54 scenario 49 selecting primary management server for 18 viewing 53 servers Auto-Protect options 127, 134, 139, 144 changing parent management servers 55 changing primary management servers 55 configuring management servers by using the Virus Definition Transport Method 182 disabling scheduled scans 169 dragging and dropping to move between server groups 49, 57 editing or deleting scheduled scans 168 grouping into server groups 50 identifying best parent for roaming clients 215 moving to a new server group 56 parent management servers 45 primary management servers 44 secondary management servers 44 viewing in console 33 risk list for 202 SmartScan 126 spyware 111 subnet, IP Discovery for 24 Symantec Security Response, tracking submissions 213 Symantec System Center changing views 19 console views 19 icons 15 locating found items 32 populating the console 22 product management snap-ins 19 refreshing the console 33 saving console settings 19 starting 17 System Hierarchy display 15 System Hierarchy configuration change priority 46
System Hierarchy (continued) data columns in Default Console View 20 description 17 icon 15
T
Tamper History about 228 exporting data 241 icon 240 Tamper Protection about 70 enabling, disabling, and configuring 70 message fields 72 messages 72 Threat Tracer 131, 135 threats blended 110 tracing 135 throttling options 156 time discrepancy tolerance between clients and servers, configuring 40 Trackware 111 Trojan horses 110
U
unauthorized configuration change attempts, logging 63 uninstallation password 173 unmanaged clients alert forwarding 104 changing to managed clients 82 creating a custom .hst file for LiveUpdate 197 finding with network audits 34 updates, ensuring definitions file is current for all clients 180 user access levels, user account management 57
V
viewing Alert Log 100 client groups 76 Histories 232 server groups 53 virus list 202 views changing 19
Index
255
views (continued) filtering server group 54 Symantec System Center console 19 virus alerts, tracking 212 Virus Definition Transport Method configuring management servers by using 182 updating NetWare servers 185 virus list 202 virus sweep History 229, 232 running in response to outbreaks 206 viruses 109, 110
W
warning message adding to infected email message 175 displaying on infected computer 174 example 174 for email scanning 149, 151 WINS requirement for Discovery 25 worms 110

Savcadmn

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Savcadmn

Uploaded by

Copyright:

Available Formats

Symantec AntiVirus Corporate Edition Administrators Guide

Symantec AntiVirus Corporate Edition Administrators Guide

Licensing and registration

Contacting Technical Support

Managing Symantec AntiVirus

Managing Symantec AntiVirus

Setting up the Alert Management System

Configuring Symantec AntiVirus

Responding to virus outbreaks

Managing roaming clients

Working with Histories and Event Logs

Managing Symantec AntiVirus

Symantec AntiVirus basics

About Symantec AntiVirus

14 Symantec AntiVirus basics About the Symantec System Center

About the Symantec System Center

Symantec AntiVirus basics About the Symantec System Center

Symantec System Center console icons

16 Symantec AntiVirus basics About the Symantec System Center

Table 1-1 Icon

Symantec System Center icons Icon descriptions

Symantec AntiVirus basics Using the Symantec System Center

Using the Symantec System Center

Starting the Symantec System Center

Console tree tab

18 Symantec AntiVirus basics Using the Symantec System Center

Selecting a primary management server for a server group

Symantec AntiVirus basics Using the Symantec System Center

About console views

Changing console views

Saving console settings

Do one of the following:

20 Symantec AntiVirus basics Using the Symantec System Center

Customizing console view columns

Name Status Primary Server Valid State

Level selected in left pane

Groups (for client groups)

Symantec AntiVirus basics Using the Symantec System Center

Level selected in left pane

Showing when clients are offline

22 Symantec AntiVirus basics About the Discovery Service

Showing client Auto-Protect status

About refreshing the console

About the Discovery Service

Symantec AntiVirus basics About the Discovery Service

How Discovery works

24 Symantec AntiVirus basics About the Discovery Service

Discovery types What follows

Local Discovery (default)

Load from cache only Normal Discovery

Local Discovery Load from cache only Normal Discovery

Symantec AntiVirus basics About the Discovery Service

Table 1-3 Type

Discovery types What follows

Discovery Service requirement for WINS or Active Directory

26 Symantec AntiVirus basics Running the Discovery Service

NetWare computers and the Discovery Service

Running the Discovery Service

Configuring the Discovery Service to use IP addresses

Symantec AntiVirus basics Running the Discovery Service

28 Symantec AntiVirus basics Running the Discovery Service

Configuring the Discovery Service